7:27 a.m.
Hi,
we configured AzureAD to use our keycloak instance, like this:
$cer="$our_cert_string"
$uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
$dom="test.domain.cloud"
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
-ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
-IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
When I know try to login on the azure portal, I get successfully
redirected
to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
I get the following error from keycloak:
2017-08-22 11:49:47,735 DEBUG
[org.hibernate.internal.util.EntityPrinter] (default task-3)
org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
sessionId=null, time=1503402587482, error=invalid_authn_request,
type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
The SAML AuthnRequest sent by M$ looks as follows:
2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
(default task-3) <samlp:AuthnRequest
ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
IssueInstant="2017-08-22T11:47:46.793Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
What we can see, is that the destination (optional?) attribute is
missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
Why is keycloak doing some strict checking about the optional
destination parameter?
Cheers Jonas
4:53 a.m.
Hi,
any further information needed? I would like to get KC <-> Azure AD to
be connected. Otherwise we are sadly being obliged to look after another
IdP solution :(
Cheers Jonas
On 22.08.17 14:27, Jonas Weismueller wrote:
Hi,
we configured AzureAD to use our keycloak instance, like this:
$cer="$our_cert_string"
$uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
$dom="test.domain.cloud"
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
-ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
-IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
When I know try to login on the azure portal, I get successfully
redirected
to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
I get the following error from keycloak:
2017-08-22 11:49:47,735 DEBUG
[org.hibernate.internal.util.EntityPrinter] (default task-3)
org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
sessionId=null, time=1503402587482, error=invalid_authn_request,
type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
The SAML AuthnRequest sent by M$ looks as follows:
2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
(default task-3) <samlp:AuthnRequest
ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
IssueInstant="2017-08-22T11:47:46.793Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
What we can see, is that the destination (optional?) attribute is
missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
Why is keycloak doing some strict checking about the optional
destination parameter?
Cheers Jonas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:20 a.m.
That is indeed a bug, could you please create JIRA for that?
Thanks
--Hynek
On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller <jw(a)blue-yonder.com> wrote:
Hi,
any further information needed? I would like to get KC <-> Azure AD to
be connected. Otherwise we are sadly being obliged to look after another
IdP solution :(
Cheers Jonas
On 22.08.17 14:27, Jonas Weismueller wrote:
> Hi,
>
> we configured AzureAD to use our keycloak instance, like this:
>
>
>
> $cer="$our_cert_string"
>
> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>
> $dom="test.domain.cloud"
>
> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>
>
>
> When I know try to login on the azure portal, I get successfully
> redirected
> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
> I get the following error from keycloak:
>
> 2017-08-22 11:49:47,735 DEBUG
> [org.hibernate.internal.util.EntityPrinter] (default task-3)
> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
> sessionId=null, time=1503402587482, error=invalid_authn_request,
> type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
>
>
>
> The SAML AuthnRequest sent by M$ looks as follows:
>
> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
> (default task-3) <samlp:AuthnRequest
> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
> IssueInstant="2017-08-22T11:47:46.793Z"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>
>
>
> What we can see, is that the destination (optional?) attribute is
> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>
>
>
> Why is keycloak doing some strict checking about the optional
> destination parameter?
>
>
>
> Cheers Jonas
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
5:39 a.m.
Sure, thanks a lot for your reply!
On 25.08.17 12:20, Hynek Mlnarik wrote:
That is indeed a bug, could you please create JIRA for that?
Thanks
--Hynek
On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller <jw(a)blue-yonder.com> wrote:
> Hi,
> any further information needed? I would like to get KC <-> Azure AD to
> be connected. Otherwise we are sadly being obliged to look after another
> IdP solution :(
>
> Cheers Jonas
>
> On 22.08.17 14:27, Jonas Weismueller wrote:
>> Hi,
>>
>> we configured AzureAD to use our keycloak instance, like this:
>>
>>
>>
>> $cer="$our_cert_string"
>>
>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>
>> $dom="test.domain.cloud"
>>
>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>
>>
>>
>> When I know try to login on the azure portal, I get successfully
>> redirected
>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>> I get the following error from keycloak:
>>
>> 2017-08-22 11:49:47,735 DEBUG
>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>> type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
>>
>>
>>
>> The SAML AuthnRequest sent by M$ looks as follows:
>>
>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>> (default task-3) <samlp:AuthnRequest
>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>> IssueInstant="2017-08-22T11:47:46.793Z"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>
>>
>>
>> What we can see, is that the destination (optional?) attribute is
>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>
>>
>>
>> Why is keycloak doing some strict checking about the optional
>> destination parameter?
>>
>>
>>
>> Cheers Jonas
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
8:30 a.m.
destination is validated to be the same URL the SAML request was posted
to. This is a security check to protect against replay attacks.
On 8/25/17 5:53 AM, Jonas Weismueller wrote:
Hi,
any further information needed? I would like to get KC <-> Azure AD to
be connected. Otherwise we are sadly being obliged to look after another
IdP solution :(
Cheers Jonas
On 22.08.17 14:27, Jonas Weismueller wrote:
> Hi,
>
> we configured AzureAD to use our keycloak instance, like this:
>
>
>
> $cer="$our_cert_string"
>
> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>
> $dom="test.domain.cloud"
>
> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>
>
>
> When I know try to login on the azure portal, I get successfully
> redirected
> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
> I get the following error from keycloak:
>
> 2017-08-22 11:49:47,735 DEBUG
> [org.hibernate.internal.util.EntityPrinter] (default task-3)
> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
> sessionId=null, time=1503402587482, error=invalid_authn_request,
> type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
>
>
>
> The SAML AuthnRequest sent by M$ looks as follows:
>
> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
> (default task-3) <samlp:AuthnRequest
> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
> IssueInstant="2017-08-22T11:47:46.793Z"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>
>
>
> What we can see, is that the destination (optional?) attribute is
> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>
>
>
> Why is keycloak doing some strict checking about the optional
> destination parameter?
>
>
>
> Cheers Jonas
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:24 a.m.
Hi,
I already read about a similar statement. But as far as I understand it
is optional by specification and thus it would be nice if it is at least
configurable to turn it on/off.
I also can try to convince Microsoft to change their behavior, but I
don't know if it will be possible ;)
Cheers Jonas
On 25.08.17 15:30, Bill Burke wrote:
destination is validated to be the same URL the SAML request was
posted
to. This is a security check to protect against replay attacks.
On 8/25/17 5:53 AM, Jonas Weismueller wrote:
> Hi,
> any further information needed? I would like to get KC <-> Azure AD to
> be connected. Otherwise we are sadly being obliged to look after another
> IdP solution :(
>
> Cheers Jonas
>
> On 22.08.17 14:27, Jonas Weismueller wrote:
>> Hi,
>>
>> we configured AzureAD to use our keycloak instance, like this:
>>
>>
>>
>> $cer="$our_cert_string"
>>
>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>
>> $dom="test.domain.cloud"
>>
>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>
>>
>>
>> When I know try to login on the azure portal, I get successfully
>> redirected
>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>> I get the following error from keycloak:
>>
>> 2017-08-22 11:49:47,735 DEBUG
>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>> type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
>>
>>
>>
>> The SAML AuthnRequest sent by M$ looks as follows:
>>
>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>> (default task-3) <samlp:AuthnRequest
>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>> IssueInstant="2017-08-22T11:47:46.793Z"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>
>>
>>
>> What we can see, is that the destination (optional?) attribute is
>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>
>>
>>
>> Why is keycloak doing some strict checking about the optional
>> destination parameter?
>>
>>
>>
>> Cheers Jonas
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:22 a.m.
Destination is mandatory for signed SAML messages in Redirect and POST
bindings [1] and optional for unsigned ones [2]. It is prevention for
replay attacks for messages whose integrity can be checked. Hence to
comply with SAML spec, we have to allow the destination to be unset
when signature is not checked.
[1] https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf,
lines 661, 843
[2] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf,
line 1477
On Fri, Aug 25, 2017 at 3:30 PM, Bill Burke <bburke(a)redhat.com> wrote:
destination is validated to be the same URL the SAML request was
posted
to. This is a security check to protect against replay attacks.
On 8/25/17 5:53 AM, Jonas Weismueller wrote:
> Hi,
> any further information needed? I would like to get KC <-> Azure AD to
> be connected. Otherwise we are sadly being obliged to look after another
> IdP solution :(
>
> Cheers Jonas
>
> On 22.08.17 14:27, Jonas Weismueller wrote:
>> Hi,
>>
>> we configured AzureAD to use our keycloak instance, like this:
>>
>>
>>
>> $cer="$our_cert_string"
>>
>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>
>> $dom="test.domain.cloud"
>>
>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>
>>
>>
>> When I know try to login on the azure portal, I get successfully
>> redirected
>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>> I get the following error from keycloak:
>>
>> 2017-08-22 11:49:47,735 DEBUG
>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>> type=LOGIN_ERROR, userId=null,
detailsJson={"reason":"invalid_destination"}}
>>
>>
>>
>> The SAML AuthnRequest sent by M$ looks as follows:
>>
>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>> (default task-3) <samlp:AuthnRequest
>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>> IssueInstant="2017-08-22T11:47:46.793Z"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>
>>
>>
>> What we can see, is that the destination (optional?) attribute is
>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>
>>
>>
>> Why is keycloak doing some strict checking about the optional
>> destination parameter?
>>
>>
>>
>> Cheers Jonas
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
6:12 a.m.
Hi,
thanks a lot to every one involved to get the fix into 3.3.0.CR1.
The issue is fixed now.
Cheers Jonas
2670
days inactive
2679
days old
7 comments
3 participants
participants (3)
-
Bill Burke -
Hynek Mlnarik -
Jonas Weismueller