Hello Adam,
With "strict" set to true on the python3-saml side, it will try to validate
SAMLResponse's AudienceRestriction (if present) against SP's entityId value [1].
In its turn, Keycloak always sets AudienceRestriction to client ID, which is
"nac-lander" in your case [2] [3].
Hence, I'd suggest that you try setting SP's entityId to "nac-lander" or
turn off strict audience checking.
[1]
Cheers,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
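The check described above, as an added example (not python3-saml's or Keycloak's own code): a stand-alone re-implementation of the strict-mode audience rule, run against a constructed, unsigned SAML Response fragment that carries the Audience Keycloak sets (the client ID, "nac-lander"). It shows the mismatch against the current entityId, the pass after the suggested change, and the skipped check when strict is off.

```python
# Added example, not python3-saml or Keycloak code: a minimal version of the
# AudienceRestriction check python3-saml performs when "strict" is true.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (unsigned, trimmed to the relevant elements). Keycloak
# fills <Audience> with the client ID, here "nac-lander".
KEYCLOAK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>nac-lander</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def get_audiences(response_xml):
    """Return every <Audience> value found under an AudienceRestriction."""
    root = ET.fromstring(response_xml)
    return [
        a.text.strip()
        for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]


def check_audience(response_xml, sp_entity_id, strict=True):
    """Strict-mode rule: if the assertion carries an AudienceRestriction, the
    SP's entityId must be one of its audiences. Returns (ok, message)."""
    audiences = get_audiences(response_xml)
    if not strict or not audiences:
        return True, "audience not checked"
    if sp_entity_id in audiences:
        return True, "audience ok"
    return False, "%s is not a valid audience for this Response" % sp_entity_id


if __name__ == "__main__":
    # Current SP config: entityId is the metadata URL, so the check fails.
    print(check_audience(KEYCLOAK_RESPONSE, "http://10.0.0.3:9082/metadata/"))
    # Suggested fix: entityId equal to the Keycloak client ID.
    print(check_audience(KEYCLOAK_RESPONSE, "nac-lander"))
```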
On Thu, 2019-05-23 at 21:39 -0700, adam scislowicz wrote:
Summary: I am building a SAML authentication system using Keycloak as the
IDP, and the python3-saml module to implement the SP. See configuration
outline below.
I can successfully initiate via IDP or SP. If SP, I will be redirected to
the IDP. The IDP will then redirect me to the SP's ACS binding and I
observe the following logs from the IDP and SP respectively. The following
log from python3-saml sticks out:
'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response'
IDP LOGS
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Found AUTH_SESSION_ID cookie with value
65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found
in the requests header
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found
in the cookies field
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Found AUTH_SESSION_ID cookie with value
65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-3)
getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote
cache not available
[org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent
request to authz endpoint. We don't have root authentication session with
ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have
userSession.Re-created root authentication session with same ID. Client is:
nac-lander . New authentication session tab ID: cfS0YI4bjUk
[org.keycloak.authentication.AuthenticationProcessor] (default task-3)
AUTHENTICATE
[org.keycloak.authentication.AuthenticationProcessor] (default task-3)
AUTHENTICATE ONLY
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
processFlow
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: auth-cookie requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
authenticator: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
invoke authenticator.authenticate: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
authenticator SUCCESS: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: auth-spnego requirement: DISABLED
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
execution is processed
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: identity-provider-redirector requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
Skip alternative execution
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: null requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
Skip alternative execution
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. Expire
restart cookie: true
[org.keycloak.events] (default task-3) type=LOGIN, realmId=master,
clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b,
ipAddress=10.255.0.2, auth_method=saml, redirect_uri=
http://10.0.0.3:9082/?acs, consent=no_consent_required,
code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/,
max-age: -1
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Expiring remember me cookie
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/
SP LOGS
nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | acs
nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | http://10.0.0.3:9082/metadata/ is not a valid audience for this Response
...
nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | {'https': 'off', 'http_host': '10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data': MultiDict([('sso', '')]), 'post_data': MultiDict([])}
nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | <onelogin.saml2.auth.OneLogin_Saml2_Auth object at 0x7f2cfa62cda0>
CONFIGURATION OUTLINE
IDP: Keycloak
Client: nac-lander
Master SAML Processing URL: http://10.0.0.3:9082/
IDP Initiated URL Name: 'nac-lander' : http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander
Assertion Consumer Service URL: http://10.0.0.3:9082/?acs
SP: python3-saml
{
  "strict": true,
  "debug": true,
  "sp": {
    "entityId": "http://10.0.0.3:9082/metadata/",
    "assertionConsumerService": {
      "url": "http://10.0.0.3:9082/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:9082/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "x509cert": "",
    "privateKey": ""
  },
  "idp": {
    "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/",
    "singleSignOnService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander&...;,
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander&...;,
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "<onelogin_connector_cert>"
  }
}
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user