Unfortunately, after upgrading to the latest Keycloak I can’t seem to get it to send the
logout request at all. I turned off backchannel logout, but there is no redirect to the
AD logout.
On May 17, 2018, at 03:49, Luis Rodríguez Fernández <uo67113(a)gmail.com> wrote:
Hello David,
May I ask you to share your logout request, please?
I am using
https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2
and Microsoft ADFS2 does not complain about the request. You can have a look
at the SAMLRequest param here [1].
The full request looks like this:
GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
Host: login.cern.ch
User-Agent:...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: MSISAuth=...
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Hope it helps,
Luis
ps: thank you sooooo much because your post helped me a lot! I thought that
for being able to use [1] I needed to have a keycloak server, register the
SP, etc... But it turns out that Keycloak SAML Client Adapter Core makes
all the magic, thanks Keycloak team!
pps: for WebLogic I needed to implement the SLO myself [2] :(
[1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
[2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/
2018-05-16 14:12 GMT+02:00 Lynxlogic <info(a)lynxlogic.com>:
> Thanks for the info Luis. I was getting this error when using Azure’s
> ‘Test SAML Settings’ tool. Apparently when testing that way the attributes
> you mentioned are omitted from the SAML response. If I follow a normal
> login flow it works.
>
> However, I’m unable to get single sign out to work. If I turn on
> backchannel logout, then when I sign out from keycloak I’m not signed out
> from Azure. If I turn this off, keycloak sends a SAML request on logout,
> but Azure complains that it is invalid. Azure’s documentation says that
> the sign out URL should be configured as
> ‘https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0’. If I hit this
> URL manually I do get signed out of Azure, but if I specify that URL as the
> ‘Single Logout Service URL’ in the identity provider setup, Keycloak seems
> to ignore it. The behavior is the same with or without that setting -
> Keycloak does not redirect to that URL.
>
> David
>
>> On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113(a)gmail.com> wrote:
>>
>> Hello David,
>>
>> In your <samlp:Response> I am missing a couple of attributes:
>>
>> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>> InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
>>
>> Probably the "consent" one is not causing the issue, but "inresponseto"
>> contains the id of the AuthRequest sent by keycloak, and maybe keycloak
>> wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to
>> yours BTW). You can have a look here at one of the ADFS2 responses:
>>
>> https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>>
>> Hope it helps,
>>
>> Luis
>>
>> 2018-05-16 3:06 GMT+02:00 Lynxlogic <info(a)lynxlogic.com>:
>>
>>> I’m trying to set up SAML SSO between Azure AD and Keycloak. On the
>>> redirect back after auth, Keycloak is failing to process the response and
>>> generates an internal server error:
>>>
>>> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>>> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>>> .
>>> .
>>> .
>>> Caused by: java.lang.NullPointerException
>>> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>>> at java.util.regex.Matcher.reset(Matcher.java:309)
>>> at java.util.regex.Matcher.<init>(Matcher.java:229)
>>> at java.util.regex.Pattern.matcher(Pattern.java:1093)
>>> at java.util.regex.Pattern.split(Pattern.java:1206)
>>> at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>>> at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>>> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>>> ... 63 more
>>>
>>> I’ve posted the SAML response at
>>> https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
>>>
>>> The stack trace indicates it’s failing at IdentityBrokerService.parseEncodedSessionCode().
>>> I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
>>> me in the right direction to solve this?
>>>
>>> Thanks,
>>> David
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> --
>> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>> - Samuel Beckett
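An added example, not from this thread and not Keycloak's own code, of the SP-side pre-check the replies above circle around: refuse a <samlp:Response> whose InResponseTo is absent (as the thread reports for Azure's "Test SAML Settings" tool) or does not match an AuthnRequest this SP issued, and report a missing RelayState as a plain error rather than letting it surface as a NullPointerException deep in the broker. The sample responses are constructed, and the assumption that the broker's session state rides in RelayState is mine.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed samples (not the gist contents): one response that answers an
# AuthnRequest this SP issued, and one unsolicited response with
# InResponseTo omitted, as reported for Azure's "Test SAML Settings" tool.
RESPONSE_SOLICITED = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    'IssueInstant="2018-05-16T01:27:04Z" '
    'Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" '
    'InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"/>'
)
RESPONSE_UNSOLICITED = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0" '
    'IssueInstant="2018-05-16T01:27:04Z"/>'
)
# IDs of AuthnRequests this SP has sent and not yet seen answered.
PENDING_REQUEST_IDS = {"ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"}


def check_response(xml_text, relay_state, pending_request_ids):
    """Pre-check an inbound SAML response before the broker consumes it.

    Returns (ok, reason). Each rejection names the missing or mismatched
    field so the failure is a clear error, not an NPE in state parsing.
    """
    # Assumption for this example: the broker's session code travels in
    # RelayState, so without it the login cannot be tied to a session.
    if not relay_state:
        return False, "missing RelayState: cannot resolve broker session"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"response is not well-formed XML: {exc}"
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, f"unexpected root element {root.tag}"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return False, "missing InResponseTo: unsolicited response refused"
    if in_response_to not in pending_request_ids:
        return False, f"InResponseTo {in_response_to!r} matches no pending AuthnRequest"
    # Consent is only reported: the thread suspects it is not the cause.
    consent = root.get("Consent", "<absent>")
    return True, f"InResponseTo matches pending request (Consent={consent})"


if __name__ == "__main__":
    for label, xml in (("solicited", RESPONSE_SOLICITED), ("unsolicited", RESPONSE_UNSOLICITED)):
        print(label, check_response(xml, "broker-state", PENDING_REQUEST_IDS))
```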