Hi Hynek,
The signature algorithm is set to RSA_SHA256 in Okta and Keycloak. I tried validating
the XML response using
https://www.samltool.com/validate_response.php and it fails with
"Signature validation failed. Reference validation failed". Some googling
made me change Okta to use SHA1 for the Digest Algorithm. I received the same results
using SHA1. I can't seem to find a digest setting for Keycloak, so I would assume
SHA256 is being used?
I've attached the data from SAML trace. These are both test servers set up to figure
out how to do this.
Thanks
Drew Weirshousky
----- Original Message -----
From: "Hynek Mlnarik" <hmlnarik(a)redhat.com>
To: "Drew Weirshousky" <d.weirshousky(a)xsb.com>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, November 14, 2017 5:34:12 AM
Subject: Re: [keycloak-user] Keycloak as SAML Service Provider problem
It's hard to say. Make sure the settings of signature algorithms match in
Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g.
via SAML Tracer or similar tool) would help.
--Hynek
On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky(a)xsb.com>
wrote:
Hi,
I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IDP. I am
trying to initiate login from Okta. After the initial user registration
Keycloak seems to fail while validating the signature on one of the SAML
Responses. The error in the browser is invalidFederatedIdentityActionMessage
and the stack trace is below.
20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
The X509 certificate is the same on both ends. Am I missing a
configuration setting some place else? Any help would be appreciated.
Some googling brings up some old bugs but I believe they are all fixed in
3.2.1.
Thanks
Drew Weirshousky
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
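Hynek's advice to make the signature algorithm settings match, and the "Reference validation failed" result from samltool, both come down to what the ds:SignedInfo of the captured Response actually declares. The script below is an added example, not code from this thread, from Keycloak or from Okta: it reads every ds:Signature in a SAML Response dumped from SAML Tracer, reports the signature, digest and canonicalization algorithm URIs in the names the two admin consoles use, checks that each Reference URI resolves to an ID in the document and points at the element enclosing the signature, and compares the result with what the SP is configured to expect. The sample Response is constructed for the example (placeholder digest and signature values, a made-up issuer), and the script deliberately does not verify the signature itself; it only shows which side has to change.

```python
"""Diagnose XML-DSig algorithm and reference mismatches in a SAML Response.

Added example; not part of the mailing-list thread or of Keycloak/Okta code.
Only the xmldsig metadata is inspected, the signature is not verified.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Algorithm URIs from XML-DSig / RFC 4051, mapped to the names the Okta and
# Keycloak admin consoles display for their signature/digest settings.
SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA_SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA_SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA_SHA512",
}
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA512",
}

# Constructed sample: the Response signature uses a SHA1 digest (as tried in
# the thread) while the Assertion signature references an ID that does not
# exist. DigestValue/SignatureValue are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2017-11-14T20:53:59Z">
  <saml:Issuer>http://www.okta.com/exampleissuer</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-11-14T20:53:59Z">
    <saml:Issuer>http://www.okta.com/exampleissuer</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_assert9">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def inspect_signatures(xml_text):
    """Return one report dict per ds:Signature, in document order."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    reports = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        info = sig.find("ds:SignedInfo", NS)
        refs = info.findall("ds:Reference", NS)
        ref = refs[0]  # SAML signatures carry exactly one Reference
        uri = ref.get("URI", "")
        if uri == "":                      # empty URI means the whole document
            target = root
        elif uri.startswith("#"):          # same-document reference by ID
            target = by_id.get(uri[1:])
        else:                              # external references are not valid in SAML
            target = None
        sig_uri = info.find("ds:SignatureMethod", NS).get("Algorithm")
        dig_uri = ref.find("ds:DigestMethod", NS).get("Algorithm")
        enclosing = parent_of.get(sig)
        reports.append({
            "signed_element": _local(enclosing.tag) if enclosing is not None else None,
            "canonicalization": info.find("ds:CanonicalizationMethod", NS).get("Algorithm"),
            "signature_algorithm": SIGNATURE_ALGORITHMS.get(sig_uri, sig_uri),
            "digest_algorithm": DIGEST_ALGORITHMS.get(dig_uri, dig_uri),
            "reference_uri": uri,
            "reference_resolves": target is not None,
            # An enveloped SAML signature must cover the element that contains it.
            "enveloped": target is not None and target is enclosing,
        })
    return reports


def check_policy(reports, expected_signature="RSA_SHA256", expected_digest="SHA256"):
    """Compare what the IdP actually sent with the algorithms the SP expects."""
    problems = []
    for r in reports:
        where = r["signed_element"]
        if r["signature_algorithm"] != expected_signature:
            problems.append(f"{where}: SignatureMethod is {r['signature_algorithm']}, "
                            f"SP expects {expected_signature}")
        if r["digest_algorithm"] != expected_digest:
            problems.append(f"{where}: DigestMethod is {r['digest_algorithm']}, "
                            f"SP expects {expected_digest}")
        if not r["reference_resolves"]:
            problems.append(f"{where}: Reference URI {r['reference_uri']!r} matches no ID "
                            f"in the document (reference validation will fail)")
        elif not r["enveloped"]:
            problems.append(f"{where}: Reference does not point at the element enclosing "
                            f"the Signature")
    return problems


if __name__ == "__main__":
    for line in check_policy(inspect_signatures(SAMPLE_RESPONSE)):
        print(line)
```

Run it against the Response captured by SAML Tracer instead of SAMPLE_RESPONSE; a digest or signature algorithm that differs from the SP's setting, or a Reference URI that does not match the ID of the signed Response or Assertion, is exactly the condition that produces "Reference validation failed" in samltool and "Invalid signature on document" in Keycloak, and tells you which side's configuration to change.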