It's hard to say. Make sure the settings of signature algorithms match in
Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g.
via SAML Tracer or similar tool) would help.
--Hynek
On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky(a)xsb.com>
wrote:
Hi,
I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IDP. I am
trying to initiate login from Okta. After the initial user registration
keycloak seems to fail while validating the signature on one of the SAML
Responses. The error in the browser is invalidFederatedIdentityActionMessage
and the stack trace is below.
20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
        at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
        at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
The X509 certificate is the same on both ends. Am I missing a
configuration setting some place else? Any help would be appreciated.
Some googling brings up some old bugs but I believe they are all fixed in
3.2.1.
Thanks
Drew Weirshousky
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
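A concrete way to follow Hynek's two suggestions at once (compare signature algorithms, and look at the actual SAML traffic). The script below is an added example, not part of this thread and not Keycloak or Okta code: it takes the base64 SAMLResponse form value that the browser POSTs to the SP endpoint (the value SAML Tracer or a browser's network tab shows), lists every ds:Signature in it together with the element it covers, its SignatureMethod, canonicalization and digest algorithms and the SHA-256 fingerprint of the certificate embedded in KeyInfo, and then compares those with the algorithm and certificate you configured on the SP side. The sample Response, the issuer URL and the certificate bytes are constructed placeholders; the "configured" values passed to `check_signatures` are whatever you have in your own Keycloak identity-provider entry.

```python
"""Inspect the XML signature(s) on a SAML Response sent over the HTTP-POST binding.

Added example (not from the mailing-list thread, Keycloak or Okta): decode the
SAMLResponse form field, report each ds:Signature, and compare algorithm and signer
certificate with what the SP is configured to accept.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample, NOT a capture from Okta or Keycloak. The "certificate" is a
# placeholder byte string rather than real DER; only its fingerprint is compared.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2017-11-13T20:53:59Z">
  <saml:Issuer>http://www.okta.com/placeholder-issuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-13T20:53:59Z">
    <saml:Issuer>http://www.okta.com/placeholder-issuer</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % PLACEHOLDER_CERT_B64
# What the browser actually POSTs in the SAMLResponse field (SAML Tracer shows it decoded).
SAMPLE_SAMLRESPONSE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(form_value: str) -> bytes:
    """The HTTP-POST binding carries the XML base64-encoded in the SAMLResponse field."""
    return base64.b64decode(form_value)


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 over the DER bytes of a certificate given as PEM or bare base64."""
    body = "".join(ln.strip() for ln in pem_or_b64.strip().splitlines()
                   if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def _alg(sig, path):
    el = sig.find(path, NS)
    return el.get("Algorithm") if el is not None else None


def inspect_signatures(xml_bytes: bytes) -> list:
    """One dict per ds:Signature: what it envelops, its algorithms, embedded signer cert."""
    root = ET.fromstring(xml_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = parent_of[sig]  # enveloped signature: parent is the signed element
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        report.append({
            "signs": signed.tag.split("}")[-1],          # "Response" or "Assertion"
            "signed_id": signed.get("ID"),
            "reference_uri": ref.get("URI") if ref is not None else None,
            "c14n": _alg(sig, "ds:SignedInfo/ds:CanonicalizationMethod"),
            "signature_alg": _alg(sig, "ds:SignedInfo/ds:SignatureMethod"),
            "digest_alg": _alg(ref, "ds:DigestMethod") if ref is not None else None,
            "cert_sha256": cert_fingerprint(cert) if cert else None,
        })
    return report


def check_signatures(report: list, expected_cert_sha256: str, expected_signature_alg: str) -> list:
    """Human-readable mismatches between the message and the SP configuration; [] if none."""
    problems = []
    for e in report:
        where = "%s %s" % (e["signs"], e["signed_id"])
        if e["reference_uri"] != "#%s" % e["signed_id"]:
            problems.append("%s: Reference URI %s does not point at the signed element" % (where, e["reference_uri"]))
        if e["signature_alg"] != expected_signature_alg:
            problems.append("%s: SignatureMethod %s != configured %s" % (where, e["signature_alg"], expected_signature_alg))
        # The KeyInfo cert is attacker-controlled input: compare it with the configured one,
        # never treat it as the trust anchor.
        if e["cert_sha256"] != expected_cert_sha256:
            problems.append("%s: embedded cert %s != configured %s" % (where, e["cert_sha256"], expected_cert_sha256))
    if not report:
        problems.append("no ds:Signature element found in the Response")
    return problems


if __name__ == "__main__":
    report = inspect_signatures(decode_saml_response(SAMPLE_SAMLRESPONSE_FORM_VALUE))
    configured_cert = cert_fingerprint(PLACEHOLDER_CERT_B64)   # from your SP config, not the message
    for line in check_signatures(report, configured_cert, RSA_SHA256) or ["signature metadata matches SP configuration"]:
        print(line)
```

The script does not verify the signature itself; it only tells you whether the algorithm and certificate the IdP actually used match what the SP expects, which is exactly the "settings match" question above, and it shows whether the Response, the Assertion, or both carry a signature, so you can line that up with the SP's signature-validation options. Paste the SAMLResponse value from a captured POST in place of the constructed sample, and the configured certificate's PEM in place of the placeholder.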