Keycloak as SP with ping federate

Sunday, 28 July 2019

I am having issues integrating keycloak with ping federate. We are using keycloak version
5.0.0. Ping federate is the idp and keycloak is the service provider. Keycloak gives me a
generic error "An internal server error has occurred”. When I dive deeper into the
logs I see this stack trace.

[0m[31m15:59:02,925 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default
task-341) Uncaught server error:  org.keycloak.broker.provider.IdentityBrokerException:
Could not process response from SAML identity provider.
                        at
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:469)
                        at
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:504)
                        at
org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:244)
                        at
org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:160)
                        at sun.reflect.GeneratedMethodAccessor1101.invoke(Unknown
Source)
                        ...
                        at java.lang.Thread.run(Thread.java:748)
                        Caused by: java.lang.NullPointerException

There is no line number on the above null pointer exception. I only know it is happening
in handleLoginResponse.

Here is the formatted xml from the /endpoint response in the browser":

                        <?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Version="2.0" ID="J8RPRFTJWzphQNpjsdDMOBAzanc"
IssueInstant="2019-07-28T15:47:20.101Z"
Destination="https://access-dev.myedlogics.com/auth/realms/intervent...
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                        <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                        <ds:Reference
URI="#J8RPRFTJWzphQNpjsdDMOBAzanc">
                                    <ds:Transforms>
                                                <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature&quo...
                                                <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transforms>
                                    <ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>nhnAGsnEubW52HlCQIQ6X9aRQvsiKt2QMxu82hqka3E=</ds:DigestValue>
                        </ds:Reference>
            </ds:SignedInfo>

<ds:SignatureValue>Z2zn8MXkhPk8iw4AXmFV/qK+UbyKQhYT5faq9yyPzF2OCS7joaboMm29/qtZhBHBrFNf0113f3jeAG6mX9RvOYOsoI9k0aLNvH42UDSZw9Iwv8AOIBxa06bqVw7VfJpxwNp4spJgvMRme61OnJd57sqF8V7CNe4X8VMm6L1DDDkvrpL1WieN8OrEjMOm7F3HtlIBTAfy3WvFn2P/Ly3ofSM4CFb9pOgyG0Ypi9KWVaCOQ0qVvaOXu97HpOY4+fp9kg/fMq3UlxJ93WTLiZ8/hXgz9x+Of6DXqY/+XjjRUPdhH2dSXwg7vpXCIc1q5JyG79uNHotLQoDhbO21Osp/QQ==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
            <samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="fCWnVphoi6J6jBnD.Ohe_UTtf1D"
IssueInstant="2019-07-28T15:47:20.158Z" Version="2.0">
            <saml:Issuer>localhost:default:entityId</saml:Issuer>
            <saml:Subject>
                        <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
                        <saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                    <saml:SubjectConfirmationData
Recipient="https://access-dev.myedlogics.com/auth/realms/intervent/b...
NotOnOrAfter="2019-07-28T15:52:20.162Z"/>
                        </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2019-07-28T15:42:20.162Z"
NotOnOrAfter="2019-07-28T15:52:20.162Z">
                        <saml:AudienceRestriction>

<saml:Audience>https://access-dev.myedlogics.com/auth/realms/intervent&...
                        </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement SessionIndex="fCWnVphoi6J6jBnD.Ohe_UTtf1D"
AuthnInstant="2019-07-28T15:47:20.136Z">
                        <saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                        </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
                        <saml:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                    <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">chris.stephens+1@edlogics.net</saml:AttributeValue>
                        </saml:Attribute>
            </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

Does anyone see any obvious mistakes I am making? Is the xml invalid and messing with
keycloak?

Thanks,
Chris

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014