Hello there,
I have the use case that I want SP-initiated SAML SSO against an external IdP. After
successful login on the external IdP I get redirected to my brokering IdP, which wants to do
some Authentication flow stuff, but I would like to skip authentication against Keycloak
and just redirect to my application after the assertion was successfully verified. After
some research I found that this might not be implemented yet:
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009605.html
https://issues.jboss.org/browse/KEYCLOAK-4240
So alternatively I thought of just importing a new user by following the steps of:
https://www.keycloak.org/docs/latest/server_admin/index.html#automaticall...
But what happens is that I see two requests on
http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/login-actions/...
the first one as GET with code 302, and after that the browser sends a POST to
http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/after-f...
As a POST parameter it got the following EncryptedAssertion from my idp-broker:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_38969c7e-58a0-4bd8-9699-2e4ee913f0fc"
InResponseTo="ID_cdd51254-befe-4c11-a290-e8dc8fa3a769"
IssueInstant="2018-12-11T15:44:49.960Z"
Version="2.0"><saml:Issuer>http://localhost:8180/auth/realms/prisma-keycloak-saml-idp</saml:Issuer><dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Sig...
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsi...
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/&...
URI="#ID_38969c7e-58a0-4bd8-9699-2e4ee913f0fc"><dsig:Transforms><dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature&quo...
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds...
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsi...
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:EncryptedAssertion><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:Enc...
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><...
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:Encry...
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>...
As a response I get 405 Method Not Allowed and get redirected to a Keycloak page saying
"internal server error".
Why is this happening? Are there any good alternatives to this flow for my use case?
Thank you,
Manuel
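Editor's note: when a brokered SAML flow dies with an opaque server error like the one above, the first thing worth checking is whether the Response the browser is POSTing is structurally what the receiving side expects. The following is an added example (not part of the post, and not Keycloak code) that pre-checks a samlp:Response of the shape quoted above: InResponseTo against the AuthnRequest ID, Issuer, Status, that the enveloped Signature's Reference actually covers the Response ID, and that the signature and assertion-encryption algorithms sit on an allowlist. The allowlists, the constructed sample, and the function name are assumptions of this example; it does not verify the signature or decrypt anything, so it is a triage aid, not a validator.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "dsig": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Allowlists are an assumption of this example: SHA-256 signatures, and only
# AEAD (GCM) modes for the assertion, since CBC alone gives no integrity.
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_ENC = {"http://www.w3.org/2009/xmlenc11#aes128-gcm",
               "http://www.w3.org/2009/xmlenc11#aes256-gcm"}


def precheck_saml_response(xml_text, expected_request_id, expected_issuer):
    """Triage aid: return structural problems found (empty list means none). No crypto is verified."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    sig = root.find("dsig:Signature", NS)
    if sig is None:
        problems.append("Response carries no enveloped signature")
    else:
        sm = sig.find("dsig:SignedInfo/dsig:SignatureMethod", NS)
        ref = sig.find("dsig:SignedInfo/dsig:Reference", NS)
        if sm is None or sm.get("Algorithm") not in ALLOWED_SIG:
            problems.append("signature algorithm not in allowlist")
        # The Reference must point at this Response's own ID, not some other element.
        if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
            problems.append("Signature Reference does not cover this Response ID")
    em = root.find("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if em is not None and em.get("Algorithm") not in ALLOWED_ENC:
        problems.append("assertion encrypted with non-AEAD %s" % em.get("Algorithm"))
    return problems


# Constructed sample modelled on the (truncated) fragment quoted in the post.
SAMPLE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
          ' ID="ID_resp1" InResponseTo="ID_req1" IssueInstant="2018-12-11T15:44:49.960Z" Version="2.0">'
          '<saml:Issuer>http://localhost:8180/auth/realms/prisma-keycloak-saml-idp</saml:Issuer>'
          '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:SignatureMethod'
          ' Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_resp1"/></dsig:SignedInfo></dsig:Signature>'
          '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
          '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod'
          ' Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')
```

Run against the sample, the only finding is the aes128-cbc assertion encryption; a real deployment would follow this with proper XML-DSig verification and decryption in a hardened SAML library.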