[keycloak-dev] Getting error with authentication using ecp.sh script

Rashmi Singh singhrasster at gmail.com
Tue Dec 27 08:52:19 EST 2016


Hi All, Just a reminder if some insights/help could be provided on my SAML
request and the issue I am facing.

On Fri, Dec 23, 2016 at 9:01 PM, Rashmi Singh <singhrasster at gmail.com>
wrote:

> Hi All,
>
> I am using ecp.sh (provided by keycloak team, of course with changes on
> idp_endpoint based on my keycloak environment) to perform authentication.
>
> I am using spring saml SP and keycloak IDP. I enabled ecp on the SP side
> and then I execute ecp.sh script as:
>
> ./ecp.sh -d rhsso http://192.168.99.100:8888/saml-sp/first.jsp newuser4
>
>
> My idp_endpoint is: "http://192.168.99.100:9990/auth/realms/xxxxxxxxxx/
> protocol/saml"
> where xxxxxxxxxx is my realm (replaced my realm with xxxxxxxxxx for this
> email)
>
> The script prompts me to enter password and then it sends an auth request
> to keycloak IDP.
>
> Now, something goes wrong at the IDP.
> I enabled saml logs on keycloak to see the incoming request and the
> following error from the logs:
>
> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2)
> SAML POST Binding
> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2)
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
> ForceAuthn="false" ID="a31ah57718g27gd149da6jeb08620ig" IsPassive="false"
> IssueInstant="2016-12-24T00:51:34.799Z" ProtocolBinding="urn:oasis:
> names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
> "/>
> <ds:Reference URI="#a31ah57718g27gd149da6jeb08620ig">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
> signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>nfLQ9IFs9IFnSgw3HHHKuPkAbRY=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>iULSwpjBb38Vmtan4ZIocRx4PNr6fHRuhVbL+
> 7yXNz3wqjlSavtk7haUiADwUS2cTofRM5KDzUvIkaQPXBZqEkz2xnrhpNj71
> eIqJ6H4ZqW3mpvP8Bk9z3VEmcEQhZSd6j8rMf4JOdIBRtE7cea0wJhuQ1Uds
> HdcKeIdp+wuRvn8t9vS/mPKd9GAt11JpC+bgMQS0MDy+r1+AZof2+
> XMyMuwECVIkouTzwlgKDEmgvQh6Aq61f+QzIeeZ9+3efwJyIH61x7J4CaiSTpesezlXx8UQ
> nqIL+AToL1OFHSp2bgXXxkP1rHSkyNM34Eg92LmI5cN3oBfQDR8r+mCoEctWA==</
> ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg
> kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYT
> ERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeT
> EMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyOD
> AxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVX
> VzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2
> FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCS
> qGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrD
> tUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
> yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
> rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B
> 3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/
> KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/
> R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQ
> wAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGq
> AcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGO
> M6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/
> dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
> i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEWbHwSoBy5hLPNALaE
> Uoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/
> GuHE=</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> </saml2p:AuthnRequest>
>
> 00:51:41,265 DEBUG [org.keycloak.saml.common] (default task-2) The
> provider ApacheXMLDSig - 2.05 was added at position: 2
> 00:51:41,545 WARN  [org.keycloak.services] (default task-2)
> KC-SERVICES0013: Failed authentication: org.keycloak.authentication.
> AuthenticationFlowException
>         at org.keycloak.authentication.DefaultAuthenticationFlow.
> processResult(DefaultAuthenticationFlow.java:242)
>         at org.keycloak.authentication.DefaultAuthenticationFlow.
> processFlow(DefaultAuthenticationFlow.java:185)
>         at org.keycloak.authentication.AuthenticationProcessor.
> authenticateOnly(AuthenticationProcessor.java:792)
>         at org.keycloak.protocol.AuthorizationEndpointBase.
> handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:100)
>         at org.keycloak.protocol.saml.SamlService.
> newBrowserAuthentication(SamlService.java:505)
>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.
> newBrowserAuthentication(SamlEcpProfileService.java:89)
>         at org.keycloak.protocol.saml.SamlService.
> newBrowserAuthentication(SamlService.java:501)
>         at org.keycloak.protocol.saml.SamlService$BindingProtocol.
> loginRequest(SamlService.java:297)
>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService$1.
> loginRequest(SamlEcpProfileService.java:72)
>         at org.keycloak.protocol.saml.SamlService$BindingProtocol.
> handleSamlRequest(SamlService.java:209)
>         at org.keycloak.protocol.saml.SamlService$
> PostBindingProtocol.execute(SamlService.java:453)
>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.
> authenticate(SamlEcpProfileService.java:74)
>         at org.keycloak.protocol.saml.SamlService.soapBinding(
> SamlService.java:619)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
> ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.
> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.
> doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(
> ManagedFilter.java:60)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.
> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.
> java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.
> handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.
> SecurityContextAssociationHandler.handleRequest(
> SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.
> SSLInformationAssociationHandler.handleRequest(
> SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.
> ServletAuthenticationCallHandler.handleRequest(
> ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.
> ServletConfidentialityConstraintHandler.handleRequest(
> ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.
> CachedAuthenticatedSessionHandler.handleRequest(
> CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.
> handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.
> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.
> handleFirstRequest(ServletInitialHandler.java:284)
>         at io.undertow.servlet.handlers.ServletInitialHandler.
> dispatchRequest(ServletInitialHandler.java:263)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.
> handleRequest(ServletInitialHandler.java:174)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.
> java:202)
>         at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:793)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
>
> 00:51:41,548 WARN  [org.keycloak.events] (default task-2)
> type=LOGIN_ERROR, realmId=O4ZR9N2V6U,
> clientId=http://192.168.99.100:8888/saml-sp/saml/metadata, userId=null,
> ipAddress=192.168.99.1, error=invalid_user_credentials, auth_method=saml,
> redirect_uri=http://192.168.99.100:8888/saml-sp/saml/SSO,
> code_id=fa04e6ff-3767-419c-a5bf-7bc2c94e8300
>
>
> I am a bit lost here on what is wrong. Does this request I pasted above
> look correct? If not, let me know what is wrong/missing there. Also, my
> understanding is that I don't need to enable anything on keycloak for this.
> I was earlier able to do browser based authentication using this same saml
> SP, IDP and the user. Then, I enabled ECP on SP to test authentication
> using ecp.sh script but I encountered the above error and output. I would
> appreciate any help or pointers on this.
>
> Also, for reference, this is the SP response (I printed the $sp_resp
> variable in ecp.sh):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
> <soap11:Header>
> <paos:Request xmlns:paos="urn:liberty:paos:2003-08" responseConsumerURL="
> http://192.168.99.100:8888/saml-sp/saml/SSO" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
> soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
> soap11:mustUnderstand="1"/>
> <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
> IsPassive="false" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
> soap11:mustUnderstand="1">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
> </ecp:Request>
> </soap11:Header>
> <soap11:Body>
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
> ForceAuthn="false" ID="a1bj9ed5f38c4c1f1331hifbg36363" IsPassive="false"
> IssueInstant="2016-12-24T01:14:48.538Z" ProtocolBinding="urn:oasis:
> names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
> "/>
> <ds:Reference URI="#a1bj9ed5f38c4c1f1331hifbg36363">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
> signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>sOgymsP3qFQ4QQFiGP7oUjtutUw=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>ZGxJgqOcGe2XarIF1JtfjikRmpsIjglB4mKeYdfUbwUavtH25XgZ/
> YmgTDFlCYbq2piAM0NvibcyPtXjgX26zATtWJg3URqHpqWclccql8I5arrVf
> kHTKUQxIx0Rk9bxxytsS012SptubO9F4a+b4LAWoaE9L4IymGVtLpZRLYRL2rhhj
> wIehT/hSXTWWNRWrLWYb03klaCp/1hZIEUIUW1nyeveyWfaeN1LF7BJ63y
> MdWOrtUEaF388chUcg1dpFB7HeYq1Q5GCYyEsFk3yi1CEcZ/
> qeXyfbHAwixFOG0pPNyeunn6QDZzFD8sSVepXzuFLb8MuuthNYSb0hVLrwQ=
> =</ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg
> kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
> CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
> MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
> ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
> GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
> ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
> 5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
> F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
> qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
> UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
> 0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
> 82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
> 8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
> RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
> bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+
> Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> </saml2p:AuthnRequest>
> </soap11:Body>
> </soap11:Envelope>
>
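The SOAP envelope printed above is what an ECP client has to inspect before it forwards the embedded AuthnRequest to the IdP. As an added example (not part of this mail, of ecp.sh or of Keycloak), the Python checker below performs the structural checks on such a PAOS/ECP envelope: both header blocks addressed to the "next" SOAP actor with mustUnderstand="1", the ECP service identifier, the PAOS ProtocolBinding, agreement between responseConsumerURL and AssertionConsumerServiceURL and between the two Issuer values, and a ds:Reference that points at the AuthnRequest ID. The sample envelope, its example.test hosts, the ID and the digest/signature values are constructed placeholders; the checker does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SOAP/PAOS/ECP envelope and the AuthnRequest it carries.
NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["soap11"]
ACTOR = "{%s}actor" % NS["soap11"]


def _check_header_block(el, name, problems):
    """paos:Request and ecp:Request must target the 'next' SOAP actor and carry
    mustUnderstand="1", so a client that does not implement ECP faults instead
    of silently ignoring them."""
    if el is None:
        problems.append("missing %s header block" % name)
    elif el.get(MUST_UNDERSTAND) != "1" or el.get(ACTOR) != SOAP_ACTOR_NEXT:
        problems.append("%s: not addressed to the 'next' actor with mustUnderstand=1" % name)


def check_ecp_envelope(xml_text):
    """Return a list of structural problems (empty means all checks passed).
    Signature bytes are not verified; only the reference wiring is checked."""
    problems = []
    root = ET.fromstring(xml_text)
    header = root.find("soap11:Header", NS)
    body = root.find("soap11:Body", NS)
    if root.tag != "{%s}Envelope" % NS["soap11"] or header is None or body is None:
        return ["not a SOAP 1.1 Envelope with Header and Body"]
    paos = header.find("paos:Request", NS)
    ecp_req = header.find("ecp:Request", NS)
    _check_header_block(paos, "paos:Request", problems)
    _check_header_block(ecp_req, "ecp:Request", problems)
    response_consumer = paos.get("responseConsumerURL") if paos is not None else None
    if paos is not None and paos.get("service") != ECP_SERVICE:
        problems.append("paos:Request: service is not the SAML ECP profile")
    authn_reqs = body.findall("saml2p:AuthnRequest", NS)
    if len(authn_reqs) != 1:
        problems.append("expected one AuthnRequest in Body, found %d" % len(authn_reqs))
        return problems
    authn = authn_reqs[0]
    if authn.get("ProtocolBinding") != PAOS_BINDING:
        problems.append("AuthnRequest: ProtocolBinding is not PAOS")
    # The client later compares the IdP's ecp:Response AssertionConsumerServiceURL
    # with responseConsumerURL, so the two SP-supplied URLs should already agree.
    acs = authn.get("AssertionConsumerServiceURL")
    if response_consumer and acs and acs != response_consumer:
        problems.append("AssertionConsumerServiceURL differs from paos responseConsumerURL")
    issuer_body = authn.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if ecp_req is not None:
        issuer_hdr = ecp_req.findtext("saml2:Issuer", default="", namespaces=NS).strip()
        if issuer_hdr != issuer_body:
            problems.append("Issuer in ecp:Request differs from Issuer in AuthnRequest")
    sig = authn.find("ds:Signature", NS)
    if sig is not None:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (authn.get("ID") or ""):
            problems.append("ds:Reference URI does not point at the AuthnRequest ID")
        transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)] if ref is not None else []
        if ENVELOPED_SIG not in transforms:
            problems.append("signature lacks the enveloped-signature transform")
    return problems


# Constructed sample (placeholder hosts, ID, digest and signature), not real data.
SAMPLE_ENVELOPE = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" responseConsumerURL="http://sp.example.test/saml/SSO"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
 soap11:mustUnderstand="1"/>
<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="false"
 soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.test/saml/metadata</saml2:Issuer>
</ecp:Request>
</soap11:Header>
<soap11:Body>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"
 AssertionConsumerServiceURL="http://sp.example.test/saml/SSO" ID="_placeholder0001"
 IssueInstant="2016-12-24T01:14:48.538Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.test/saml/metadata</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_placeholder0001"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDERDIGEST=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDERSIGNATURE=</ds:SignatureValue></ds:Signature>
</saml2p:AuthnRequest>
</soap11:Body>
</soap11:Envelope>"""

if __name__ == "__main__":
    print(check_ecp_envelope(SAMPLE_ENVELOPE) or "envelope passes the structural checks")
```

To use it on a real capture, pass the text of the `$sp_resp` variable to `check_ecp_envelope()`. An empty result only says the envelope is well-formed for the ECP profile; it says nothing about credentials. A LOGIN_ERROR event with error=invalid_user_credentials like the one quoted above is raised by the IdP's authentication flow (DefaultAuthenticationFlow in the stack trace), not by request parsing, so a clean envelope narrows the search to the user, password and realm flow on the Keycloak side.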