[keycloak-dev] Getting error with authentication using ecp.sh script
John Dennis
jdennis at redhat.com
Tue Jan 3 09:10:10 EST 2017
On 12/27/2016 08:52 AM, Rashmi Singh wrote:
> Hi All, Just a reminder if some insights/help could be provided on my SAML
> request and the issue I am facing.
What Rashmi failed to mention is that after submitting the SAML
AuthnRequest to Keycloak the response was a server 500 error. I asked
him to look for any backtraces that appeared in the Keycloak log after
receiving the AuthnRequest which he did and included here.
To the best of my knowledge the AuthnRequest is well formed but even if
it wasn't the response should have been a SAML Response with an error,
not a HTTP 500 status code.
What we need to figure out is why Keycloak is throwing an uncaught
exception resulting in the HTTP 500 status code.
ECP requires either basic or digest authentication on the endpoint
processing the AuthnRequest. My suspicion based on the "Failed
authentication" message at the beginning of the backtrace is either the
authentication did not occur on the endpoint or there was a failure to
record the authentication occurred and was successful, just a guess.
>
> On Fri, Dec 23, 2016 at 9:01 PM, Rashmi Singh <singhrasster at gmail.com>
> wrote:
>
>> Hi All,
>>
>> I am using ecp.sh (provided by keycloak team, ofcourse with changes on
>> idp_endpoint based on my keycloak environment) to perform authentication.
Just to clarify, ecp.sh was not provided by the keycloak team. I
provided it to Rashmi. It's a script I've used in the past to test ECP.
>> I am using spring saml SP and keycloak IDP. I enabled ecp on the SP side
>> and then I execute ecp.sh script as:
>>
>> ./ecp.sh -d rhsso http://192.168.99.100:8888/saml-sp/first.jsp newuser4
>>
>>
>> My idp_endpoint is: "http://192.168.99.100:9990/auth/realms/xxxxxxxxxx/
>> protocol/saml"
>> where xxxxxxxxxx is my realm (replaced my realm with xxxxxxxxxx for this
>> email)
>>
>> The script prompts me to enter password and then it sends an auth request
>> to keycloak IDP.
>>
>> Now, something goes wrong at the IDP.
>> I enabled saml logs on keycloak to see the incoming request and the
>> following error from the logs:
>>
>> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2)
>> SAML POST Binding
>> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2)
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
>> ForceAuthn="false" ID="a31ah57718g27gd149da6jeb08620ig" IsPassive="false"
>> IssueInstant="2016-12-24T00:51:34.799Z" ProtocolBinding="urn:oasis:
>> names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
>> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/
>> 2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
>> "/>
>> <ds:Reference URI="#a31ah57718g27gd149da6jeb08620ig">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
>> signature"/>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>nfLQ9IFs9IFnSgw3HHHKuPkAbRY=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>iULSwpjBb38Vmtan4ZIocRx4PNr6fHRuhVbL+
>> 7yXNz3wqjlSavtk7haUiADwUS2cTofRM5KDzUvIkaQPXBZqEkz2xnrhpNj71
>> eIqJ6H4ZqW3mpvP8Bk9z3VEmcEQhZSd6j8rMf4JOdIBRtE7cea0wJhuQ1Uds
>> HdcKeIdp+wuRvn8t9vS/mPKd9GAt11JpC+bgMQS0MDy+r1+AZof2+
>> XMyMuwECVIkouTzwlgKDEmgvQh6Aq61f+QzIeeZ9+3efwJyIH61x7J4CaiSTpesezlXx8UQ
>> nqIL+AToL1OFHSp2bgXXxkP1rHSkyNM34Eg92LmI5cN3oBfQDR8r+mCoEctWA==</
>> ds:SignatureValue>
>> <ds:KeyInfo>
>> <ds:X509Data>
>> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg
>> kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYT
>> ERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeT
>> EMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyOD
>> AxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVX
>> VzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2
>> FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCS
>> qGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrD
>> tUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
>> yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
>> rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B
>> 3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/
>> KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/
>> R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQ
>> wAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGq
>> AcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGO
>> M6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/
>> dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
>> i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEWbHwSoBy5hLPNALaE
>> Uoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/
>> GuHE=</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </saml2p:AuthnRequest>
>>
>> 00:51:41,265 DEBUG [org.keycloak.saml.common] (default task-2) The
>> provider ApacheXMLDSig - 2.05 was added at position: 2
>> 00:51:41,545 WARN [org.keycloak.services] (default task-2)
>> KC-SERVICES0013: Failed authentication: org.keycloak.authentication.
>> AuthenticationFlowException
>> at org.keycloak.authentication.DefaultAuthenticationFlow.
>> processResult(DefaultAuthenticationFlow.java:242)
>> at org.keycloak.authentication.DefaultAuthenticationFlow.
>> processFlow(DefaultAuthenticationFlow.java:185)
>> at org.keycloak.authentication.AuthenticationProcessor.
>> authenticateOnly(AuthenticationProcessor.java:792)
>> at org.keycloak.protocol.AuthorizationEndpointBase.
>> handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:100)
>> at org.keycloak.protocol.saml.SamlService.
>> newBrowserAuthentication(SamlService.java:505)
>> at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.
>> newBrowserAuthentication(SamlEcpProfileService.java:89)
>> at org.keycloak.protocol.saml.SamlService.
>> newBrowserAuthentication(SamlService.java:501)
>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.
>> loginRequest(SamlService.java:297)
>> at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService$1.
>> loginRequest(SamlEcpProfileService.java:72)
>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.
>> handleSamlRequest(SamlService.java:209)
>> at org.keycloak.protocol.saml.SamlService$
>> PostBindingProtocol.execute(SamlService.java:453)
>> at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.
>> authenticate(SamlEcpProfileService.java:74)
>> at org.keycloak.protocol.saml.SamlService.soapBinding(
>> SamlService.java:619)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>> MethodInjectorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>> ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>> ResourceMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.
>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>> ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.
>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>> ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.
>> doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(
>> ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>> FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.
>> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.
>> java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.
>> handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.
>> SecurityContextAssociationHandler.handleRequest(
>> SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.
>> SSLInformationAssociationHandler.handleRequest(
>> SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.
>> ServletAuthenticationCallHandler.handleRequest(
>> ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.
>> ServletConfidentialityConstraintHandler.handleRequest(
>> ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.
>> CachedAuthenticatedSessionHandler.handleRequest(
>> CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.
>> handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>> tionHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.
>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.
>> handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.
>> dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$
>> 000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.
>> handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>> java:202)
>> at io.undertow.server.HttpServerExchange$1.run(
>> HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 00:51:41,548 WARN [org.keycloak.events] (default task-2)
>> type=LOGIN_ERROR, realmId=O4ZR9N2V6U, clientId=http://192.168.99.
>> 100:8888/saml-sp/saml/metadata, userId=null, ipAddress=192.168.99.1,
>> error=in
>> valid_user_credentials, auth_method=saml, redirect_uri=http://192.168.
>> 99.100:8888/saml-sp/saml/SSO, code_id=fa04e6ff-3767-419c-a5bf-7bc2c94e8300
>>
>>
>> I am a bit lost here on what is wrong. Does this request I pasted above
>> look correct? If not, let me know what is wrong/missing there. Also, my
>> understanding is that I don't need to enable anything on keycloak for this.
>> I was earlier able to do browser based authentication using this same saml
>> SP, IDP and the user. Then, I enabled ECP on SP to test authentication
>> using ecp.sh script but I encountered the above error and output. I would
>> appreciate any help or pointers on this.
>>
>>
>>
>>
>>
>>
>>
>>
>> Also, for reference, this is the SP response (I printed the $sp_resp
>> variable in ecp.sh):
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>> <soap11:Header>
>> <paos:Request xmlns:paos="urn:liberty:paos:2003-08" responseConsumerURL="
>> http://192.168.99.100:8888/saml-sp/saml/SSO" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>> soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
>> soap11:mustUnderstand="1"/>
>> <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>> IsPassive="false" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
>> soap11:mustUnderstand="1">
>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
>> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>> </ecp:Request>
>> </soap11:Header>
>> <soap11:Body>
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
>> ForceAuthn="false" ID="a1bj9ed5f38c4c1f1331hifbg36363" IsPassive="false"
>> IssueInstant="2016-12-24T01:14:48.538Z" ProtocolBinding="urn:oasis:
>> names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://
>> 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/
>> 2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
>> "/>
>> <ds:Reference URI="#a1bj9ed5f38c4c1f1331hifbg36363">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
>> signature"/>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>sOgymsP3qFQ4QQFiGP7oUjtutUw=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>ZGxJgqOcGe2XarIF1JtfjikRmpsIjglB4mKeYdfUbwUavtH25XgZ/
>> YmgTDFlCYbq2piAM0NvibcyPtXjgX26zATtWJg3URqHpqWclccql8I5arrVf
>> kHTKUQxIx0Rk9bxxytsS012SptubO9F4a+b4LAWoaE9L4IymGVtLpZRLYRL2rhhj
>> wIehT/hSXTWWNRWrLWYb03klaCp/1hZIEUIUW1nyeveyWfaeN1LF7BJ63y
>> MdWOrtUEaF388chUcg1dpFB7HeYq1Q5GCYyEsFk3yi1CEcZ/
>> qeXyfbHAwixFOG0pPNyeunn6QDZzFD8sSVepXzuFLb8MuuthNYSb0hVLrwQ=
>> =</ds:SignatureValue>
>> <ds:KeyInfo>
>> <ds:X509Data>
>> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg
>> kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
>> CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
>> MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
>> ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
>> GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
>> ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
>> 5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
>> F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
>> qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
>> UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
>> 0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
>> 82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
>> 8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
>> RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
>> bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+
>> Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </saml2p:AuthnRequest>
>> </soap11:Body>
>> </soap11:Envelope>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
John
More information about the keycloak-dev
mailing list