[keycloak-user] Problem using SAML IdP

Jérôme Blanchard jayblanc at gmail.com
Tue Dec 22 11:46:38 EST 2015


Hi,

I'm trying to integrate Keycloak into the French research identity
federation (Renater) and I'm facing some problems.
Actually, when the IdP responds to Keycloak I'm getting the following error:

PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType

It seems that this IdP is using the transient NameID policy only, and using
the unspecified field in the IdP config in Keycloak generates this exception
as a return.

The log of the Keycloak server is attached.

I have no idea what is happening, because when I was using the test
federation everything was working, but now that I'm in the production
federation, login fails.

The Renater federation is using Shibboleth, and Keycloak is not supported by
the federation moderators, so I'm alone in the dark now...

Renater provides an IdP list that I have to parse and synchronize with the
IdPs in Keycloak. In return, I provide a list of all endpoints for each
Keycloak-registered IdP to allow the federation IdPs to answer correctly at
the right endpoint. All of this is done by a small web app deployed beside
Keycloak that uses the REST API to synchronize all the IdPs.

One of the IdP entity descriptors is attached. As you can see, only the
transient NameID policy is supported, and if I configure Keycloak to use
email or persistent, I receive a response saying that the NameID is not
supported:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
    Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false"
    ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
    IsPassive="false"
    IssueInstant="2015-12-22T16:13:15.987Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>


<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
    ID="_9d03761957aade819b6823c35bbab278"
    InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
    IssueInstant="2015-12-22T16:13:16.420Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>


Any help would be gratefully appreciated.

Thanks a lot, Jérôme.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/563723cb/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak.log
Type: text/x-log
Size: 28296 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/563723cb/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: entity_descriptor.xml
Type: text/xml
Size: 4718 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/563723cb/attachment-0001.xml 
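Below is an added example, not code from the post, from Keycloak or from Renater, of the check the poster's synchronization web app could make before registering an IdP in Keycloak: read the NameIDFormat entries and SingleSignOnService endpoints from the IdP's entity descriptor, pick a NameIDPolicy format the IdP actually advertises (falling back to transient when that is all it lists), build an AuthnRequest of the shape shown in the post, and recognise the Responder/InvalidNameIDPolicy status in a Response. The entity descriptor is constructed (the entityID https://idp.example.org/idp and its endpoints are assumptions); the Response is the one quoted in the post. The example does not reproduce the PL00084 writer error, which depends on Keycloak's own configuration.

```python
"""Added example (not the poster's code and not Keycloak's): choose a SAML
NameIDPolicy from the IdP's own metadata and detect InvalidNameIDPolicy."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "samlp": SAMLP, "saml": SAML}

FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed IdP metadata (entityID and endpoints are assumptions), shaped
# like a Shibboleth IdP that advertises the transient NameID format only.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:NameIDFormat>{FMT_TRANSIENT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The Response quoted in the post (whitespace in the StatusMessage joined).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
    ID="_9d03761957aade819b6823c35bbab278" InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
    IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""


def supported_nameid_formats(metadata_xml):
    """NameID formats the IdP advertises; an empty list means it lists none."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall("md:IDPSSODescriptor/md:NameIDFormat", NS)]


def sso_endpoint(metadata_xml, binding=POST_BINDING):
    """Location of the IdP's SingleSignOnService for the given binding."""
    root = ET.fromstring(metadata_xml)
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == binding:
            return sso.get("Location")
    raise LookupError(f"IdP advertises no SingleSignOnService for {binding}")


def choose_nameid_format(supported, preferred=(FMT_EMAIL, FMT_PERSISTENT, FMT_TRANSIENT)):
    """First preferred format the IdP lists; None if it lists formats but none
    of ours. If it lists nothing, the first preference is sent on speculation."""
    if not supported:
        return preferred[0]
    return next((fmt for fmt in preferred if fmt in supported), None)


def build_authn_request(issuer, acs_url, destination, nameid_format):
    """Unsigned AuthnRequest of the shape Keycloak sent in the post, built with
    ElementTree so attribute values are escaped rather than string-formatted."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    request_id = "ID_" + str(uuid.uuid4())
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": instant,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING, "ForceAuthn": "false", "IsPassive": "false"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true", "Format": nameid_format})
    return request_id, ET.tostring(root, encoding="unicode")


def requested_nameid_format(authn_request_xml):
    """Format attribute of the NameIDPolicy in an AuthnRequest, or None."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml):
    """(list of nested StatusCode values, StatusMessage) from a Response."""
    root = ET.fromstring(response_xml)
    codes, code = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while code is not None:          # StatusCode elements nest: top-level, then sub-code
        codes.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)
    msg = root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
    return codes, msg.strip()


def nameid_policy_rejected(response_xml):
    """True when the IdP refused our NameIDPolicy, as in the post."""
    return STATUS_INVALID_NAMEID_POLICY in response_status(response_xml)[0]


if __name__ == "__main__":
    fmt = choose_nameid_format(supported_nameid_formats(SAMPLE_IDP_METADATA))
    _, req = build_authn_request("https://sp.example.org/realms/demo",
                                 "https://sp.example.org/realms/demo/broker/idp/endpoint",
                                 sso_endpoint(SAMPLE_IDP_METADATA), fmt)
    print(req)
    print(response_status(SAMPLE_RESPONSE), nameid_policy_rejected(SAMPLE_RESPONSE))
```

A transient NameID is an opaque, per-session value, so once the request has to use it the NameID can no longer serve as the stable key for linking the brokered identity to a local account; a stable identifier then has to come from an attribute carried in the assertion, which is a separate mapping decision from the NameIDPolicy chosen here.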
