[keycloak-user] Problem using SAML IdP
Bill Burke
bburke at redhat.com
Tue Dec 22 15:10:30 EST 2015
Our brokering doesn't support temporary user ids from the "parent" IDP.
Transient Ids in SAML or temporary ids.
On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
> Hi,
>
> I'm trying to integrate keycloak into a the french research federation
> of identity (renater) and I'm facing some problems.
> Actually, when IdP respond to keycloak i'm getting the following error :
> PL00084: Writer: Unsupported Attribute
> Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>
> It seems that this IdP is using transient NameID policy only and using
> the unspecified field in the idp config in keycloak generate this
> exception as a return.
>
> Log of the keycloak server is joined.
>
> I have no idea of what happening because when I was using the test
> federation, everything was working but no I'm in the production
> federation, login fails.
>
> The renater federation is using Shibolleth and keycloak is not supported
> by federation moderators so I'm alone in the dark now...
>
> Renater provides an IdP list that I have to parse and synchronized with
> IdP in keycloak. As a return I provide a list of all endpoints for each
> keycloak registered IdP to allow federation IdP to answear correctly to
> the right endpoint. All of this is done by a small web app deployed
> aside keycloak and using REST API to synchronize all the IdP.
>
> One of the IdP entity descriptor is joined. As you can see, only
> transient nameid policy is supported and if I configure keycloak to use
> email or persistent, I received a response saying that the nameid is not
> supported :
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
> ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Version="2.0"><saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy
> AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>
>
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> ID="_9d03761957aade819b6823c35bbab278"
> InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required
> NameID format not
> supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
>
>
> Any help would be gracefully appreciated.
>
> Thanks a lot, Jérôme.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list