[keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest

Bill Burke bburke at redhat.com
Mon Feb 9 17:43:26 EST 2015


Ok, I'm working on it right now.  I'll change it so that you can 
register the assertion consumer service url in the admin console.

https://issues.jboss.org/browse/KEYCLOAK-1034



On 2/9/2015 2:00 PM, Jacob D'Onofrio wrote:
> Here is the AuthnRequest that was generated by WebLogic.
>
> Do you still want me to create a JIRA?
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest
>    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>    Destination="http://clokpsbmw01:8080/auth/realms/dev/protocol/saml/"
>    ForceAuthn="false"
>    ID="_0xadc0f2f6b3f36e604d310d4209db5c31"
>    IsPassive="false"
>    IssueInstant="2015-02-06T17:13:31.151Z"
>    Version="2.0">
>    <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://clokpsbmw01:7001/saml2</saml:Issuer>
>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <ds:Reference URI="#_0xadc0f2f6b3f36e604d310d4209db5c31">
>         <ds:Transforms>
>           <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml
> samlp"/>
>           </ds:Transform>
>         </ds:Transforms>
>        <ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>AGcoZLrPSDr5TgULgb/AQdpGAofuP9YstgnYMryKams=</ds:DigestValue>
>      </ds:Reference>
>    </ds:SignedInfo>
>    <ds:SignatureValue>
> ROJaB9lwk5LiNfZMZmWrOrZmeXSZnjZiGwb9Q/ODzSscrs49ucJLhEzjzVXmr5jbLNg5UR5Pi1H+
> N2hM/hZKEPpzxDtaR8RRzi8MYCiEwtqcbUD429txx0Sr1ZgPkhtw+KPsWAc5c17y8egzHCwe77DZ
> CXDYzMtYlMui92kZ29Jj2QdgztSzxUNwHfOVGl6KAWu3NGlzobV+jbKtw20LOxAfpIW/e9hdwNAM
> 9OCwpKdcp6bvZrZ4GZZ/LXHJQzeZZtC3avwz4NHWX/9sOyYmspAVukTfCAyXeRxsbTgYX2vZKCOj
> /a1ONd65CtgTCyE9tOzD7Ar1sWyp4FylrArABw==
>    </ds:SignatureValue>
> </ds:Signature>
> </samlp:AuthnRequest>
>
> On Mon, Feb 9, 2015 at 1:10 PM, Bill Burke <bburke at redhat.com> wrote:
>
>     Actually, I'll need some way of identifying the client making the authn
>     request.  Can you post the SAML request perchance?
>
>     On 2/6/2015 2:42 PM, Jacob D'Onofrio wrote:
>      > Hi,
>      >
>      > I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6.
>      > When WebLogic sends the request to keycloak, I get a NullPointerException like so:
>      >
>      > Caused by: java.lang.NullPointerException
>      >          at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>      >          at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>      >          at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>      >          at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>      >          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
>      >          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
>      >          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
>      >          at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
>      >          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>      >          ... 39 more
>      >
>      > I truncated the stack trace a bit. Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthnRequest token specify an AssertionConsumerServiceURL attribute, which WebLogic is not setting, however the SAML documentation states that the attribute is optional.
>      >
>      > I wanted to check here before I posted a JIRA issue if this is a bug, or intended behavior.
>      >
>      > Thanks,
>      > Jacob
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
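The behaviour this thread converges on, written out as an added example (not Keycloak's code, and not from any participant): the IdP identifies the client by the AuthnRequest Issuer, falls back to an administrator-registered AssertionConsumerServiceURL when the optional attribute is absent (WebLogic's case, which currently ends in the NullPointerException above), and refuses a request-supplied URL that is not on the client's registered list, because the SAML Response carries the assertion and an unregistered URL would hand it to whoever runs that endpoint. The registry, the registered ACS URLs and the decide()/make_authn_request() helpers are assumptions of this example; the Issuer, Destination, ID and IssueInstant values are the ones from the WebLogic request quoted in the thread. The example assumes the XML signature on the request has already been verified and decides only where the assertion may go.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical client registry keyed by SP entity ID (the AuthnRequest Issuer).
# The entity ID is the one WebLogic sent in the request quoted in the thread;
# the ACS URLs are assumed values an admin would register for that client.
CLIENT_REGISTRY = {
    "http://clokpsbmw01:7001/saml2": {
        "default_acs_url": "http://clokpsbmw01:7001/saml2/sp/acs/post",
        "allowed_acs_urls": {"http://clokpsbmw01:7001/saml2/sp/acs/post"},
    },
}


class SamlRequestError(Exception):
    """The IdP cannot, or must not, service this AuthnRequest."""


def resolve_acs_url(authn_request_xml, registry=CLIENT_REGISTRY):
    """Return the URL the SAML Response must be posted to, or raise.

    Assumes the XML signature on the request has already been verified;
    this function only decides where the assertion is allowed to go.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise SamlRequestError("not an AuthnRequest: %s" % root.tag)

    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise SamlRequestError("AuthnRequest carries no Issuer; cannot identify the client")

    client = registry.get(issuer)
    if client is None:
        raise SamlRequestError("no client registered for issuer %s" % issuer)

    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        # The attribute is optional in SAML 2.0 and WebLogic omits it: use the
        # administrator-registered URL instead of dereferencing a missing value.
        return client["default_acs_url"]

    if requested not in client["allowed_acs_urls"]:
        # Never honour an ACS URL that is not registered for this client.
        raise SamlRequestError(
            "AssertionConsumerServiceURL %r not registered for %s" % (requested, issuer))
    return requested


def decide(authn_request_xml, registry=CLIENT_REGISTRY):
    """Wrapper returning ('accept', url) or ('reject', reason) instead of raising."""
    try:
        return ("accept", resolve_acs_url(authn_request_xml, registry))
    except (SamlRequestError, ET.ParseError) as exc:
        return ("reject", str(exc))


def make_authn_request(issuer, acs_url=None):
    """Build a request shaped like the WebLogic one from the thread (signature
    omitted); Destination, ID and IssueInstant are the quoted values."""
    acs_attr = ""
    if acs_url:
        acs_attr = ' AssertionConsumerServiceURL="%s"' % escape(acs_url, {'"': "&quot;"})
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s"'
        ' Destination="http://clokpsbmw01:8080/auth/realms/dev/protocol/saml/"'
        ' ForceAuthn="false" ID="_0xadc0f2f6b3f36e604d310d4209db5c31" IsPassive="false"'
        ' IssueInstant="2015-02-06T17:13:31.151Z" Version="2.0"%s>'
        '<saml:Issuer xmlns:saml="%s">%s</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ) % (NS["samlp"], acs_attr, NS["saml"], escape(issuer))


if __name__ == "__main__":
    sp = "http://clokpsbmw01:7001/saml2"
    print(decide(make_authn_request(sp)))  # ACS absent: registered default is used
    print(decide(make_authn_request(sp, "http://clokpsbmw01:7001/saml2/sp/acs/post")))
    print(decide(make_authn_request(sp, "http://elsewhere.example/acs")))  # rejected
    print(decide(make_authn_request("http://unknown.example/sp")))  # rejected
```

The point of the allow-list check is that registering the ACS URL in the admin console, as the fix proposes, does double duty: it gives the IdP somewhere to send the Response when the request omits the attribute, and it gives the IdP something to compare against when the request does carry one.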

