[keycloak-user] Google as SAML SP and Keycloak as IDP - invalid_signature

Georgijs Radovs georgijsr at scandiweb.com
Thu Dec 15 07:44:56 EST 2016


Hello everyone!


I'm trying to configure SSO to Google Apps, using the SAML protocol with Keycloak as IDP and Google as SP.

Keycloak Version - 2.1.0-Final

In Keycloak, I've created a new SAML client with the following settings:

----------------------------------------------------------------

Client ID - google.com/a/*mydomain*.com

Enabled - On

Consent Required - Off

Include AuthnStatement - On

Sign Documents - On

Sign Assertions - On

Signature Algorithm - RSA_SHA256

Canonicalization Method - EXCLUSIVE

Encrypt Assertions - Off

Client Signature Required - On

Force POST Binding - On

Front Channel Logout - On

Force Name ID Format - Off

Name ID Format - email

Root URL - empty

Valid Redirect URIs - empty

Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps

Master SAML Processing URL - empty

IDP Initiated SSO URL Name - googleapps

IDP Initiated SSO Relay State - empty

Assertion Consumer Service POST Binding URL - empty

Assertion Consumer Service Redirect Binding URL - https://google.com/a/*mydomain*.com/acs

logout-service-post-binding-url - empty

Logout Service Redirect Binding URL - empty
--------------------------------------------------------------

Google SSO Settings:

--------------------------------------------------------------
"Setup SSO with third party identity provider" checkbox - enabled

Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml

Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml

Change password URL - empty

Verification certificate - uploaded certificate from the Keycloak realm where the Google SAML client is defined.

"Use a domain specific issuer" checkbox - enabled
---------------------------------------------------------------

The problem:

When I go to this link - https://mail.google.com/a/*mydomain*.com - to authenticate, I'm redirected back to Keycloak with an "Invalid Requester" error, and in the Keycloak log I see this: "error=invalid_signature"

What signature is Keycloak complaining about?
What is wrong with my config?



-- 
 <https://www.youtube.com/watch?v=bs0V2F06liw>
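Added example, not part of the original post and not Keycloak or Google code: three signatures are in play in this setup, and only one of them is checked by the IDP. The "Sign Documents" and "Sign Assertions" settings are about the signature Keycloak puts on its Response and Assertion, which Google verifies with the uploaded certificate. "Client Signature Required" is about the opposite direction: the signature the SAML client (the SP, Google here) puts on the AuthnRequest it sends to Keycloak. The script below shows what an IDP looks at in that position for an HTTP-Redirect binding request: it decodes the SAMLRequest parameter, reports whether a signature is present (as detached SigAlg/Signature query parameters or as an embedded ds:Signature), and applies the require-signature policy. The issuer, URLs and request ID are constructed sample values shaped like the ones in the post; the policy outcome names are this example's own, and mapping the "missing signature" outcome onto Keycloak's invalid_signature log line is an assumption.

```python
"""Inspect a SAML 2.0 AuthnRequest the way an IDP does before deciding
whether the SP ("client" in Keycloak terms) signed it. Constructed data only."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def build_authn_request(issuer, acs_url, destination, request_id):
    # Minimal unsigned AuthnRequest, like the one an SP sends for SP-initiated SSO.
    # All values are constructed samples, not a capture from Google or Keycloak.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2016-12-15T12:44:56Z" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def to_redirect_query(xml, relay_state=None, sig_alg=None, signature_b64=None):
    # HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode. A signature,
    # if the SP adds one, travels in separate SigAlg/Signature parameters
    # rather than inside the XML (the XML is compressed, so it cannot be signed inline).
    comp = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    if signature_b64 is not None:
        params.append(("Signature", signature_b64))
    return urllib.parse.urlencode(params)


def inspect_redirect_request(query):
    # Parse what the IDP receives and report the facts the signature policy needs.
    params = dict(urllib.parse.parse_qsl(query))
    raw = base64.b64decode(params["SAMLRequest"])
    xml = zlib.decompress(raw, -15).decode()
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    embedded = root.find(f"{{{DS}}}Signature") is not None  # POST-binding style
    detached = "Signature" in params and "SigAlg" in params  # Redirect-binding style
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "request_id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "signed": embedded or detached,
    }


def client_signature_policy(info, client_signature_required):
    # The decision behind an IDP's "Client Signature Required" switch: when it is
    # on, an unsigned request from the SP is rejected before any cryptographic
    # verification against the client's certificate can even start. Outcome
    # names are this example's own (assumption), not Keycloak's error codes.
    if not client_signature_required:
        return "accept_unsigned"
    if not info["signed"]:
        return "reject_missing_signature"
    return "verify_signature"  # next step: check Signature with the SP's certificate


if __name__ == "__main__":
    query = to_redirect_query(build_authn_request(
        "google.com/a/example.com",                          # constructed issuer
        "https://google.com/a/example.com/acs",              # constructed ACS URL
        "https://idp.example/auth/realms/demo/protocol/saml",  # constructed IDP URL
        "_constructed-request-1"))
    info = inspect_redirect_request(query)
    print(info["issuer"], "signed" if info["signed"] else "unsigned",
          "->", client_signature_policy(info, client_signature_required=True))
```

Run as-is, the unsigned request is rejected under the require-signature policy; flipping the second argument to `False` accepts it, and passing `sig_alg`/`signature_b64` to `to_redirect_query` moves the outcome to the verification step instead.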