[keycloak-user] Google as SAML SP and Keycloak as IDP - invalid_signature [Solved]

Georgijs Radovs georgijsr at scandiweb.com
Thu Dec 15 11:43:51 EST 2016


Hello again!

Problem solved.

Keycloak <-> Google SAML working.

The problem was with Sign-in URL on Google App's configuration side.

Sign-in page URL was - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml*

But, after I changed it to this:

Sign-in page URL - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml/clients/googleapps*

and made these changes:

Set *Client Signature Required* to *Off*

Set *Assertion Consumer Service POST Binding URL* to 
*https://google.com/a/"mydomain".com/acs*

Set *Assertion Consumer Service Redirect Binding URL* to *empty*

Set *Assertion Consumer Service POST Binding URL* to 
*https://www.google.com/a/"mydomain".com/acs*

It worked.

Also, if you need *IDP initiated SSO URL* to work, add *?RelayState=true* to the *Base URL*, like this:

*/auth/realms/"keycloak realm"/protocol/saml/clients/googleapps?RelayState=true*

On 2016.12.15. 14:44, Georgijs Radovs wrote:
> Hello everyone!
>
>
> I'm trying to configure SSO to Google Apps, using SAML protocol and 
> Keycloak as IDP and Google as SP.
>
> Keycloak Version - 2.1.0-Final
>
> In Keycloak, I've created a new saml client with following settings:
>
> ----------------------------------------------------------------
>
> Client ID - google.com/a/*mydomain*.com
>
> Enabled - On
>
> Consent Required - Off
>
> Include AuthnStatement - On
>
> Sign Documents - On
>
> Sign Assertions - On
>
> Signature Algorithm - RSA_SHA256
>
> Canonicalization Method - EXCLUSIVE
>
> Encrypt Assertions - Off
>
> Client Signature Required - On
>
> Force POST Binding - On
>
> Front Channel Logout - On
>
> Force Name ID Format - Off
>
> Name ID Format - email
>
> Root URL - empty
>
> Valid Redirect URIs - empty
>
> Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps
>
> Master SAML Processing URL - empty
>
> IDP Initiated SSO URL Name - googleapps
>
> IDP Initiated SSO Relay State - empty
>
> Assertion Consumer Service POST Binding URL - empty
>
> Assertion Consumer Service Redirect Binding URL - 
> https://google.com/a/*mydomain*.com/acs
>
> logout-service-post-binding-url - empty
>
> Logout Service Redirect Binding URL - empty
> --------------------------------------------------------------
>
> Google SSO Settings:
>
> --------------------------------------------------------------
> "Setup SSO with third party identity provider" checkbox - enabled
>
> Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm 
> name*/protocol/saml
>
> Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak 
> realm name*/protocol/saml
>
> Change password URL - empty
>
> Verification certificate - uploaded certificate from keycloak realm, 
> where Google SAML client is defined.
>
> "Use a domain specific issuer" checkbox - enabled
> ---------------------------------------------------------------
>
> The problem:
>
> When I go to this link - https://mail.google.com/a/*mydomain*.com, to 
> authenticate, I'm redirected back to Keycloak with "Invalid Requester" 
> error and in Keycloak log I see this: "error=invalid_signature"
>
> What signature is Keycloak complaining about?
> What is wrong with my config?
>
>


-- 
 <https://www.youtube.com/watch?v=bs0V2F06liw>
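The two settings that resolved the thread, turning *Client Signature Required* off while pinning the *Assertion Consumer Service POST Binding URL*, belong together: an IdP that stops demanding a signature on the AuthnRequest has to stop trusting anything else in that request, including the ACS URL it asks the response to be posted to. The small model below, added here as an illustration and not code from Keycloak or from the poster, walks through that IdP-side decision. The XML requests, the `example.com` domain, the client registry and the `unverified_acs` policy are all constructed for the example; real XML-DSig verification is represented by the `signature_ok` hook, and Keycloak's actual request handling is not claimed to match this model line for line.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an AuthnRequest from an SP that does not sign its requests.
# The Issuer follows the Client ID pattern from the thread; example.com is a placeholder.
UNSIGNED_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2016-12-15T11:43:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request carrying a placeholder <ds:Signature> (not cryptographically valid).
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</samlp:AuthnRequest>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    "</samlp:AuthnRequest>",
)


def make_client(client_signature_required, acs_post_url):
    """Hypothetical registry entry holding the two settings the thread is about."""
    return {
        "client_signature_required": client_signature_required,
        "acs_post_url": acs_post_url,
    }


# "Before": the original configuration (signature required, POST ACS left empty).
CLIENTS_BEFORE = {"google.com/a/example.com": make_client(True, None)}
# "After": the working configuration (signature not required, POST ACS pinned).
CLIENTS_AFTER = {
    "google.com/a/example.com": make_client(
        False, "https://www.google.com/a/example.com/acs"
    )
}


def process_authn_request(xml_text, clients, signature_ok=lambda root: False):
    """Decide how the IdP handles an incoming AuthnRequest.

    Returns ("error", reason) or ("ok", acs_url). signature_ok is the hook where
    XML-DSig verification against the client's certificate would run; it defaults
    to rejecting because the placeholder signature above is not a real one.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    client = clients.get(issuer)
    if client is None:
        return ("error", "unknown_client")

    # A request counts as signed only if a Signature is present AND verifies.
    signed = root.find("ds:Signature", NS) is not None and signature_ok(root)
    if client["client_signature_required"] and not signed:
        # This is the outcome behind the "error=invalid_signature" log line.
        return ("error", "invalid_signature")

    pinned = client["acs_post_url"]
    if pinned:
        # Pinned ACS wins: the response goes where the admin configured it,
        # regardless of what an (unsigned) request asks for.
        return ("ok", pinned)

    # No pinned ACS: the request is the only source, trustworthy only when signed.
    requested = root.get("AssertionConsumerServiceURL")
    if signed and requested:
        return ("ok", requested)
    return ("error", "unverified_acs")


if __name__ == "__main__":
    print(process_authn_request(UNSIGNED_REQUEST, CLIENTS_BEFORE))
    print(process_authn_request(UNSIGNED_REQUEST, CLIENTS_AFTER))
```

Run against the constructed "before" registry the unsigned request yields `invalid_signature`, matching the symptom in the thread; against the "after" registry it succeeds and the response is routed to the pinned Google ACS. A registry with the signature requirement off but no pinned ACS is the combination to avoid, and the model rejects it rather than honouring an ACS URL nobody has vouched for.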

