[keycloak-user] trouble acting as SP with testshib.org IdP

Jérôme Blanchard jayblanc at gmail.com
Thu Feb 11 06:19:53 EST 2016


I'm able to reproduce your bug.
Running the authentication in debug mode with a breakpoint in
AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted
response:

StatusType [statusCode=StatusCodeType
[value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null],
statusMessage=Unable to encrypt assertion, statusDetail=null]

By the way, when I try to use Want AuthnRequests Signed = true, I can't
upload the configuration to the testshib site because it considers the file
not well-formed!

I'm sorry, but it seems that the testshib configuration is very tightly
coupled to Shibboleth... Maybe you could try with your own instance of an
IdP.

Best regards, Jérôme.

On Wed, 10 Feb 2016 at 17:03, Steve Nolen <technolengy at gmail.com> wrote:

> Hi Jérôme,
>
> Thanks for the help! I swapped the NameId in keycloak for this broker to
> unspecified (I uploaded my sp metadata to testshib.org again as well just
> in case) and am still receiving the same error.
>
> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard <jayblanc at gmail.com>
> wrote:
>
>> Hi Steve,
>>
>> I'm using Keycloak as a Shibboleth SP in a federation (Renater) and it's
>> working fine. The problem you encounter comes from the fact that you ask
>> for a persistent nameId in the config of your SP and, according to the
>> provider details, it's only able to send a transient nameId.
>> Set the nameId parameter to undefined and check the authentication
>> again.
>>
>> Best regards, Jérôme.
>>
>> On Wed, 10 Feb 2016 at 03:57, Steve Nolen <technolengy at gmail.com>
>> wrote:
>>
>>> Hi!
>>>
>>> First of all, keycloak is legitimately awesome!
>>>
>>> I was attempting to test the use of Keycloak as a Shibboleth SP today
>>> (testing against the testshib.org test IdP) and am having some trouble.
>>>
>>> Keycloak Version: 1.9.0CR1 (using it on openshift currently)
>>>
>>> Both sides seem to be set up as they should (I used the testshib
>>> endpoint to import the settings to keycloak). I'm able to take the redirect
>>> over to idp.testshib but on logging in I get a 500 Internal Server Error
>>> from keycloak.  The message is "No Assertion from response" (stack trace
>>> below).
>>>
>>> Any thoughts on what might be missing?
>>>
>>> ==== stack trace ====
>>> http://pastebin.com/3tsApUKK
>>>
>>> ==== broker details ====
>>>
>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>
>>> ==== provider details ====
>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>
>>> Thank you!
>>> Steve
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
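The breakpoint in AssertionUtil.getAssertion() above surfaced the real cause only after stepping through the SAML Response by hand. Below is an added example (not Keycloak, Shibboleth or testshib code) of the check a practitioner would run on a captured Response first: it reads the samlp:Status the IdP returned and reports whether the Response carries a plain saml:Assertion or a saml:EncryptedAssertion, so a refusal like "Unable to encrypt assertion" under status:Responder is reported as the IdP's own message instead of the SP-side symptom "No Assertion from response". Both sample responses are constructed for this example; the idp.example.org / sp.example.org hostnames, the IDs and the ciphertext placeholder are assumptions, not data from the thread.

```python
"""Diagnose a SAML 2.0 Response before looking for an Assertion.

Added example, not code from Keycloak or any IdP. The two sample responses
at the bottom are constructed; hostnames, IDs and ciphertext are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def diagnose(response_xml: str) -> dict:
    """Return the status and assertion shape of a SAML 2.0 Response."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)

    # samlp:Status is mandatory. The top-level StatusCode says which side
    # failed (Requester vs Responder); an optional nested code adds detail.
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no samlp:Status")
    code = status.find("samlp:StatusCode", NS)
    top_code = code.get("Value") if code is not None else None
    sub = code.find("samlp:StatusCode", NS) if code is not None else None
    sub_code = sub.get("Value") if sub is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    message = msg.text.strip() if msg is not None and msg.text else None

    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "top_code": top_code,
        "sub_code": sub_code,
        "message": message,
        "ok": top_code == STATUS_SUCCESS,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def explain(report: dict) -> str:
    """Turn a diagnose() report into the one line an operator wants to read."""
    if not report["ok"]:
        who = (report["top_code"] or "?").rsplit(":", 1)[-1]
        detail = report["message"] or report["sub_code"] or "no StatusMessage"
        return "IdP %s returned non-success status %s: %s" % (
            report["issuer"], who, detail)
    if report["encrypted_assertions"]:
        return "success with %d EncryptedAssertion(s): decrypt with the SP key" % (
            report["encrypted_assertions"])
    if report["assertions"]:
        return "success with %d plain Assertion(s)" % report["assertions"]
    return "success status but no Assertion or EncryptedAssertion in the Response"


# Constructed sample 1: the status the thread's breakpoint showed, as XML.
RESPONDER_FAILURE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-02-11T10:00:00Z"
    Destination="https://sp.example.org/auth/realms/example/broker/idp/endpoint">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>Unable to encrypt assertion</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>
"""

# Constructed sample 2: the shape a successful, encrypting IdP sends.
# The EncryptedData body is a placeholder, not real ciphertext.
SUCCESS_ENCRYPTED = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp2" Version="2.0" IssueInstant="2016-02-11T10:00:05Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for sample in (RESPONDER_FAILURE, SUCCESS_ENCRYPTED):
        print(explain(diagnose(sample)))
```

A status:Responder result is the IdP's decision, so the next place to look is the IdP side rather than the SP's assertion parsing: in general SAML terms, an IdP that insists on encrypting assertions needs the SP's encryption certificate from the SP metadata, so comparing the published SP metadata against what the IdP has loaded is the usual first check. Run the script on a Response captured from the browser (base64-decoded SAMLResponse form field) to get the same diagnosis without attaching a debugger.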