[keycloak-user] trouble acting as SP with testshib.org IdP

Steve Nolen technolengy at gmail.com
Thu Feb 11 11:04:20 EST 2016


Hi Jérôme!

Thanks so much for the details!

Perhaps the issue when uploading was actually the other issue I stumbled
upon in this endeavor! When attempting to upload the keycloak sp metadata
to testshib.org, I received a malformed metadata error; the testshib.org
folks noted that the SingleLogoutService element must come before the
NameID element (they also suggested removing the newline and whitespace from
NameID, which existed in my keycloak sp metadata).

Once I modified those I was able to upload at least.  I suppose the
ordering/newline issues may be a fixable issue for keycloak.

As for the signing issue, I think I'll give up on using the testshib
instance (I did try to re-upload with your authn suggestion after fixing
the SingleLogoutService and NameID issues I mentioned above) and did
receive an invalid metadata error.  I appreciate your help though, and I'm
sure that integrating with a univ IdP as I intend to will be a bit easier!


On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard <jayblanc at gmail.com> wrote:

> I'm able to reproduce your bug.
> Making authentication in debug mode with a breakpoint in
> AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted
> response:
>
> StatusType [statusCode=StatusCodeType
> [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null],
> statusMessage=Unable to encrypt assertion, statusDetail=null]
>
> By the way, when I try to use Want AuthnRequests Signed = true, I can't
> upload the configuration to the testshib site because it considers the file
> as not well-formed!!
>
> I'm sorry, but it seems that the configuration of the testshib is very
> well coupled to shibboleth... Maybe you could try with your own instance of
> an IdP.
>
> Best regards, Jérôme.
>
> On Wed., Feb. 10, 2016 at 17:03, Steve Nolen <technolengy at gmail.com>
> wrote:
>
>> Hi Jérôme,
>>
>> Thanks for the help! I swapped the NameId in keycloak for this broker to
>> unspecified (I uploaded my sp metadata to testshib.org again as well
>> just in case) and am still receiving the same error.
>>
>> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard <jayblanc at gmail.com>
>> wrote:
>>
>>> Hi Steve,
>>>
>>> I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's
>>> working fine. The problem you encounter comes from the fact that you ask
>>> for a persistent nameId in the config of your SP and, according to the
>>> provider details, it's only able to send a transient nameId.
>>> Fill in the nameId parameter as undefined and check the authentication
>>> again.
>>>
>>> Best regards, Jérôme.
>>>
>>> On Wed., Feb. 10, 2016 at 03:57, Steve Nolen <technolengy at gmail.com>
>>> wrote:
>>>
>>>> Hi!
>>>>
>>>> First of all, keycloak is legitimately awesome!
>>>>
>>>> I was attempting to test the use of keycloak as a shibboleth SP today
>>>> (testing against the testshib.org test IdP) and am having some trouble.
>>>>
>>>> Keycloak Version: 1.9.0CR1 (using it on openshift currently)
>>>>
>>>> Both sides seem to be set up as they should (I used the testshib
>>>> endpoint to import the settings to keycloak). I'm able to take the redirect
>>>> over to idp.testshib but on logging in I get a 500 Internal Server Error
>>>> from keycloak.  The message is "No Assertion from response" (stack trace
>>>> below).
>>>>
>>>> Any thoughts on what might be missing?
>>>>
>>>> ==== stack trace ====
>>>> http://pastebin.com/3tsApUKK
>>>>
>>>> ==== broker details ====
>>>>
>>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>>
>>>> ==== provider details ====
>>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>>
>>>> Thank you!
>>>> Steve
>>>>
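An added example (not code from this thread, from Keycloak or from testshib.org) that lints SP metadata for the two problems discussed above: the SingleLogoutService/NameIDFormat ordering and whitespace errors hit when uploading, and the persistent-vs-transient NameID mismatch pointed out earlier in the thread. The element order follows the SAML 2.0 metadata schema for SPSSODescriptor; the sample documents and their entity IDs are constructed, and a bare `urn:...:persistent` request against an IdP that only advertises `transient` is reported as the third problem.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Child order the SAML 2.0 metadata schema prescribes for SPSSODescriptor.
SP_ORDER = ["Signature", "Extensions", "KeyDescriptor", "Organization",
            "ContactPerson", "ArtifactResolutionService",
            "SingleLogoutService", "ManageNameIDService", "NameIDFormat",
            "AssertionConsumerService", "AttributeConsumingService"]

def lint_sp_metadata(sp_xml, idp_xml=None):
    """Return the problems found in the SP metadata (empty list = clean)."""
    problems, sp_formats = [], []
    sp = ET.fromstring(sp_xml).find(f".//{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor in SP metadata"]
    last = -1                 # 1. a child's schema rank must never go backwards
    for child in sp:
        name = child.tag.rsplit("}", 1)[-1]            # strip the namespace
        rank = SP_ORDER.index(name) if name in SP_ORDER else last
        if rank < last:
            problems.append(f"{name} must come before {SP_ORDER[last]}")
        last = max(last, rank)
    for nid in sp.findall(f"{{{MD}}}NameIDFormat"):    # 2. anyURI: no padding
        text = nid.text or ""
        if text != text.strip():
            problems.append("NameIDFormat contains surrounding whitespace")
        sp_formats.append(text.strip())
    if idp_xml is not None:   # 3. requested format must be one the IdP offers
        idp = ET.fromstring(idp_xml).find(f".//{{{MD}}}IDPSSODescriptor")
        offered = set() if idp is None else {
            (n.text or "").strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")}
        for fmt in sp_formats:
            if offered and fmt not in offered:   # no list advertised = no claim
                problems.append(f"IdP does not offer NameID format {fmt}")
    return problems

# Constructed sample documents, not real testshib.org or Keycloak output.
SP_BAD = f"""<EntityDescriptor xmlns="{MD}"><SPSSODescriptor>
  <NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  </NameIDFormat>
  <SingleLogoutService Location="https://sp.example/logout"/>
  <AssertionConsumerService Location="https://sp.example/acs" index="0"/>
</SPSSODescriptor></EntityDescriptor>"""
IDP = f"""<EntityDescriptor xmlns="{MD}"><IDPSSODescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
</IDPSSODescriptor></EntityDescriptor>"""
if __name__ == "__main__":
    for problem in lint_sp_metadata(SP_BAD, IDP):
        print("-", problem)
```

Running it against SP_BAD and IDP lists the ordering error, the whitespace error and the unsupported persistent format; with the elements reordered, the URI trimmed and the format set to transient, the list is empty.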