[keycloak-user] trouble acting as SP with testshib.org IdP

Jérôme Blanchard jayblanc at gmail.com
Thu Feb 11 11:14:37 EST 2016


Hi Steve,

I spent some time integrating into the Renater federation (the French
research Shibboleth federation) because Keycloak does not handle the
discovery service that parses the WAYF...
So I have developed a small app to parse this file and synchronize my 250
IdPs into Keycloak!! I also customized the template in order to build a
choice list taking info from my discovery app.
The next step for me is to fork the SAML provider of Keycloak to build a
dedicated Shibboleth one.
You probably faced some issues with transient nameId, because the Shibboleth
federation does not give a persistent nameId but a transient one, and
because Keycloak needs to associate the IdP/nameId to a real Keycloak
account, a transient nameId results in a new account for each new Shibboleth
IdP session...
You have to rely on the attribute eduPersonTargetedID, but this attribute is
a complex type and the Keycloak SAML attribute parser can't handle it
correctly. I have also made a small patch to avoid problems with that and to
ensure the mapping between this attribute and the nameID.

By the way, I'm interested to hear if you succeed, in order to share some tips
and to enlarge the knowledge base about those aspects around Shibboleth and
Keycloak.

Best regards, Jérôme.

On Thu, Feb 11, 2016 at 17:04, Steve Nolen <technolengy at gmail.com> wrote:

> Hi Jérôme!
>
> Thanks so much for the details!
>
> Perhaps the issue when uploading was actually the other issue I stumbled
> upon in this endeavor! When attempting to upload the keycloak sp metadata
> to testshib.org, I received a malformed metadata error; the testshib.org
> folks noted that the SingleLogoutService element must come before the
> NameID element (they also suggested removing the newline & whitespace from
> NameID, which existed in my keycloak sp metadata).
>
> Once I modified those I was able to upload at least.  I suppose the
> ordering/newline issues may be a fixable issue for keycloak.
>
> As for the signing issue, I think I'll give up on using the testshib
> instance (I did try to re-upload with your authn suggestion after fixing
> the SingleLogoutService and NameID issues I mentioned above) and did
> receive an invalid metadata error.  I appreciate your help though, and I'm
> sure that integrating with a univ IdP as I intend to will be a bit easier!
>
>
> On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard <jayblanc at gmail.com>
> wrote:
>
>> I'm able to reproduce your bug.
>> Running the authentication in debug mode with a breakpoint in
>> AssertionUtil.getAssertion() shows that the IdP refuses to use an
>> unencrypted response:
>>
>> StatusType [statusCode=StatusCodeType
>> [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null],
>> statusMessage=Unable to encrypt assertion, statusDetail=null]
>>
>> By the way, when I try to use Want AuthnRequests Signed = true, I
>> can't upload the configuration to the testshib site because it considers
>> the file not well-formed!!
>>
>> I'm sorry, but it seems that the configuration of testshib is very
>> well coupled to Shibboleth... Maybe you could try with your own instance of
>> an IdP.
>>
>> Best regards, Jérôme.
>>
>> On Wed, Feb 10, 2016 at 17:03, Steve Nolen <technolengy at gmail.com>
>> wrote:
>>
>>> Hi Jérôme,
>>>
>>> Thanks for the help! I swapped the NameId in keycloak for this broker to
>>> unspecified (I uploaded my sp metadata to testshib.org again as well
>>> just in case) and am still receiving the same error.
>>>
>>> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard <jayblanc at gmail.com>
>>> wrote:
>>>
>>>> Hi Steve,
>>>>
>>>> I'm using Keycloak as a Shibboleth SP in a federation (Renater) and
>>>> it's working fine. The problem you encounter comes from the fact that you
>>>> ask for a persistent nameId in the config of your SP and, according to the
>>>> provider details, it's only able to send a transient nameId.
>>>> Set the nameId parameter to undefined and check the authentication
>>>> again.
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Wed, Feb 10, 2016 at 03:57, Steve Nolen <technolengy at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> First of all, keycloak is legitimately awesome!
>>>>>
>>>>> I was attempting to test the use of keycloak as a shibboleth SP today
>>>>> (testing against the testshib.org test IdP) and am having some
>>>>> trouble.
>>>>>
>>>>> Keycloak Version: 1.9.0CR1 (using it on openshift currently)
>>>>>
>>>>> Both sides seem to be set up as they should (I used the testshib
>>>>> endpoint to import the settings to keycloak). I'm able to take the redirect
>>>>> over to idp.testshib but on logging in I get a 500 Internal Server Error
>>>>> from keycloak.  The message is "No Assertion from response" (stack trace
>>>>> below).
>>>>>
>>>>> Any thoughts on what might be missing?
>>>>>
>>>>> ==== stack trace ====
>>>>> http://pastebin.com/3tsApUKK
>>>>>
>>>>> ==== broker details ====
>>>>>
>>>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>>>
>>>>> ==== provider details ====
>>>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>>>
>>>>> Thank you!
>>>>> Steve
>>>>>
>>>>
>>>>
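
The transient-nameId problem and the complex-typed eduPersonTargetedID attribute described at the top of this message, as an added example that is not part of the thread and is not Keycloak code. The function names, entity IDs and values are hypothetical, the assertion is assumed to be signature-verified already, and the `!`-joined key is one common serialization of the nested NameID.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed assertion; entity IDs and identifier values are placeholders.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-session-handle</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     NameQualifier="https://idp.example.org/idp/shibboleth"
                     SPNameQualifier="https://sp.example.org/realms/demo">constructed-opaque-id</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def scoped(nameid):
    """Serialize a NameID element as NameQualifier!SPNameQualifier!value."""
    value = (nameid.text or "").strip()
    qualifiers = (nameid.get("NameQualifier", ""), nameid.get("SPNameQualifier", ""))
    return "!".join(qualifiers + (value,)) if value else None


def stable_subject(assertion_xml):
    """Return (source, key) to link a local account to; raise if nothing stable exists."""
    root = ET.fromstring(assertion_xml)  # assumption: signature already verified
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != EPTID:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            nested = value.find("saml:NameID", NS)
            # The complex form nests a NameID; value.text alone is only whitespace.
            key = scoped(nested) if nested is not None else (value.text or "").strip()
            if key:
                return "eduPersonTargetedID", key
    subject = root.find(".//saml:Subject/saml:NameID", NS)
    if subject is not None and subject.get("Format") == PERSISTENT and scoped(subject):
        return "NameID", scoped(subject)
    raise ValueError("no persistent identifier: refusing to link on a transient NameID")
```

Raising instead of falling back to the transient value is what prevents a new local account from being created on every IdP session.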
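
A check for the two SP metadata defects reported in the thread (element order and padded NameID text), as an added example that is not part of the thread and is not Keycloak or testshib.org code. It assumes the "NameID element" mentioned is the metadata `NameIDFormat` element; the function names and URLs are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# SPSSODescriptor child order from the SAML 2.0 metadata schema.
ORDER = ["{http://www.w3.org/2000/09/xmldsig#}Signature"] + [f"{{{MD}}}{n}" for n in (
    "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "AssertionConsumerService", "AttributeConsumingService")]
RANK = {tag: position for position, tag in enumerate(ORDER)}

# Constructed SP metadata showing both defects; URLs are placeholders.
SAMPLE = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/realms/demo">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def lint_sp_metadata(xml_text):
    """Report out-of-order SPSSODescriptor children and padded NameIDFormat values."""
    findings = []
    for sp in ET.fromstring(xml_text).iter(f"{{{MD}}}SPSSODescriptor"):
        top, top_name = -1, ""
        for child in sp:
            name, text = child.tag.split("}")[-1], child.text or ""
            if name == "NameIDFormat" and text != text.strip():
                findings.append("NameIDFormat has surrounding whitespace")
            if RANK.get(child.tag, len(RANK)) < top:
                findings.append(f"{name} must come before {top_name}")
            else:
                top, top_name = RANK.get(child.tag, len(RANK)), name
    return findings


def fix_sp_metadata(xml_text):
    """Return metadata with children in schema order and NameIDFormat trimmed."""
    ET.register_namespace("", MD)  # serialize MD as the default namespace
    root = ET.fromstring(xml_text)
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        # Stable sort: elements of the same type keep their relative order.
        sp[:] = sorted(sp, key=lambda e: RANK.get(e.tag, len(RANK)))
    for fmt in root.iter(f"{{{MD}}}NameIDFormat"):
        fmt.text = (fmt.text or "").strip()
    return ET.tostring(root, encoding="unicode")
```

Rewriting the document invalidates any XML signature over the metadata, so a signed descriptor has to be re-signed after the fix.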