[keycloak-user] trouble acting as SP with testshib.org IdP
Bill Burke
bburke at redhat.com
Thu Feb 11 11:57:02 EST 2016
Just create a detailed jira on how we can make this easier.
On 2/11/2016 11:21 AM, Steve Nolen wrote:
> Sounds like you've got quite some experience with this!! I would
> certainly be happy to share any steps/procedure I use when I'm
> successful!
>
> > Next step for me is to fork the saml provider of keycloak to built a dedicated shibboleth one.
> This is good news as well. I've noticed that a very large percentage
> of people creating SPs for shibboleth tend to use the standard
> shibd/apache setup so as to avoid touching shibboleth as much as
> possible. It would be fantastic to be able to use keycloak in place of
> that where possible!
>
> On Thu, Feb 11, 2016 at 8:14 AM Jérôme Blanchard <jayblanc at gmail.com
> <mailto:jayblanc at gmail.com>> wrote:
>
> Hi Steve,
>
> I spent some time in order to integrate into Renater federation
> (french research shibboleth federation) because keycloak does not
> handle the discovery service that parses the WAYF...
> So I have developed a small app to parse this file and synchronize
> my 250 IdPs into keycloak !! I also customized the template in order
> to build a choice list taking info from my discovery app.
> Next step for me is to fork the saml provider of keycloak to build
> a dedicated shibboleth one.
> You probably faced some issues about transient nameid because
> shibboleth federation does not give a persistent nameId but a
> transient one and because keycloak needs to associate the
> IdP/nameId to a real keycloak account, transient nameid results in
> a new account for each new shibboleth IdP session...
> You have to rely on an attribute eduPersonTargetedID but this
> attribute is a complex type and keycloak SAML attribute parser
> can't handle it correctly. I have made a small patch also to avoid
> problems with that and to ensure the mapping between this attribute
> and the nameID.
>
> By the way, I'm interested if you succeed in order to share some
> tips and to enlarge the knowledge base about those aspects around
> Shibboleth and keycloak.
>
> Best regards, Jérôme.
>
> On Thu, Feb 11, 2016 at 17:04, Steve Nolen <technolengy at gmail.com> wrote:
>
> Hi Jérôme!
>
> Thanks so much for the details!
>
> Perhaps the issue when uploading was actually the other issue
> I stumbled upon in this endeavor! When attempting to upload
> the keycloak sp metadata to testshib.org, I received a malformed
> metadata error; the testshib.org folks noted that the
> SingleLogoutService element must come before the NameID
> element (they also suggested removing the newline & whitespace
> from NameID, which existed in my keycloak sp metadata).
>
> Once I modified those I was able to upload at least. I
> suppose the ordering/newline issues may be a fixable issue for
> keycloak.
>
> As for the signing issue, I think I'll give up on using the
> testshib instance (I did try to re-upload with your authn
> suggestion after fixing the SingleLogoutService and NameID
> issues I mentioned above) and did receive an invalid metadata
> error. I appreciate your help though, and I'm sure that
> integrating with a univ IdP as I intend to will be a bit easier!
>
>
> On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard
> <jayblanc at gmail.com <mailto:jayblanc at gmail.com>> wrote:
>
> I'm able to reproduce your bug.
> Authenticating in debug mode with a break point in
> AssertionUtil.getAssertion() shows that the IdP refuses to
> use an unencrypted response :
>
> StatusType [statusCode=StatusCodeType
> [value=urn:oasis:names:tc:SAML:2.0:status:Responder,
> statusCode=null], statusMessage=Unable to encrypt
> assertion, statusDetail=null]
>
> By the way, when I try to use Want AuthnRequests
> Signed = true, I can't upload the configuration to the
> testshib site because it considers the file as not
> well-formed !!
>
> I'm sorry, but it seems that the configuration of the
> testshib is very well coupled to shibboleth... Maybe you
> could try with your own instance of an IdP.
>
> Best regards, Jérôme.
>
> On Wed, Feb 10, 2016 at 17:03, Steve Nolen <technolengy at gmail.com> wrote:
>
> Hi Jérôme,
>
> Thanks for the help! I swapped the NameId in keycloak
> for this broker to unspecified (I uploaded my sp
> metadata to testshib.org again as well just in case)
> and am still receiving the same error.
>
> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard
> <jayblanc at gmail.com <mailto:jayblanc at gmail.com>> wrote:
>
> Hi Steve,
>
> I'm using Keycloak as a shibboleth SP in a
> federation (Renater) and it's working fine. The
> problem you encounter comes from the fact that you
> ask for a persistent nameId in the config of your
> SP and, according to the provider details, it's
> only able to send transient nameId.
> Feel the parameter of nameId to undefined and
> check the authentication again.
>
> Best regards, Jérôme.
>
> On Wed, Feb 10, 2016 at 03:57, Steve Nolen <technolengy at gmail.com> wrote:
>
> Hi!
>
> First of all, keycloak is legitimately awesome!
>
> I was attempting to test the use of keycloak
> as a shibboleth SP today (testing against the
> testshib.org test IdP) and am having some trouble.
>
> Keycloak Version: 1.9.0CR1 (using it on
> openshift currently)
>
> Both sides seem to be set up as they should (I
> used the testshib endpoint to import the
> settings to keycloak). I'm able to take the
> redirect over to idp.testshib but on logging
> in I get a 500 Internal Server Error from
> keycloak. The message is "No Assertion from
> response" (stack trace below).
>
> Any thoughts on what might be missing?
>
> ==== stack trace ====
> http://pastebin.com/3tsApUKK
>
> ==== broker details ====
> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>
> ==== provider details ====
> https://www.testshib.org/metadata/testshib-providers.xml
>
> Thank you!
> Steve
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
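The two metadata problems Steve describes above (SingleLogoutService placed after NameIDFormat, and stray newlines inside NameIDFormat) can be caught and repaired before upload. The script below is an added example, not code from this thread or from Keycloak; the sample metadata, entity ID and endpoint URLs are constructed, and the child order is the one the SAML 2.0 metadata schema defines for SPSSODescriptor.

```python
# Checks SAML 2.0 SP metadata for: SPSSODescriptor children out of schema order, and whitespace in NameIDFormat.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Child order required by the SAML 2.0 metadata schema for SPSSODescriptor.
SP_CHILD_ORDER = [f"{{{DS}}}Signature"] + [f"{{{MD}}}{n}" for n in (
    "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "AssertionConsumerService", "AttributeConsumingService")]

def _rank(elem):  # unknown elements sort last; stable sort keeps their relative order
    return SP_CHILD_ORDER.index(elem.tag) if elem.tag in SP_CHILD_ORDER else len(SP_CHILD_ORDER)

def _local(e):  # "{ns}Name" -> "Name"
    return e.tag.rsplit("}", 1)[-1]

def check_sp_metadata(xml_text):
    """Return the problems found; an empty list means the metadata passed."""
    problems = []
    for sp in ET.fromstring(xml_text).iter(f"{{{MD}}}SPSSODescriptor"):
        kids = list(sp)
        for prev, cur in zip(kids, kids[1:]):
            if _rank(cur) < _rank(prev):
                problems.append(f"{_local(cur)} must come before {_local(prev)}")
        for fmt in sp.findall(f"{{{MD}}}NameIDFormat"):
            if (fmt.text or "") != (fmt.text or "").strip():
                problems.append(f"NameIDFormat has surrounding whitespace: {fmt.text!r}")
    return problems

def fix_sp_metadata(xml_text):
    """Reorder SPSSODescriptor children per schema and trim NameIDFormat text."""
    ET.register_namespace("md", MD)
    root = ET.fromstring(xml_text)
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for fmt in sp.findall(f"{{{MD}}}NameIDFormat"):
            fmt.text = (fmt.text or "").strip()
        sp[:] = sorted(sp, key=_rank)  # stable sort keeps repeated endpoints in order
    return ET.tostring(root, encoding="unicode")

# Constructed sample with the defects testshib.org rejected (not real Keycloak output).
BAD_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/broker">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.test/broker/endpoint"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/broker/endpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_sp_metadata` on the descriptor exported from the broker endpoint; `fix_sp_metadata` returns a reordered copy you can upload instead.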