[keycloak-user] Cannot work from time to time for brokered SAML 2.0 Identity provider
Bill Burke
bburke at redhat.com
Sat Jan 16 09:43:53 EST 2016
The external SAML IDP is not setting RelayState correctly. It is
supposed to pass it as is.
On 1/16/2016 8:34 AM, Mai Zi wrote:
>
> One observation from keycloak log is as below:
>
> 2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
> 2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
>     at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
>     at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> In this case, we use the same account to log in from different clients at the same time. That is, we may use two machines' browsers to try to log in to the same IDP account.
> I am not sure whether this is a legal case or not.
> Thanks a lot
> On Saturday, January 16, 2016 1:26 PM, Mai Zi <ornot2008 at yahoo.com> wrote:
>
> We use 1.7.0 Final as SP to broker a SAML 2.0 IDP. We secure the
> realm for several clients.
> Here is the demo link :
> http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en
>
> The test account is
>
> ID : S2\Testnew2
> Password : Daksh at 123
>
> We found keycloak does not work stably. The response will be dead from
> time to time.
>
> Please take a try and help us. Let me know what info you need.
>
>
> Mai
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com