[keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider
Mai Zi
ornot2008 at yahoo.com
Sat Jan 16 21:41:10 EST 2016
Hi, B.B.1) You mention "The external SAML IDP is not setting RelayState correctly. It is
supposed to pass it as is."
>From our observation, in most of time, the broke keycloak works well, but at somepoint, once an error occurs, then the state will go into a mess unless you restart the keycloak. Suppose this is caused by incorrect relaystate of IDP and given the external idp is a ADFS, what we can tell to the ADFS admin to fix this ? Sorry we are not very familiar with this field and need your help.
2) we also observe there is a WARN in the log as below, 23:13:29,867 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, ipAddress=42.159.242.241, error=invalid_code, grant_type=authorization_code, code_id=a1679537-3577-4aa6-8dcd-13bc3804f99c, client_auth_method=client-secret This warn will mean something?
3) In our current IDP broke case, in the admin console, realm settings---Tokens tab, there are several configurations. what is the relationship with the IDP 's ? Or , in broke model, it is not necessary to set them ?
On Saturday, January 16, 2016 9:34 PM, Mai Zi <ornot2008 at yahoo.com> wrote:
One observation from keycloak log is as below:
2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
In this case, we use the same account to lgoin from different clients at the same time. That is ,we may use two machines's browser to try to login into the same IDP account. I am not sure this is a legal case or not .
Thanks a lot
On Saturday, January 16, 2016 1:26 PM, Mai Zi <ornot2008 at yahoo.com> wrote:
We user 1.7.0 final as SP to broke a SAML 2.0 IDP. We secure the realm for several clients . Here is the demo link : http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en
The test account is
ID : S2\Testnew2Password : Daksh at 123
We found keycloak works not stably . The response will be dead from time to time.
Pls take a try and help us . let me know what info you need.
Mai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160117/812d13b7/attachment-0001.html
More information about the keycloak-user
mailing list