[keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider

Mai Zi ornot2008 at yahoo.com
Sat Jan 16 21:41:10 EST 2016


Hi B.B.,

1) You mention: "The external SAML IDP is not setting RelayState correctly. It is supposed to pass it as is."
From our observation, most of the time the brokered Keycloak works well, but at some point, once an error occurs, the state goes into a mess unless you restart Keycloak. Suppose this is caused by an incorrect RelayState from the IdP, and given that the external IdP is ADFS, what can we tell the ADFS admin to fix this? Sorry, we are not very familiar with this field and need your help.

2) We also observe a WARN in the log, as below:
23:13:29,867 WARN  [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, ipAddress=42.159.242.241, error=invalid_code, grant_type=authorization_code, code_id=a1679537-3577-4aa6-8dcd-13bc3804f99c, client_auth_method=client-secret
Does this warning mean something?

3) In our current IdP brokering case, in the admin console under Realm Settings -> Tokens tab, there are several configurations. What is their relationship with the IdP's? Or, in brokering mode, is it not necessary to set them?
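The RelayState behaviour the reply refers to, shown as an added example (this is illustrative code written for this page, not Keycloak's or ADFS's implementation): a brokering SP stores a one-time login code, sends it to the IdP as RelayState, and can only finish the login if the IdP echoes that RelayState back byte-for-byte. The broker class, the client IDs and the placeholder SAML payloads are all assumptions; the scenarios model what happens when the IdP alters, drops or replays the value, and when two browsers log in concurrently with their own codes.

```python
"""Simulated SAML 2.0 RelayState round trip between a brokering SP and an IdP.

Illustrative model only (not Keycloak or ADFS code): the SP keys each pending
login on the RelayState value it sent, so a response whose RelayState was
changed, dropped or already consumed cannot be tied to any client session.
"""
import base64
import secrets


class BrokerSP:
    """Minimal brokering SP with a table of pending logins keyed by RelayState."""

    def __init__(self, ttl_seconds=300):
        self.pending = {}        # relay_state -> (client_id, started_at)
        self.ttl = ttl_seconds   # how long a pending login stays valid

    def start_login(self, client_id, now):
        # The code must be unguessable and single-use: it is the only link
        # between the IdP's response and the client session waiting for it.
        # (The SAML 2.0 Bindings spec caps RelayState at 80 bytes, so keep it
        # an opaque handle rather than encoding session data into it.)
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, now)
        authn_request = base64.b64encode(b"<samlp:AuthnRequest/>").decode()  # placeholder
        return {"SAMLRequest": authn_request, "RelayState": code}

    def finish_login(self, form, now):
        state = form.get("RelayState")
        entry = self.pending.pop(state, None)   # pop: each code is consumed once
        if entry is None:
            return ("error", "invalid_code")    # unknown, altered or replayed state
        client_id, started_at = entry
        if now - started_at > self.ttl:
            return ("error", "expired_code")
        return ("ok", client_id)


def idp_respond(request_form, mangle=None):
    """Simulated IdP. A conforming IdP echoes RelayState verbatim; `mangle`
    models a misconfigured IdP that alters it (returning None drops it)."""
    state = request_form["RelayState"]
    if mangle is not None:
        state = mangle(state)
    response = {"SAMLResponse": base64.b64encode(b"<samlp:Response/>").decode()}  # placeholder
    if state is not None:
        response["RelayState"] = state
    return response


def run_scenarios():
    """Run the round trip under several IdP behaviours; returns outcome per case."""
    sp = BrokerSP()
    results = {}
    # 1. Conforming IdP: RelayState comes back untouched, login completes.
    req = sp.start_login("hrhelperNav", now=0)
    results["verbatim"] = sp.finish_login(idp_respond(req), now=5)
    # 2. Replay of the same response: the code was consumed, so it is rejected.
    results["replay"] = sp.finish_login(idp_respond(req), now=6)
    # 3. IdP that truncates RelayState (last character lost).
    req = sp.start_login("hrhelperNav", now=10)
    results["truncated"] = sp.finish_login(idp_respond(req, lambda s: s[:-1]), now=12)
    # 4. IdP that substitutes its own default return URL for RelayState.
    req = sp.start_login("hrhelperNav", now=20)
    results["replaced"] = sp.finish_login(idp_respond(req, lambda s: "https://sp.example/"), now=21)
    # 5. IdP that drops RelayState from the POST form entirely.
    req = sp.start_login("hrhelperNav", now=25)
    results["dropped"] = sp.finish_login(idp_respond(req, lambda s: None), now=26)
    # 6. Correct echo, but the response arrives after the SP's timeout.
    req = sp.start_login("hrhelperNav", now=30)
    results["late"] = sp.finish_login(idp_respond(req), now=30 + 301)
    # 7. Two browsers logging in at the same time (same IdP account or not):
    #    each has its own RelayState, so both complete, in either order.
    a = sp.start_login("clientA", now=40)
    b = sp.start_login("clientB", now=40)
    results["concurrent"] = (sp.finish_login(idp_respond(b), now=41),
                             sp.finish_login(idp_respond(a), now=42))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>10}: {outcome}")
```

The useful observation for a practitioner is that every mangled, dropped or replayed RelayState collapses into the same "invalid_code" outcome on the SP side, which is why the broker cannot tell from its own log which of those the IdP did; a capture of the POST form the IdP returns (RelayState compared with the value in the outgoing AuthnRequest) is what shows it.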

On Saturday, January 16, 2016 9:34 PM, Mai Zi <ornot2008 at yahoo.com> wrote:

One observation from keycloak log is as below:
2016-01-16 18:12:33,067 WARN  [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
	at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
	at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
	at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
	at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)

In this case, we used the same account to log in from different clients at the same time. That is, we may use the browsers on two machines to try to log in to the same IdP account. I am not sure whether this is a legal case or not.
Thanks a lot

On Saturday, January 16, 2016 1:26 PM, Mai Zi <ornot2008 at yahoo.com> wrote:

We use 1.7.0 Final as SP to broker a SAML 2.0 IdP. We secure the realm for several clients. Here is the demo link: http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en
The test account is:
ID: S2\Testnew2
Password: Daksh at 123
We found that Keycloak does not work stably. The response will be dead from time to time.
Please take a try and help us. Let me know what info you need.

Mai
