[keycloak-user] Keycloak with EZproxy

Ricardo Chu pygator at linux.com
Sat Nov 5 09:36:33 EDT 2016


Here is the trace output of this problem:
https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem

This log includes the startup of keycloak and the login attempt.  The login
fails and the message "invalid requester" is displayed in the browser.

The trace shows the "Invalid signature on document" message.
Line 5211 says "Cannot find Signature element".

Any idea what may cause this?

Rick

On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> "XML External Entity switches are not supported.  You may get XML injection
> vulnerabilities." is just a warning and shouldn't have anything to do with
> the issue.
>
> Try enabling trace logging for org.keycloak and see if you get any more
> details.
>
> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz at flvc.org> wrote:
>
> > Thanks.
> >
> >
> >
> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
> > following log entries on the Keycloak server:
> >
> >
> >
> > 2016-09-23 08:44:09,842 WARN  [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported.  You may get XML injection vulnerabilities.
> >
> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
> >         at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
> >         at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
> >         at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
> >         at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
> >         at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
> >         at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> >         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> >         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> >         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> >         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> >         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> >         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> >         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> >         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> >         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> >         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> >         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> >         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> >         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >         at java.lang.Thread.run(Thread.java:745)
> >
> > 2016-09-23 08:44:10,075 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
> >
> >
> >
> > I have verified that the keys on the client match the server.  Do the
> > XML External Entities have something to do with this?
> >
> >
> >
> > Any help is appreciated.
> >
> >
> >
> > Thanks,
> >
> > Bill
> >
> >
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Thursday, September 08, 2016 2:31 AM
> > *To:* Bill Kuntz
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
> >
> >
> >
> > Not sure what they mean about "authentication sequence identical to a
> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
> > so it should be possible to adapt the SAML configuration for the client to
> > make it work with EZProxy.
> >
> >
> >
> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz at flvc.org> wrote:
> >
> > Has anyone successfully used Keycloak with OCLC's EZProxy?  We have been
> > experimenting with Keycloak, and have been able to get it working with
> > other SPs, but not EZProxy.
> >
> > OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
> > systems if and only if that system uses an authentication sequence
> > identical to a standard Shibboleth Identity Provider (IDP)."
> >
> > Thanks,
> > Bill
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>


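The "Cannot find Signature element" message in the trace suggests a structural check that fails before any key is compared: the IdP looks for an enveloped ds:Signature on the posted document and finds none. As an added diagnostic (not code from this thread, Keycloak or EZproxy), the script below decodes a POST-binding SAMLRequest value and reports whether that element is present and bound to the request ID, so an unsigned request can be told apart from a genuine key mismatch before anyone touches the IdP's client-signature requirement. The issuer URL, request ID and both sample messages are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 protocol messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_request(saml_request_b64: str) -> dict:
    """Decode a POST-binding SAMLRequest value and report whether the document carries
    an enveloped ds:Signature bound to the root ID. Structural check only: it does not
    verify the signature value. ElementTree still expands internal entities, so run it
    on messages you captured yourself (or parse with defusedxml for untrusted input)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    issuer = root.find("saml:Issuer", NS)
    report = {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "signed": False,
        "reference_matches_id": False,
    }
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        report["signed"] = True
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        report["reference_matches_id"] = uri == "#" + (root.get("ID") or "")
    return report

def diagnose(report: dict) -> str:
    """Say what an IdP that insists on signed requests would conclude from the report."""
    if not report["signed"]:
        return "unsigned: no ds:Signature element, so verification fails before any key is consulted"
    if not report["reference_matches_id"]:
        return "signed, but the Reference URI does not point at the request ID"
    return "signed: enveloped signature present and bound to the request ID"

def _sample(signature_xml: str) -> str:
    """Build a constructed, base64-encoded AuthnRequest (not any real SP's message)."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" '
           'ID="_req1" Version="2.0" IssueInstant="2016-09-23T12:44:09Z">'
           '<saml:Issuer>https://sp.example.org/sp</saml:Issuer>{sig}</samlp:AuthnRequest>'
           ).format(sig=signature_xml, **NS)
    return base64.b64encode(xml.encode()).decode()

UNSIGNED_REQUEST = _sample("")
SIGNED_REQUEST = _sample('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_req1"/></ds:SignedInfo>'
                         '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
```

Feed it the raw SAMLRequest form field from a captured POST to the IdP; if it reports "unsigned", the fix belongs on the SP side or in the IdP's signature requirement for that client, not in the keys.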