[keycloak-user] Keycloak with EZproxy

Stian Thorgersen sthorger at redhat.com
Thu Nov 10 06:37:47 EST 2016


Looks like a bug on our end. If the request includes NameIDPolicy but the
format is missing, it'll throw an NPE:

https://github.com/keycloak/keycloak/blob/2.2.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlService.java#L262

Format is optional so we should handle this. You can create a JIRA for it
and we'll fix. In the meantime, if you can get it to include a format or
don't include the NameIDPolicy it may work.

On 8 November 2016 at 14:38, Ricardo Chu <pygator at linux.com> wrote:

> Stian,
> We set the "Client Signature Required" to off. See print screen here:
> https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk
>
> I restarted keycloak and attempted to log in via ezproxy.  It looks like we
> get a little further down the login process but now get an NPE.
>
> You can see the log excerpt here:
> https://bitbucket.org/snippets/rachu/ddRze
>
> Rick
>
> On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> First guess is that EZProxy is not signing the login assertion and the
>> client is configured in KC admin console to require signatures. Try turning
>> "Client Signature Required" off for the client in the Keycloak admin
>> console.
>>
>> On 5 November 2016 at 14:36, Ricardo Chu <pygator at linux.com> wrote:
>>
>>> Here is the trace output of this problem:
>>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>>
>>> This log includes the startup of keycloak and the login attempt.  The
>>> login fails and the message "invalid requester" is displayed in the
>>> browser.
>>>
>>> The trace shows the "Invalid signature on document" message.
>>> Line 5211 says "Cannot find Signature element".
>>>
>>> Any idea what may cause this?
>>>
>>> Rick
>>>
>>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> "XML External Entity switches are not supported.  You may get XML
>>>> injection vulnerabilities." is just a warning and shouldn't have anything
>>>> to do with the issue.
>>>>
>>>> Try enabling trace logging for org.keycloak and see if you get any more
>>>> details.
>>>>
>>>> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz at flvc.org> wrote:
>>>>
>>>> > Thanks.
>>>> >
>>>> >
>>>> >
>>>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>>>> > following log entries on the Keycloak server:
>>>> >
>>>> > 2016-09-23 08:44:09,842 WARN  [org.keycloak.saml.common] (default task-1)
>>>> > XML External Entity switches are not supported.  You may get XML injection
>>>> > vulnerabilities.
>>>> >
>>>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService]
>>>> > (default task-1) request validation failed:
>>>> > org.keycloak.common.VerificationException: Invalid signature on document
>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>>>> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>>>> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> >     at java.lang.Thread.run(Thread.java:745)
>>>> >
>>>> > 2016-09-23 08:44:10,075 WARN  [org.keycloak.events] (default task-1)
>>>> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null,
>>>> > ipAddress=192.168.33.51, error=invalid_signature
>>>> >
>>>> >
>>>> >
>>>> > I have verified that the keys on the client match the server.  Do the
>>>> > XML External Entities have something to do with this?
>>>> >
>>>> >
>>>> >
>>>> > Any help is appreciated.
>>>> >
>>>> >
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Bill
>>>> >
>>>> >
>>>> >
>>>> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
>>>> > *Sent:* Thursday, September 08, 2016 2:31 AM
>>>> > *To:* Bill Kuntz
>>>> > *Cc:* keycloak-user at lists.jboss.org
>>>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>>>> >
>>>> >
>>>> >
>>>> > Not sure what they mean about "authentication sequence identical to a
>>>> > standard Shibboleth Identity Provider", but Keycloak is pretty
>>>> > configurable so it should be possible to adapt the SAML configuration
>>>> > for the client to make it work with EZProxy.
>>>> >
>>>> >
>>>> >
>>>> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz at flvc.org> wrote:
>>>> >
>>>> > Has anyone successfully used Keycloak with OCLC's EZProxy?  We have
>>>> > been experimenting with Keycloak, and have been able to get it working
>>>> > with other SPs, but not EZProxy.
>>>> >
>>>> > OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
>>>> > systems if and only if that system uses an authentication sequence
>>>> > identical to a standard Shibboleth Identity Provider (IDP)."
>>>> >
>>>> > Thanks,
>>>> > Bill
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> >
>>>> >
>>>>
>>>
>>>
>>
>
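The thread hits two distinct failures on the same AuthnRequest: first "Invalid signature on document" / "Cannot find Signature element" because EZproxy sends an unsigned request while the Keycloak client has "Client Signature Required" on, then an NPE because the request carries a NameIDPolicy with no Format attribute. Below is an added diagnostic (not Keycloak or EZproxy code, written for this page in plain Python with only the standard library) that decodes the SAMLRequest form field of an HTTP-POST binding and reports exactly those two properties, so an admin can see which fix applies before touching the client settings. The hostnames, request IDs and sample requests in it are constructed for the example.

```python
"""Diagnostic for the two failures seen in this thread, run against the
SAMLRequest form field of an HTTP-POST binding AuthnRequest.  Added
example using only the Python standard library; it is not Keycloak or
EZproxy code, and the hostnames below are made up."""
import base64
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Format is optional on NameIDPolicy; SAML 2.0 core treats an omitted
# Format like "unspecified", i.e. the IdP may pick any identifier kind.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def decode_post_binding(saml_request_param: str) -> ET.Element:
    """Decode the SAMLRequest field of the HTTP-POST binding (plain base64,
    no DEFLATE; DEFLATE is only used by the HTTP-Redirect binding).
    A DOCTYPE never belongs in a SAML message, so reject it before parsing:
    expat does not fetch external entities, but refusing the DTD outright
    removes the XXE question the WARN line in the thread hints at."""
    raw = base64.b64decode(saml_request_param, validate=True)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declaration in SAML message")
    return ET.fromstring(raw)


def has_document_signature(root: ET.Element) -> bool:
    """True if the AuthnRequest carries an enveloped ds:Signature.
    This presence check is what 'Cannot find Signature element' failed on
    while 'Client Signature Required' was on; it says nothing about whether
    the signature is valid, which Keycloak verifies separately."""
    return root.find("ds:Signature", NS) is not None


def nameid_format(root: ET.Element) -> Optional[str]:
    """Requested NameID format, tolerating a NameIDPolicy with no Format.
    None  -> no NameIDPolicy at all (the IdP falls back to its own setting).
    Dereferencing policy.get("Format") without a default is the shape of
    bug that NPEs when the attribute is absent; defaulting is the fix."""
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("Format", UNSPECIFIED)


def diagnose(saml_request_param: str) -> dict:
    """Summarise the fields an admin needs to choose between 'make the SP
    sign its requests' and 'turn Client Signature Required off'."""
    root = decode_post_binding(saml_request_param)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: " + root.tag)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "signed": has_document_signature(root),
        "nameid_format": nameid_format(root),
    }


def _b64(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


# Constructed request header; ezproxy.example.edu is a made-up SP host.
_HEAD = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" '
    'IssueInstant="2016-11-08T14:38:00Z" '
    'AssertionConsumerServiceURL="https://ezproxy.example.edu/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://ezproxy.example.edu/shibboleth</saml:Issuer>'
)

# Constructed sample 1: unsigned, NameIDPolicy present but without Format.
# This is the request shape that produced both errors in the thread.
UNSIGNED_NO_FORMAT = _b64(_HEAD + '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>')

# Constructed sample 2: a ds:Signature element is present (an empty
# placeholder here, not a real signature) and Format is given explicitly.
SIGNED_TRANSIENT = _b64(
    _HEAD
    + "<ds:Signature/>"
    + '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>'
    + "</samlp:AuthnRequest>"
)

# Constructed sample 3: no NameIDPolicy at all.
NO_POLICY = _b64(_HEAD + "</samlp:AuthnRequest>")

if __name__ == "__main__":
    for name, req in (("unsigned / no Format", UNSIGNED_NO_FORMAT),
                      ("signed / transient", SIGNED_TRANSIENT),
                      ("no NameIDPolicy", NO_POLICY)):
        print(name, diagnose(req))
```

To use it on a live login, copy the SAMLRequest value out of the browser's POST to Keycloak's SAML endpoint and pass it to diagnose(). If "signed" comes back False, turning "Client Signature Required" off is the only way Keycloak will accept the request, but note what that gives up: Keycloak will then accept an unsigned AuthnRequest from anyone who names this client as Issuer, so the response URL allowlist configured on the client becomes the only thing tying the request to the real EZproxy and should be kept exact.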

