[keycloak-user] Keycloak with EZproxy

Ricardo Chu pygator at linux.com
Tue Nov 22 21:14:53 EST 2016


Stian,
I created a JIRA for this problem:
https://issues.jboss.org/browse/KEYCLOAK-3950

We will try your other suggestions too.

Rick

On Thu, Nov 10, 2016 at 6:37 AM, Stian Thorgersen <sthorger at redhat.com> wrote:

> Looks like a bug on our end. If the request includes NameIDPolicy but the
> format is missing, it'll throw an NPE:
>
> https://github.com/keycloak/keycloak/blob/2.2.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlService.java#L262
>
> Format is optional so we should handle this. You can create a JIRA for it
> and we'll fix. In the meantime, if you can get it to include a format or
> don't include the NameIDPolicy it may work.
>
> On 8 November 2016 at 14:38, Ricardo Chu <pygator at linux.com> wrote:
>
>> Stian,
>> We set the "Client Signature Required" to off. See print screen here:
>> https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk
>>
>> I restarted keycloak and attempted to log in via ezproxy.  It looks like
>> we get a little further down the login process but now get an NPE.
>>
>> You can see the log excerpt here: https://bitbucket.org/snippets/rachu/ddRze
>>
>> Rick
>>
>> On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>>> First guess is that EZProxy is not signing the login assertion and the
>>> client is configured in KC admin console to require signatures. Try turning
>>> "Client Signature Required" off for the client in the Keycloak admin
>>> console.
>>>
>>> On 5 November 2016 at 14:36, Ricardo Chu <pygator at linux.com> wrote:
>>>
>>>> Here is the trace output of this problem:
>>>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>>>
>>>> This log includes the startup of keycloak and the login attempt.  The
>>>> login fails and the message "invalid requester" is displayed in the
>>>> browser.
>>>>
>>>> The trace shows the "Invalid signature on document" message.
>>>> Line 5211 says "Cannot find Signature element".
>>>>
>>>> Any idea what may cause this?
>>>>
>>>> Rick
>>>>
>>>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>
>>>>> "XML External Entity switches are not supported.  You may get XML
>>>>> injection vulnerabilities." is just a warning and shouldn't have anything
>>>>> to do with the issue.
>>>>>
>>>>> Try enabling trace logging for org.keycloak and see if you get any more
>>>>> details.
>>>>>
>>>>> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz at flvc.org> wrote:
>>>>>
>>>>> > Thanks.
>>>>> >
>>>>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>>>>> > following log entries on the Keycloak server:
>>>>> >
>>>>> > 2016-09-23 08:44:09,842 WARN  [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported.  You may get XML injection vulnerabilities.
>>>>> >
>>>>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>>>>> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>>>>> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> >     at java.lang.Thread.run(Thread.java:745)
>>>>> >
>>>>> > 2016-09-23 08:44:10,075 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
>>>>> >
>>>>> > I have verified that the keys on the client match the server.  Do the
>>>>> > XML External Entities have something to do with this?
>>>>> >
>>>>> > Any help is appreciated.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Bill
>>>>> >
>>>>> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
>>>>> > *Sent:* Thursday, September 08, 2016 2:31 AM
>>>>> > *To:* Bill Kuntz
>>>>> > *Cc:* keycloak-user at lists.jboss.org
>>>>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>>>>> >
>>>>> > Not sure what they mean about "authentication sequence identical to a
>>>>> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
>>>>> > so it should be possible to adapt the SAML configuration for the client to
>>>>> > make it work with EZProxy.
>>>>> >
>>>>> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz at flvc.org> wrote:
>>>>> >
>>>>> > Has anyone successfully used Keycloak with OCLC's EZProxy?  We have been
>>>>> > experimenting with Keycloak, and have been able to get it working with
>>>>> > other SPs, but not EZProxy.
>>>>> >
>>>>> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO
>>>>> > systems if and only if that system uses an authentication sequence
>>>>> > identical to a standard Shibboleth Identity Provider (IDP)."
>>>>> >
>>>>> > Thanks,
>>>>> > Bill
>>>>> >
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
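The two IdP-side checks this thread turns on, as an added Python example that is not part of the thread or of Keycloak's code: the signature requirement that the "Client Signature Required" switch governs (the "Cannot find Signature element" / error=invalid_signature outcome), and null-safe handling of the optional NameIDPolicy Format attribute that Stian identifies as the NPE cause. The AuthnRequest samples are constructed; the format URIs and the rule that an omitted Format means "any format" come from SAML 2.0 Core 3.4.1.1.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# SAML 2.0 Core 3.4.1.1: when NameIDPolicy/@Format is omitted the IdP may choose
# any format, i.e. the request behaves as if it asked for "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def authn_request(body):
    """Wrap `body` in a minimal unsigned AuthnRequest (constructed sample data)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed-id" Version="2.0" IssueInstant="2016-09-23T12:44:09Z">'
        f"{body}</samlp:AuthnRequest>"
    )


def format_unsafe(xml_text):
    """The failure mode the thread describes: dereferencing an optional attribute
    that is absent. With NameIDPolicy present but no Format, .get() returns None
    and .lower() raises AttributeError, the Python analogue of the Java NPE."""
    policy = ET.fromstring(xml_text).find("samlp:NameIDPolicy", NS)
    return policy.get("Format").lower()


def check_request(xml_text, client_signature_required):
    """Decide how an IdP should treat an AuthnRequest, covering both checks the
    thread turns on: the per-client signature requirement and the optional
    NameIDPolicy/@Format. Returns a dict and never raises on a well-formed
    request, which is what the bug report asks for."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", NS) is not None
    if client_signature_required and not signed:
        # Unsigned request against a client that demands signatures: the
        # "Cannot find Signature element" / error=invalid_signature outcome.
        return {"accepted": False, "error": "invalid_signature"}

    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        name_id_format = None  # no policy element: the client's default applies
    else:
        # Supplying a default is the null-safe handling of the optional attribute.
        name_id_format = policy.get("Format", UNSPECIFIED)
    return {"accepted": True, "signed": signed, "name_id_format": name_id_format}
```

Turning the flag off, as Stian suggests, moves a request like EZproxy's from the first return to the second, which is exactly where the missing Format then has to be handled.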

