[keycloak-user] Debug Keycloak SAML adapter for an issue

Pulkit Gupta pulgupta at redhat.com
Mon May 22 10:28:23 EDT 2017


Thanks Hynek,

However, it didn't solve my issue.
The method in question is

protected AuthOutcome handleSamlResponse(String samlResponse, String relayState, OnSessionCreated onCreateSession) {

    SAMLDocumentHolder holder = null;
    boolean postBinding = false;
    String requestUri = facade.getRequest().getURI();
    if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
        int index = requestUri.indexOf('?');
        if (index > -1) {
            requestUri = requestUri.substring(0, index);
        }
        holder = extractRedirectBindingResponse(samlResponse);
    } else {
        postBinding = true;
        holder = extractPostBindingResponse(samlResponse);
    }
    final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
    // validate destination
    if (!requestUri.equals(statusResponse.getDestination())) {
        log.error("Request URI does not match SAML request destination");
        return AuthOutcome.FAILED;
    }

What I am trying to find out is what the values of requestUri and
statusResponse.getDestination() are, so that I can then check my redirect
rules effectively.

Regards,
Pulkit

On Mon, May 22, 2017 at 5:47 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> You can enable TRACE logging on org.keycloak.saml package to see the
> whole parsed / generated SAML documents (together with lots of other
> stuff). On WildFly/EAP you can use the following jboss-cli.sh command:
>
> /subsystem=logging/logger=org.keycloak.saml:add(level=TRACE)
>
> You can also capture the requests at the client or the reverse proxy
> and decode SAML requests/responses manually.
>
> --Hynek
>
> On Mon, May 22, 2017 at 1:28 PM, Pulkit Gupta <pulgupta at redhat.com> wrote:
> > Hi All,
> >
> > I am getting an error for one of my SAML-enabled applications in one of
> > our environments.
> >
> > "Request URI does not match SAML request destination"
> >
> >
> > It seems to be an issue with the reverse proxy, but I want to debug it to
> > find some more information about it. I checked the class
> > "*AbstractSamlAuthenticationHandler*" and can see that there is no good
> > debug logging coded. Can you please guide me on how I can gather some more
> > information about the issue at hand?
> >
> > --
> >
> > PULKIT GUPTA
> >
> > SENIOR SOFTWARE APPLICATIONS ENGINEER
> >
> > Red Hat IN IT GBD <https://www.redhat.com/>
> >
> > Pune - India
> >
> > pulgupta at redhat.com    T: +91-2066817536
> > <http://redhatemailsignature-marketing.itos.redhat.com/>     IM: pulgupta
> > <https://red.ht/sig>



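Added example, not part of the original thread and not Keycloak code: one way to follow the suggestion of decoding a captured SAML response manually and then repeating the comparison from the quoted handleSamlResponse excerpt. The function names, the example.com URLs and the sample message are constructed, and the request URL is assumed to be the one the application server sees behind the proxy (for instance from its access log).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote


def decode_saml_message(value, redirect_binding=False):
    """Decode a captured SAMLResponse parameter into its XML bytes."""
    raw = base64.b64decode(unquote(value))
    if redirect_binding:
        # HTTP-Redirect binding: raw DEFLATE stream without a zlib header.
        raw = zlib.decompress(raw, -15)
    if b"<!DOCTYPE" in raw.upper():
        # SAML messages carry no DTD; refuse rather than expand entities.
        raise ValueError("DOCTYPE found in SAML message")
    return raw


def destination_check(saml_xml, request_url, method="POST"):
    """Repeat the comparison from the quoted handleSamlResponse excerpt."""
    destination = ET.fromstring(saml_xml).get("Destination")
    request_uri = request_url
    if method.upper() == "GET":
        # The excerpt strips the query string for GET requests only.
        request_uri = request_url.split("?", 1)[0]
    return {
        "request_uri": request_uri,
        "destination": destination,
        "match": request_uri == destination,
    }


# Constructed sample: the IdP addressed the public https URL, while the
# application behind a TLS-terminating proxy sees an http URL.
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0" '
    b'Destination="https://app.example.com/saml"/>'
)
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    xml_bytes = decode_saml_message(SAMPLE_POST_VALUE)
    print(destination_check(xml_bytes, "http://app.example.com/saml"))
```

The returned dictionary shows both strings side by side, so a scheme, host, port or path difference introduced by the proxy is visible directly.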