[keycloak-user] Debug Keycloak SAML adapter for an issue
John Dennis
jdennis at redhat.com
Mon May 22 11:06:04 EDT 2017
On 05/22/2017 07:28 AM, Pulkit Gupta wrote:
> Hi All,
>
> I am getting an error for one of my SAML-enabled applications in one of our
> environments.
>
> "Request URI does not match SAML request destination"
>
>
> It seems to be an issue with the reverse proxy but I want to debug it to
> find some more information about it. I checked the class
> "*AbstractSamlAuthenticationHandler*" and can see that there is no good
> debug logging coded. Can you please guide me on how I can gather some more
> information about the issue at hand.
>
>
When behind a proxy, load balancer or SSL terminator, an invalid
destination error is usually caused by the web server not properly
identifying itself. For services hosted by Apache this can be fixed by
utilizing the ServerName and UseCanonicalName directives in the
VirtualHost section. The ServerName *must* be fully qualified with the
*scheme*, host, and *port*, not just the host. See this section of Red
Hat documentation on configuring Apache SAML SPs as clients of Keycloak.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/federate_with_identity_service/#serverhost-name
The easiest way to debug these issues is to read the SAML messages.
Since typically most people use SAML for WebSSO, the browser has access
to both the request and response SAML messages. Each of the major
browsers has plugins to display the SAML messages. With Firefox use
SAMLTracer; Chrome has at least 3 different SAML plugins. Just make sure
SAML encryption is turned off, as the plugins cannot decrypt. You'll want
to examine the URLs in both the request and response and make sure they
line up. If they don't, it should be obvious who is not sending the
expected URL.
--
John
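The comparison John describes, as an added example that is not part of the thread or of Keycloak's adapter: decode the base64 SAMLResponse a browser plugin would show you, pull out its Destination, and compare it with the request URI an SP rebuilds from the scheme, host and port it believes it is serving on. The SAML Response, the hostnames (app.internal, app.example.com) and the paths are constructed for this demo; the component-wise comparison that fills in default ports is this example's own choice and is slightly more lenient than a plain string compare.

```python
"""Compare a SAML message's Destination with the SP's reconstructed request URI.

Added example, not code from the mailing-list thread or from Keycloak.
All hostnames, paths and the SAML Response below are constructed.
"""
import base64
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed SAML Response, as an IdP would POST it to the SP's ACS
# (unsigned, unencrypted, trimmed to the parts that matter here).
_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_demo-1" Version="2.0" IssueInstant="2017-05-22T11:00:00Z" '
    'Destination="https://app.example.com/saml/acs">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
SAML_RESPONSE_B64 = base64.b64encode(_RESPONSE_XML.encode()).decode()


def destination_from_saml(b64: str) -> str:
    """Decode a base64 SAMLResponse/SAMLRequest form field and return its Destination."""
    root = ET.fromstring(base64.b64decode(b64))
    local = root.tag.rsplit("}", 1)[-1]
    if local not in ("Response", "AuthnRequest", "LogoutRequest", "LogoutResponse"):
        raise ValueError(f"unexpected SAML root element: {root.tag}")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("SAML message has no Destination attribute")
    return dest


def request_uri(scheme: str, host: str, port: int, path: str) -> str:
    """Rebuild the request URL the way an SP does, from what it knows about itself.

    Behind a TLS terminator the backend typically knows only http, its
    internal hostname and its listener port, which is exactly the problem.
    """
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def _normalize(url: str) -> tuple:
    """Split a URL into (scheme, host, port, path), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path)


def destination_matches(b64: str, scheme: str, host: str, port: int, path: str) -> dict:
    """Compare Destination with the rebuilt request URI and report which parts differ."""
    dest = destination_from_saml(b64)
    uri = request_uri(scheme, host, port, path)
    names = ("scheme", "host", "port", "path")
    mismatched = [n for n, a, b in zip(names, _normalize(dest), _normalize(uri)) if a != b]
    return {"ok": not mismatched, "destination": dest,
            "request_uri": uri, "mismatched": mismatched}


if __name__ == "__main__":
    # 1. Backend behind a TLS-terminating proxy, aware only of its own listener.
    print(destination_matches(SAML_RESPONSE_B64, "http", "app.internal", 8080, "/saml/acs"))
    # 2. Same backend once it is told its public scheme, host and port.
    print(destination_matches(SAML_RESPONSE_B64, "https", "app.example.com", 443, "/saml/acs"))
    # 3. Scheme and host fixed but port still wrong: this is why ServerName needs the port too.
    print(destination_matches(SAML_RESPONSE_B64, "https", "app.example.com", 8443, "/saml/acs"))
```

Case 1 reports scheme, host and port all differing, which is what a backend that has not been told its public identity produces; case 3 shows that fixing the scheme and host alone is not enough, matching the point that ServerName must carry the port as well. Run the same check against the AuthnRequest captured in the browser to see which side, SP or IdP, is emitting the unexpected URL.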