[keycloak-user] Keycloak as SAML Service Provider problem

Drew Weirshousky d.weirshousky at xsb.com
Mon Nov 13 15:57:18 EST 2017


Hi,
  I have Keycloak 3.2.1 set up to act as a SP and Okta as a SAML IDP.  I am trying to initiate login from Okta.  After the initial user registration Keycloak seems to fail while validating the signature on one of the SAML Responses.  The error in the browser is invalidFederatedIdentityActionMessage and the stack trace is below.

20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
        at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
        at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

The X509 certificate is the same on both ends.  Am I missing a configuration setting some place else?  Any help would be appreciated.  Some googling brings up some old bugs but I believe they are all fixed in 3.2.1.

Thanks
Drew Weirshousky
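As an added triage script (not from the original post, and not Keycloak's or Okta's code): the `verifyDocumentSignature` frame in the trace shows Keycloak checking a document-level signature, so before comparing certificates again it is worth confirming which element the IdP actually signed (the Response or only the Assertion), which algorithm it used, and whether the certificate embedded in the Signature really is the one configured on the SP side. The script uses only the standard library, reports those facts from a captured SAML Response, and does not verify the XML signature itself; the sample Response and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64_der):
    # SHA-256 over the DER bytes; works for a PEM body and for ds:X509Certificate alike
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def pem_body(pem):
    # Drop the BEGIN/END lines so the PEM body decodes the same way as ds:X509Certificate
    return "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))

def triage(response_xml, idp_cert_pem):
    """Where does each ds:Signature sit, and is its embedded cert the configured IdP cert?"""
    root = ET.fromstring(response_xml)
    expected = cert_fingerprint(pem_body(idp_cert_pem))
    report = {"response_signed": False, "assertions_signed": 0, "cert_matches": [], "algorithms": []}
    for parent in root.iter():  # iter() yields the root itself first, then every descendant
        for sig in parent.findall("ds:Signature", NS):
            local = parent.tag.split("}")[-1]  # strip the namespace from the parent's tag
            if local == "Response":
                report["response_signed"] = True
            elif local == "Assertion":
                report["assertions_signed"] += 1
            method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            if method is not None:
                report["algorithms"].append(method.get("Algorithm"))
            cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None:
                report["cert_matches"].append(cert_fingerprint(cert.text) == expected)
    return report

# Constructed sample: placeholder bytes stand in for a DER certificate, and the Response is
# trimmed to what triage() inspects. Only the Assertion carries a Signature, not the Response.
FAKE_DER_B64 = base64.b64encode(b"placeholder bytes standing in for a DER certificate").decode()
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % FAKE_DER_B64
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % FAKE_DER_B64

if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE, IDP_CERT_PEM))
```

A report with `response_signed` false but `assertions_signed` 1 means the IdP signed only the Assertion, which a document-level check will never accept no matter how the certificates compare; a `False` in `cert_matches` means the certificate in the message is not the one pasted into the SP configuration.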
