[keycloak-user] Keycloak as SAML Service Provider problem
Hynek Mlnarik
hmlnarik at redhat.com
Tue Nov 14 05:34:12 EST 2017
It's hard to say. Make sure the settings of signature algorithms match in
Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g.
via SAML Tracer or similar tool) would help.
--Hynek
On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky at xsb.com>
wrote:
> Hi,
> I have Keycloak 3.2.1 setup to act as a SP and Okta as a SAML IDP. I am
> trying to initiate login from Okta. After the initial user registration
> keycloak seems to fail while validating the signature on one of the SAML
> Responses. The error in the browser is invalidFederatedIdentityActionMessage
> and the stack trace is below.
>
> 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
>     at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>
> The X509 certificate is the same on both ends. Am I missing a
> configuration setting some place else? Any help would be appreciated.
> Some googling brings up some old bugs but I believe they are all fixed in
> 3.2.1.
>
> Thanks
> Drew Weirshousky
>
--
--Hynek
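To act on the two suggestions in the reply above (compare the signature-algorithm settings on both sides, and look at a SAML Tracer dump), here is an added example that is not Keycloak's or Okta's code and was not part of the original thread. It takes the base64 SAMLResponse POST parameter as SAML Tracer shows it, plus the PEM certificate the SP trusts (for Keycloak, the validating certificate in the SAML identity provider settings), and reports which elements carry an enveloped signature, which signature and digest algorithms they use, whether each Reference points at the element it sits in, and whether the certificate embedded in KeyInfo is the trusted one. The sample Response, its placeholder "certificates", the expected algorithm and all helper names are constructed for the example; it uses the standard library only and inspects metadata rather than verifying the signature.

```python
"""Triage a SAML HTTP-POST Response dump before blaming the SP's verifier.

Added example, not Keycloak's or Okta's code. Standard library only; it
reports signature metadata and certificate mismatches, it does not verify
the XML signature itself.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def pem_to_der(pem):
    """Strip PEM armour and return the DER bytes of a certificate."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def inspect_saml_response(saml_response_b64, trusted_pem):
    """Return one finding dict per ds:Signature in the decoded Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    trusted_fp = sha256_fingerprint(pem_to_der(trusted_pem))
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parent_of[sig]  # enveloped signature: the parent is the signed element
        sig_method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        reference = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        digest_method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestMethod")
        cert_el = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        cert_fp = None
        if cert_el is not None and cert_el.text:
            # KeyInfo carries the DER certificate base64-encoded, often line-wrapped.
            cert_fp = sha256_fingerprint(base64.b64decode("".join(cert_el.text.split())))
        findings.append({
            "signed_element": signed.tag.rsplit("}", 1)[-1],
            "signature_algorithm": None if sig_method is None else sig_method.get("Algorithm"),
            "digest_algorithm": None if digest_method is None else digest_method.get("Algorithm"),
            "reference_matches_id": reference is not None
                                    and reference.get("URI") == "#" + signed.get("ID", ""),
            "embedded_cert_fingerprint": cert_fp,
            "embedded_cert_matches_trusted": cert_fp == trusted_fp,
        })
    return findings


def triage(findings, expected_signature_algorithm):
    """Turn findings into the mismatches to fix on the IdP or SP side."""
    problems = []
    if not findings:
        problems.append("no ds:Signature present: the IdP is not signing the Response or Assertion")
    for f in findings:
        where = f["signed_element"]
        if not f["reference_matches_id"]:
            problems.append(f"{where}: Reference URI does not point at the signed element's ID")
        if f["embedded_cert_fingerprint"] is None:
            problems.append(f"{where}: no X509Certificate in KeyInfo; compare the SP's configured cert by hand")
        elif not f["embedded_cert_matches_trusted"]:
            problems.append(f"{where}: embedded certificate differs from the one configured on the SP")
        if f["signature_algorithm"] != expected_signature_algorithm:
            problems.append(f"{where}: signature algorithm {f['signature_algorithm']} "
                            f"differs from the SP's configured {expected_signature_algorithm}")
    return problems


# Constructed sample: placeholder bytes stand in for DER certificates and the
# SignatureValue is junk, which is fine because only metadata is inspected.
CERT_CURRENT_DER = b"constructed placeholder, not a real certificate: current IdP key"
CERT_STALE_DER = b"constructed placeholder, not a real certificate: stale IdP key"
TRUSTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(CERT_CURRENT_DER).decode()
               + "\n-----END CERTIFICATE-----\n")


def _signature(ref_id, algorithm, cert_der):
    return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{algorithm}"/>'
            f'<ds:Reference URI="#{ref_id}">'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '</ds:Reference></ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(cert_der).decode()}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')


# Response signed with the current key and RSA-SHA256; Assertion signed with a
# stale key and RSA-SHA1, the kind of mismatch a settings change leaves behind.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    f'xmlns:ds="{DS}" ID="_resp1" Version="2.0">'
    + _signature("_resp1", RSA_SHA256, CERT_CURRENT_DER)
    + '<saml:Assertion ID="_asrt1" Version="2.0">'
    + _signature("_asrt1", RSA_SHA1, CERT_STALE_DER)
    + '</saml:Assertion></samlp:Response>')
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    for line in triage(inspect_saml_response(SAMPLE_SAML_RESPONSE_B64, TRUSTED_PEM), RSA_SHA256):
        print(line)
```

Run against a real dump, paste the SAMLResponse value in place of the constructed one and the SP's validating certificate in place of TRUSTED_PEM. The trace in the quoted mail fails inside verifyDocumentSignature, so the finding for the Response element is the one to read first. Once the metadata lines up, verify the signature for real with a proper XML-DSig tool (for example xmlsec1 --verify with the IdP certificate as the trusted PEM and the SAML ID attribute registered via --id-attr:ID), since this script deliberately does no canonicalisation or cryptographic check.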