[keycloak-user] Keycloak as SAML Service Provider problem

Drew Weirshousky d.weirshousky at xsb.com
Tue Nov 14 10:48:30 EST 2017


Hi Hynek,

  The signature algorithm is set to RSA_SHA256 in Okta and Keycloak.  I tried validating the XML response using https://www.samltool.com/validate_response.php and it fails with "Signature validation failed. Reference validation failed", which some googling made me change Okta to use SHA1 for the Digest Algorithm.  I received the same results using SHA1.  I can't seem to find a digest setting for Keycloak, so I would assume SHA256 is being used?

  I've attached the data from the SAML trace.  These are both test servers set up to figure out how to do this.

Thanks
Drew Weirshousky

----- Original Message -----
From: "Hynek Mlnarik" <hmlnarik at redhat.com>
To: "Drew Weirshousky" <d.weirshousky at xsb.com>
Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Tuesday, November 14, 2017 5:34:12 AM
Subject: Re: [keycloak-user] Keycloak as SAML Service Provider problem

It's hard to say. Make sure the settings of signature algorithms match in
Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g.
via SAML Tracer or similar tool) would help.

--Hynek

On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky at xsb.com>
wrote:

> Hi,
>   I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IDP.  I am
> trying to initiate login from Okta.  After the initial user registration
> Keycloak seems to fail while validating the signature on one of the SAML
> Responses.  The error in the browser is invalidFederatedIdentityActionMessage
> and the stack trace is below.
>
> 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>         at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
>         at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
>         at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
>         at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
>         at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>
> The X509 certificate is the same on both ends.  Am I missing a
> configuration setting some place else?  Any help would be appreciated.
> Some googling brings up some old bugs but I believe they are all fixed in
> 3.2.1.
>
> Thanks
> Drew Weirshousky
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
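Hynek's advice above is to make sure the signature algorithms match on both sides, and Drew's "Reference validation failed" points at the per-reference digest rather than the RSA signature itself. The following script is an added example (not code from the thread, Keycloak or Okta) that reads a captured SAML Response and reports, for every ds:Signature, which element it covers and whether the declared SignatureMethod and DigestMethod identifiers match what the SP is configured to expect. The sample response is constructed for the demo; the script only compares the declared algorithm identifiers and the Reference target, it does not recompute the digest (that would need exclusive C14N).

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample (not a real Okta capture): the Assertion is signed with
# RSA-SHA256 but its Reference digest is SHA-1, one mismatch that makes an SP
# fail with "Reference validation failed" while the certificate itself is fine.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1">
  <saml:Assertion ID="id-assert-1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id-assert-1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def audit_signatures(xml_text, expected_sig=RSA_SHA256, expected_digest=SHA256):
    """One finding per ds:Reference: the element it covers, the algorithms the
    IdP declared, and every mismatch against what the SP is configured for."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            digest_alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
            # An empty URI is an enveloped signature over the whole document.
            target = root if uri == "" else by_id.get(uri.lstrip("#"))
            problems = []
            if target is None:
                problems.append("URI %r matches no element ID" % uri)
            if sig_alg != expected_sig:
                problems.append("SignatureMethod %s != expected %s" % (sig_alg, expected_sig))
            if digest_alg != expected_digest:
                problems.append("DigestMethod %s != expected %s" % (digest_alg, expected_digest))
            findings.append({
                "signed_element": target.tag.split("}")[-1] if target is not None else None,
                "signature_alg": sig_alg, "digest_alg": digest_alg, "problems": problems})
    return findings
```

Run it on the XML from a SAML tracer capture in place of SAMPLE; a finding whose `problems` list names only DigestMethod says the certificate and RSA algorithm agree and the digest setting is what to change on the IdP side.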




