[keycloak-user] Error in base64 decoding saml message

Alex Zeleznikov alex at iucc.ac.il
Sun Nov 19 01:39:15 EST 2017


Hello, we are using keycloak as a local IDP. Currently the keycloak server is being served to SPs via simplesamlphp. The connection to the simplesaml server works: a user can login and logout without issues. However, when a user tries to authenticate via an SP, the keycloak server login page shows "invalid request".
Looking at the logs I see:
`2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1 at 5917b7e5`

Here is the saml data when authenticate only via simplesaml (this works):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5"
                    Version="2.0"
                    IssueInstant="2017-11-16T07:28:00Z"
                    Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
                    AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>lQF9e0r3X8T4QbyUU9r0pjaWyPk=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>MIdx3PVLBZqUYkkg9GGUQRlpdOo8p1ajmGoUYm29JcYkPE7FYiVfgEpSj6GQ97MStUOiVJHEggFp201a40ucORqG2YG9VD7rhH0Ac7FGkO0AcqfPaVzDk+jXxiEtQZKAdTWj8UDVUtHjSg52ZKwmXyPru84gOevPgr+zs6XU7r0fWCQniwg6Dqc4E1dB5QThpj04iaMMeIHLf0dyQWPALQUtW4URMWhwLog6swGrTig/4vPh/hI7jiXB45okGjcvBJZvRLXPsS7+M6Jeu+XLK9/wCUGc05vxpK7Yn9AHnkZDer5P1b5ZaOoo0yLMe/x5tLlfWYmOO0oec4dE/5C6mw==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</samlp:AuthnRequest>


And here is the SAML data when authenticating via an SP (this doesn't work):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
                    Version="2.0"
                    IssueInstant="2017-11-16T07:09:05Z"
                    Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
                    AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_c327a0622c69920a4bdefa8a2fd98847b67cf18473">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>lss9SZraPBlGe6oR6EbuUe9bbrE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YFtlgSogdf4itNcckDhylaQNMx+nLi1MCndwvFsx9wBZFb4RTEZ05uYdK9lsIQBFIxjFnYmIil4h6CNLVoLzvdDKFZUdnY3Fpmz3p/Oo+0+ho/8gSp7bm1NlXJarMwHc36tFSKmFZb5fsGElX/1mH6NfsD2S46EmZiK7b7jYkbQVq4UaWVJ5ihvvil8FXTas5/JEUJai3X94/viglVhc5uptoBy/spRjdAnlUFSJKqmmgHWH/Dd/2ElOJiyi+z04O5lVvC5pjTWVHRxHwLlwKF/QjC3Z16cFKR4Y0Bm7uDxvQiGt5eH5Qvm96GYpLk5mV4cTlGELQbKRbECatnuS1Q==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIQBVCwaVElAxhYhZHwR0xGhzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzAeFw0xNzEwMzEwMDAwMDBaFw0yMDExMDQxMjAwMDBaMHQxCzAJBgNVBAYTAklMMREwDwYDVQQHEwhUZWwgQXZpdjEsMCoGA1UEChMjSW50ZXIgVW5pdmVyc2l0eSBDb21wdXRhdGlvbiBDZW50ZXIxCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5paWYuaXVjYy5hYy5pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCuGsVeVyl6ognK6FDnZZk0VLuA8vF0eQrOZmIyHMXV0O9tFdy5lap6cB4VvOrzUjU2vfX3baWjfy1H/9WWzb3dH2++2vBsTJ38Z5l1ot3FkjBUix9Tm7gm8IZfIRu1UMMqZ945a2I5QJWqEiXEQTCIqSxB9I2Gs9hmHmZxb+BIA3jdWOfjKCNn/gToP7WZ2ks2BfhM3NhwkMVWwE8Lnds/m8MKRoKGMDWdsuhN9nSy0Qq1A7hPhnTClFEl7Nw8eUx1pbgk8DZMJIxVq0X4h1ogeno1AJhCSpaClsVUCiGQpC9DFsB1mctnVj+gR+LOaPQPuWpXWU00u8H3GcKp59MCAwEAAaOCAccwggHDMB8GA1UdIwQYMBaAFGf9iCAUJ5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBRzclwqDCt2YJuQzNL7Q6xQSMFYvjAZBgNVHREEEjAQgg5paWYuaXVjYy5hYy5pbDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBuBggrBgEFBQcBAQRiMGAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA4BggrBgEFBQcwAoYsaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPT+syBAyrz97u7zvxk2JUjlvD5IdpXNuEwuO3hxmj8RAJ1HNKcelNi53UOGmc+bfug3BrwN4tm8e70lWbePKhLZ/wmZ0GtmC3hrQK9g6NalncY3Qq5P7mvFohWInUaXnVM0AhDNj+IzbBHT+kKiKySeDUBhE7me7Qf/g/wcICV7ukJEKwkkIs/eQgeUn20qLHSrD9ADMuMR1ezyTFDFNKGiHEN7QvlK2nXHHsYjnjs/GucT1zMYH9wRI3/HBOTvBRWNTYcUB9eHJvWC0Gscbo9itMwR6/xDaKLM3afHos4lAvlXfvLKMoW4/miNfqn1MOrmts5WJbfIlZ+4KxsMB7Q==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Scoping>
        <samlp:RequesterID>https://terena.org/sp</samlp:RequesterID>
    </samlp:Scoping>
</samlp:AuthnRequest>
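Comparing the two requests above, the only structural difference is the `samlp:Scoping` element in the second one, and `Scoping` is exactly the start element the log line names as unknown, even though the message is reported under "Error in base64 decoding". The following script is an added example and not code from the post or from Keycloak: it decodes a `SAMLRequest` parameter as carried by either the HTTP-POST binding (plain base64) or the HTTP-Redirect binding (raw DEFLATE then base64), parses it, and lists the top-level child elements that appear in a failing request but not in a known-good one. The two embedded AuthnRequests are constructed, with placeholder IDs and example.org URLs, and carry no signature; only the `Scoping`/`RequesterID` structure mirrors the page.

```python
"""Decode a SAMLRequest parameter and diff its top-level elements against a
known-good request, to find elements the IdP's parser may reject."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample requests (not the ones from the post). The second adds the
# samlp:Scoping element that only the failing request on the page contains.
WORKING_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-11-16T07:28:00Z"
    Destination="https://idp.example.org/saml"
    AssertionConsumerServiceURL="https://sp.example.org/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

FAILING_REQUEST = WORKING_REQUEST.replace(
    "</samlp:AuthnRequest>",
    "  <samlp:Scoping>\n"
    "    <samlp:RequesterID>https://upstream-sp.example.org</samlp:RequesterID>\n"
    "  </samlp:Scoping>\n"
    "</samlp:AuthnRequest>",
)


def encode_for_binding(xml_text: str, redirect: bool) -> str:
    """Produce the SAMLRequest value an SP would send for the given binding.
    HTTP-Redirect uses raw DEFLATE (no zlib header) before base64; HTTP-POST
    base64-encodes the XML directly."""
    data = xml_text.encode("utf-8")
    if redirect:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_message(encoded: str) -> bytes:
    """Return the XML bytes behind a SAMLRequest value from either binding.
    If the base64 payload already parses as XML it is the POST binding;
    otherwise inflate it as the Redirect binding's raw DEFLATE stream."""
    raw = base64.b64decode(encoded)
    try:
        ET.fromstring(raw)
        return raw
    except ET.ParseError:
        return zlib.decompress(raw, -15)


def top_level_children(xml_bytes: bytes) -> list:
    """Tags of the root's direct children in Clark notation, e.g.
    '{urn:oasis:names:tc:SAML:2.0:protocol}Scoping'. The stdlib parser does not
    resolve external entities, which is what we want for untrusted input."""
    root = ET.fromstring(xml_bytes)
    return [child.tag for child in root]


def elements_only_in(failing: bytes, working: bytes) -> list:
    """Top-level elements present in the failing request but absent from the
    working one: the first place to look when an IdP reports an unknown element."""
    known = set(top_level_children(working))
    return [tag for tag in top_level_children(failing) if tag not in known]


def diagnose(encoded_failing: str, encoded_working: str) -> list:
    """End-to-end: decode both SAMLRequest values, then diff their children."""
    return elements_only_in(
        decode_saml_message(encoded_failing), decode_saml_message(encoded_working)
    )


if __name__ == "__main__":
    failing = encode_for_binding(FAILING_REQUEST, redirect=True)
    working = encode_for_binding(WORKING_REQUEST, redirect=False)
    for tag in diagnose(failing, working):
        print("only in failing request:", tag)
```

On the page's own requests the diff would report a single entry, the protocol-namespace `Scoping` element, which narrows the problem to the SP (or the upstream SP that sets `RequesterID`) emitting an element the IdP's parser does not accept, rather than to base64 or signature handling.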

