[keycloak-user] Error in base64 decoding saml message

Hynek Mlnarik hmlnarik at redhat.com
Mon Nov 20 09:16:37 EST 2017


Please file a bug in JIRA with these details, this is an issue in parser.

On Sun, Nov 19, 2017 at 7:39 AM, Alex Zeleznikov <alex at iucc.ac.il> wrote:

> Hello, we are using keycloak as a local IDP, currently the keycloak server
> is being served to SPs via simplesamlphp, the connection to the simplesaml
> server works, a user can login and logout without issues, however, when a
> user tries to authenticate via an SP, the keycloak server login page shows
> "invalid request".
> Looking at the logs I see:
> `2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@5917b7e5`
>
> Here is the saml data when authenticate only via simplesaml (this works):
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>                     ID="_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5"
>                     Version="2.0"
>                     IssueInstant="2017-11-16T07:28:00Z"
>                     Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
>                     AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
>                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                     >
>     <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>             <ds:Reference URI="#_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>                 <ds:DigestValue>lQF9e0r3X8T4QbyUU9r0pjaWyPk=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>MIdx3PVLBZqUYkkg9GGUQRlpdOo8p1
> ajmGoUYm29JcYkPE7FYiVfgEpSj6GQ97MStUOiVJHEggFp201a40ucORqG2Y
> G9VD7rhH0Ac7FGkO0AcqfPaVzDk+jXxiEtQZKAdTWj8UDVUtHjSg52ZKwmXyPru84gOevPgr+
> zs6XU7r0fWCQniwg6Dqc4E1dB5QThpj04iaMMeIHLf0dyQWPALQUtW4URMWh
> wLog6swGrTig/4vPh/hI7jiXB45okGjcvBJZvRLXPsS7+M6Jeu+XLK9/
> wCUGc05vxpK7Yn9AHnkZDer5P1b5ZaOoo0yLMe/x5tLlfWYmOO0oec4dE/
> 5C6mw==</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIQBVCwaVElAx
> hYhZHwR0xGhzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJOTDEWMBQGA1
> UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQ
> QKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzAeFw0xNzEwMz
> EwMDAwMDBaFw0yMDExMDQxMjAwMDBaMHQxCzAJBgNVBAYTAklMMREwDwYDVQ
> QHEwhUZWwgQXZpdjEsMCoGA1UEChMjSW50ZXIgVW5pdmVyc2l0eSBDb21wdX
> RhdGlvbiBDZW50ZXIxCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5paWYuaXVjYy
> 5hYy5pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCuGsVeVy
> l6ognK6FDnZZk0VLuA8vF0eQrOZmIyHMXV0O9tFdy5lap6cB4VvOrzUjU2vf
> X3baWjfy1H/9WWzb3dH2++2vBsTJ38Z5l1ot3FkjBUix9Tm7gm8I
> ZfIRu1UMMqZ945a2I5QJWqEiXEQTCIqSxB9I2Gs9hmHmZxb+BIA3jdWOfjKCNn/
> gToP7WZ2ks2BfhM3NhwkMVWwE8Lnds/m8MKRoKGMDWdsuhN9nSy0Qq1A7hPhn
> TClFEl7Nw8eUx1pbgk8DZMJIxVq0X4h1ogeno1AJhCSpaClsVUCiGQpC9DFsB1mctnVj+gR+
> LOaPQPuWpXWU00u8H3GcKp59MCAwEAAaOCAccwggHDMB8GA1UdIwQYMBaAFG
> f9iCAUJ5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBRzclwqDCt2YJuQzNL7Q6
> xQSMFYvjAZBgNVHREEEjAQgg5paWYuaXVjYy5hYy5pbDAOBgNVHQ8BAf8EBA
> MCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0d
> HA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3JsMC+
> gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmN
> ybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHR
> wczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBuBggrBgEFBQc
> BAQRiMGAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA
> 4BggrBgEFBQcwAoYsaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkV
> OQVNTTENBMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPT+
> syBAyrz97u7zvxk2JUjlvD5IdpXNuEwuO3hxmj8RAJ1HNKcelNi53UOGmc+
> bfug3BrwN4tm8e70lWbePKhLZ/wmZ0GtmC3hrQK9g6NalncY3Qq5P7mv
> FohWInUaXnVM0AhDNj+IzbBHT+kKiKySeDUBhE7me7Qf/g/wcICV7ukJEKwkkIs/
> eQgeUn20qLHSrD9ADMuMR1ezyTFDFNKGiHEN7QvlK2nXHHsYjnjs/GucT1zMYH9wRI3/
> HBOTvBRWNTYcUB9eHJvWC0Gscbo9itMwR6/xDaKLM3afHos4lAvlXfvLKMoW4/
> miNfqn1MOrmts5WJbfIlZ+4KxsMB7Q==</ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
> </samlp:AuthnRequest>
>
>
> And here is the SAML data when authenticating via an SP (this doesn't
> work):
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>                     ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
>                     Version="2.0"
>                     IssueInstant="2017-11-16T07:09:05Z"
>                     Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
>                     AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
>                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                     >
>     <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>             <ds:Reference URI="#_c327a0622c69920a4bdefa8a2fd98847b67cf18473">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>                 <ds:DigestValue>lss9SZraPBlGe6oR6EbuUe9bbrE=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>YFtlgSogdf4itNcckDhylaQNMx+
> nLi1MCndwvFsx9wBZFb4RTEZ05uYdK9lsIQBFIxjFnYmIil4h6CNLVoLzvdD
> KFZUdnY3Fpmz3p/Oo+0+ho/8gSp7bm1NlXJarMwHc36tFSKmFZb5fsGElX/
> 1mH6NfsD2S46EmZiK7b7jYkbQVq4UaWVJ5ihvvil8FXTas5/JEUJai3X94/viglVhc5uptoBy/
> spRjdAnlUFSJKqmmgHWH/Dd/2ElOJiyi+z04O5lVvC5pjTWVHRxHwLlwKF/
> QjC3Z16cFKR4Y0Bm7uDxvQiGt5eH5Qvm96GYpLk5mV4cTlGELQbKRbECatnu
> S1Q==</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIQBVCwaVElAx
> hYhZHwR0xGhzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJOTDEWMBQGA1
> UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQ
> QKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzAeFw0xNzEwMz
> EwMDAwMDBaFw0yMDExMDQxMjAwMDBaMHQxCzAJBgNVBAYTAklMMREwDwYDVQ
> QHEwhUZWwgQXZpdjEsMCoGA1UEChMjSW50ZXIgVW5pdmVyc2l0eSBDb21wdX
> RhdGlvbiBDZW50ZXIxCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5paWYuaXVjYy
> 5hYy5pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCuGsVeVy
> l6ognK6FDnZZk0VLuA8vF0eQrOZmIyHMXV0O9tFdy5lap6cB4VvOrzUjU2vf
> X3baWjfy1H/9WWzb3dH2++2vBsTJ38Z5l1ot3FkjBUix9Tm7gm8I
> ZfIRu1UMMqZ945a2I5QJWqEiXEQTCIqSxB9I2Gs9hmHmZxb+BIA3jdWOfjKCNn/
> gToP7WZ2ks2BfhM3NhwkMVWwE8Lnds/m8MKRoKGMDWdsuhN9nSy0Qq1A7hPhn
> TClFEl7Nw8eUx1pbgk8DZMJIxVq0X4h1ogeno1AJhCSpaClsVUCiGQpC9DFsB1mctnVj+gR+
> LOaPQPuWpXWU00u8H3GcKp59MCAwEAAaOCAccwggHDMB8GA1UdIwQYMBaAFG
> f9iCAUJ5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBRzclwqDCt2YJuQzNL7Q6
> xQSMFYvjAZBgNVHREEEjAQgg5paWYuaXVjYy5hYy5pbDAOBgNVHQ8BAf8EBA
> MCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0d
> HA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3JsMC+
> gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmN
> ybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHR
> wczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBuBggrBgEFBQc
> BAQRiMGAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA
> 4BggrBgEFBQcwAoYsaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkV
> OQVNTTENBMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPT+
> syBAyrz97u7zvxk2JUjlvD5IdpXNuEwuO3hxmj8RAJ1HNKcelNi53UOGmc+
> bfug3BrwN4tm8e70lWbePKhLZ/wmZ0GtmC3hrQK9g6NalncY3Qq5P7mv
> FohWInUaXnVM0AhDNj+IzbBHT+kKiKySeDUBhE7me7Qf/g/wcICV7ukJEKwkkIs/
> eQgeUn20qLHSrD9ADMuMR1ezyTFDFNKGiHEN7QvlK2nXHHsYjnjs/GucT1zMYH9wRI3/
> HBOTvBRWNTYcUB9eHJvWC0Gscbo9itMwR6/xDaKLM3afHos4lAvlXfvLKMoW4/
> miNfqn1MOrmts5WJbfIlZ+4KxsMB7Q==</ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
>     <samlp:Scoping>
>         <samlp:RequesterID>https://terena.org/sp</samlp:RequesterID>
>     </samlp:Scoping>
> </samlp:AuthnRequest>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

--Hynek
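The element the parser chokes on, `<samlp:Scoping>`, is an optional child of `AuthnRequest` in the SAML 2.0 core schema, and the log line blames "base64 decoding" for what is really an XML parsing failure after a successful decode. The Python below is an added example written for this archive page; it is not Keycloak code and not from either poster. It keeps the two stages apart so that triage reads the right one, decodes a `SAMLRequest` for both the HTTP-POST (plain base64) and HTTP-Redirect (base64 of a raw DEFLATE stream) bindings, and parses the request with `Scoping` and its `RequesterID` children recognised while still rejecting child elements the schema does not allow. The sample request is constructed: it reuses the Issuer, Destination and RequesterID visible in the thread but omits the signature, since this example does no signature verification (a real IdP must verify before trusting any field); the function, class and constant names are this example's own.

```python
"""Decode and parse a SAML 2.0 AuthnRequest, recognising <samlp:Scoping>.

Added example, not Keycloak code. Signature verification is out of scope.
"""
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Children the SAML 2.0 core schema allows under AuthnRequest: Issuer,
# Signature and Extensions (inherited from RequestAbstractType), then the
# AuthnRequest-specific optional elements, with Scoping last.
KNOWN_CHILDREN = {
    f"{{{NS_A}}}Issuer", f"{{{NS_DS}}}Signature", f"{{{NS_P}}}Extensions",
    f"{{{NS_A}}}Subject", f"{{{NS_P}}}NameIDPolicy", f"{{{NS_P}}}Conditions",
    f"{{{NS_P}}}RequestedAuthnContext", f"{{{NS_P}}}Scoping",
}


class SamlDecodeError(ValueError):
    """Transport encoding (base64 / deflate) could not be undone."""


class SamlParseError(ValueError):
    """Decoded bytes are not an AuthnRequest this parser accepts."""


def decode_saml_request(encoded: str, binding: str) -> bytes:
    """Undo the transport encoding of a SAMLRequest parameter.

    HTTP-POST carries base64(xml); HTTP-Redirect carries base64(deflate(xml))
    as a raw DEFLATE stream without zlib header, hence wbits=-15.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise SamlDecodeError(f"base64 decoding failed: {exc}") from exc
    if binding == "HTTP-POST":
        return raw
    if binding == "HTTP-Redirect":
        try:
            return zlib.decompress(raw, -15)
        except zlib.error as exc:
            raise SamlDecodeError(f"inflate failed: {exc}") from exc
    raise SamlDecodeError(f"unsupported binding {binding!r}")


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Parse an AuthnRequest; strict about unknown children, aware of Scoping."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise SamlParseError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise SamlParseError(f"unexpected root element {root.tag}")
    unknown = [c.tag for c in root if c.tag not in KNOWN_CHILDREN]
    if unknown:
        # This is the failure the thread's log reports as a decoding error.
        raise SamlParseError(f"unknown start element(s): {unknown}")

    issuer = root.find(f"{{{NS_A}}}Issuer")
    scoping = root.find(f"{{{NS_P}}}Scoping")
    requester_ids, proxy_count = [], None
    if scoping is not None:
        requester_ids = [e.text.strip() for e in
                         scoping.findall(f"{{{NS_P}}}RequesterID") if e.text]
        if scoping.get("ProxyCount") is not None:
            proxy_count = int(scoping.get("ProxyCount"))
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "requester_ids": requester_ids,
        "proxy_count": proxy_count,
    }


# Constructed sample modelled on the failing request in the thread (no signature).
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473" Version="2.0"
    IssueInstant="2017-11-16T07:09:05Z"
    Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
  <samlp:Scoping>
    <samlp:RequesterID>https://terena.org/sp</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def demo() -> dict:
    """Encode the sample for both bindings, decode, parse, and check they agree."""
    post = base64.b64encode(SAMPLE_AUTHN_REQUEST).decode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    redirect = base64.b64encode(
        deflater.compress(SAMPLE_AUTHN_REQUEST) + deflater.flush()).decode()
    via_post = parse_authn_request(decode_saml_request(post, "HTTP-POST"))
    via_redirect = parse_authn_request(decode_saml_request(redirect, "HTTP-Redirect"))
    assert via_post == via_redirect
    return via_post


if __name__ == "__main__":
    print(demo())
```

The `RequesterID` recovered here (`https://terena.org/sp`) is exactly the information the proxying setup in the thread is trying to convey: simplesamlphp forwards the original SP's identity so the IdP can apply policy to it. An IdP that drops requests carrying this element breaks every proxied login, while one that silently ignores unknown elements loses the schema check; keeping the element list explicit and the error messages stage-specific gives operators both.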

