[keycloak-user] [External] Re: IDP SAML Processing Error

Billiet Tom Tom.Billiet at technicolor.com
Mon Aug 20 03:53:47 EDT 2018


I'm also interested in this.
We also want to make IDP initiated login (SAML) work on our application (OIDC). I've been thinking about trying out exactly the same setup as you describe. But if Keycloak would support this out-of-the-box, that would be great!

Tom

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Dmitry Telegin
Sent: Friday, August 17, 2018 11:50 PM
To: Yildirim, Suleyman <suleyman.yildirim at accenture.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] [External] Re: IDP SAML Processing Error



On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> Thanks for asking details. It is only OIDC one (https-client). When we hit https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC (https-client) though.
>
> MS ADFS --> Which Keycloak entities (clients, IDP broker) are involved here(?) --> OIDC (https-client)

You've depicted it correctly. The problem is, it currently works only if both legs are SAML:

IdP (SAML) ---> Keycloak (broker) ---> SAML Client
IdP (SAML) ---> Keycloak (broker) -x-> OIDC Client

This is partially because in the OpenID Connect spec there is no equivalent for "IdP initiated login". However, you can use the following trick to emulate it:
1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your OIDC application transparently.

Is that doable, WDYT? I mean to make the user click an auxiliary link after ADFS login?

In fact, it's not the first time I hear about this particular requirement (IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's the right time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev soon.

Cheers,
Dmitry

>
> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin <dt at acutus.pro>
> Sent: 17 August 2018 16:41
> To: Yildirim, Suleyman <suleyman.yildirim at accenture.com>; keycloak-user at lists.jboss.org
> Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Suleyman, thanks for the clarifications,
>
> So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP (ADFS).
> Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one (https-client)?
>
> Dmitry
>
> On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> > Hi Dmitry,
> >
> > I have been struggling for many days for that 😊 I have two clients and an IDP broker in Keycloak.
> >
> > https-client: Yes, this is the client that secured the application. Redirect urls point to our application (http://myapplication:8443 application). It is "resource" : "https-client" in Keycloak.json in AngularJS.
> >
> > saml client: sends SAML request via IDP broker
> > IDP broker: deals with MS ADFS requests/responses
> >
> > Regards,
> > Suleyman
> >
> > -----Original Message-----
> > From: Dmitry Telegin <dt at acutus.pro>
> > Sent: 17 August 2018 15:24
> > To: Yildirim, Suleyman <suleyman.yildirim at accenture.com>; keycloak-user at lists.jboss.org
> > Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
> >
> > Hi Suleyman, you're welcome :)
> >
> > Glad your SP-initiated SSO finally worked.
> >
> > As for IdP-initiated SSO, this is also a well-known situation.
> >
> > In a few words, it will work out of the box *only* if your Keycloak client (target application) is also using SAML.
> >
> > You mentioned some "https-client(open_id)", does that mean that the 
> > application is secured by Keycloak OpenID Connect adapter? (Don't 
> > despair, there is a workaround nevertheless.)
> >
> > Dmitry
> >
> > On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> > > Thanks a lot Dmitry,
> > >
> > > It works! When I use my application link, I can successfully get 
> > > SAML response from MS ADFS and redirected to application back. Use case is as below.
> > >
> > > However, my client wanted to test directly on their MS ADFS using their url (https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated SSO. He wrote his credentials on the login page of MS ADFS and clicked sign in. I am redirected to Keycloak IDP https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias/endpoint and get the Internal Server Error again* but with different error (attached file). I wonder if I need to change any Keycloak settings to enable that.
> > >
> > > Use case:
> > > 1. The user visits the http://myapplication:8443 application.
> > > 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document. It is redirected to the Keycloak Identity Provider, of which Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/
> > > 3. The ADFS server extracts the XML auth request document and verifies the signature. Then, user is redirected to the SAML client in Keycloak server.
> > > 4. The user enters the credentials to be authenticated.
> > > 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. User is redirected to the http://myapplication:8443 application.
> > >
> > > Regards,
> > > Suleyman
> > >
> > > -----Original Message-----
> > > From: Dmitry Telegin <dt at acutus.pro>
> > > Sent: 17 August 2018 00:49
> > > To: Yildirim, Suleyman <suleyman.yildirim at accenture.com>; keycloak-user at lists.jboss.org
> > > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
> > >
> > > Hi Suleyman,
> > >
> > > You're right, the contents of the Validating X509 Certificates box are invalid, your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards.
> > >
> > > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the <ds:X509Certificate> element and copy its value to the box verbatim.
> > >
> > > Good luck!
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > > > Hi,
> > > >
> > > > I have an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get the response from the MS ADFS server. The root cause of the error is "Caused by: java.io.IOException: Short read of DER length". So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,)". I have to use the public key and the certificates of the realm separated by comma, but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
> > > >
> > > > Details
> > > >
> > > > When I use dummy IDP of Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places.
> > > >
> > > > Regards,
> > > > Suleyman
> > > >

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
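Dmitry's advice in the quoted thread (copy the <ds:X509Certificate> value from FederationMetadata.xml verbatim) and Suleyman's "Short read of DER length" error can both be checked before touching the IdP configuration. The Python below is an added example, not code from the thread or from Keycloak: it pulls the signing certificate bodies out of a FederationMetadata.xml and runs a structural DER check over whatever would go into the Validating X509 Certificates box, comma-separated entries included. The metadata sample and its entityID host are constructed, and its certificate body is a tiny hand-built DER sequence rather than a real certificate.

```python
import base64
import xml.etree.ElementTree as ET
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed stand-in for FederationMetadata.xml: the certificate body is a
# hand-built DER SEQUENCE { INTEGER 5 }, not a real X.509 cert; host is invented.
SAMPLE_B64 = base64.b64encode(bytes.fromhex("3003020105")).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>
      {SAMPLE_B64}
    </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>"""

def idp_signing_certificates(metadata_xml):
    """Whitespace-stripped base64 body of each signing <ds:X509Certificate>."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both
            continue
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))
    return certs

def der_check(b64_body):
    """Modelled on the thread's failure: value must decode to one complete DER SEQUENCE."""
    try:
        raw = base64.b64decode(b64_body, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return "not base64 (PEM headers, commas or stray text?)"
    if len(raw) < 2 or raw[0] != 0x30:
        return "not a DER SEQUENCE"
    first, hdr = raw[1], 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if len(raw) < 2 + n:
            return "short read of DER length"
        length, hdr = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    if len(raw) < hdr + length:
        return "short read of DER length"
    return "ok" if len(raw) == hdr + length else "trailing bytes after certificate"

def check_field_value(field_value):
    """Check every comma-separated entry of the Validating X509 Certificates box."""
    return {v.strip(): der_check(v.strip()) for v in field_value.split(",")}
```

The check is structural only: a base64 public key is also a DER SEQUENCE and would pass it, so the field value still has to be the certificate body taken from the metadata.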


