[keycloak-user] SAML doesn't work when logging in through Identity Providers

Kristi Nikolla knikolla at bu.edu
Tue Feb 6 13:26:14 EST 2018


Hi,

I’ve recently set up Keycloak for SSO in our organization. I’m using two docker containers in standalone-ha with Apache as a proxy. I’ve allowed GitHub and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.

The issue is when using a SAML client.

Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.

It doesn’t work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with an "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.

The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code

Even turning on debug logging doesn’t provide anything useful.

Thank you,
Kristi Nikolla
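The one diagnostic the post has is the `org.keycloak.events` WARN line. When a node logs many of these, it helps to pull the key=value fields apart and count them per error code and per source address before going further. The script below is an added example, not part of the thread or of Keycloak itself; it assumes the line layout shown in the post (`time LEVEL [logger] (thread) key=value, ...`) and uses constructed sample lines with documentation-range IP addresses. Note that in the quoted line both `clientId` and `userId` are `null`, so the event is raised before Keycloak has resolved who is logging in; the timestamp and `ipAddress` are the only fields you can correlate against the Apache proxy's access log.

```python
"""Triage helper for Keycloak event log lines (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample lines modelled on the WARN line quoted in the post.
SAMPLE_LOG = """\
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=198.51.100.10, error=invalid_code
21:54:05,001 INFO [org.keycloak.events] (default task-31) type=LOGIN, realmId=moc, clientId=account, userId=00000000-0000-0000-0000-000000000001, ipAddress=198.51.100.11
21:55:12,413 WARN [org.keycloak.events] (default task-32) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=198.51.100.10, error=invalid_code
21:56:00,000 WARN [org.keycloak.events] (default task-33) type=LOGIN_ERROR, realmId=moc, clientId=saml-client, userId=null, ipAddress=198.51.100.12, error=invalid_user_credentials
"""

# Assumed server.log layout (as in the post):
#   HH:MM:SS,mmm LEVEL [logger] (thread) key=value, key=value, ...
_LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<fields>.*)$"
)


def parse_event_line(line):
    """Return a dict for one Keycloak event line, or None for any other line."""
    m = _LINE_RE.match(line.strip())
    if m is None or m.group("logger") != "org.keycloak.events":
        return None
    event = {k: m.group(k) for k in ("time", "level", "logger", "thread")}
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            # Keycloak prints absent values as the literal string "null".
            event[key] = None if value == "null" else value
    return event


def idp_login_errors(lines):
    """Keep only IDENTITY_PROVIDER_LOGIN_ERROR events (the type seen in the post)."""
    events = (parse_event_line(line) for line in lines)
    return [e for e in events if e and e.get("type") == "IDENTITY_PROVIDER_LOGIN_ERROR"]


def summarize(lines):
    """Count IdP login errors per error code and per source IP.

    'anonymous' counts events where neither client nor user was resolved yet,
    i.e. lines that can only be correlated by time and ipAddress.
    """
    errors = idp_login_errors(lines)
    return {
        "by_error": Counter(e.get("error") for e in errors),
        "by_ip": Counter(e.get("ipAddress") for e in errors),
        "anonymous": sum(
            1 for e in errors if e.get("userId") is None and e.get("clientId") is None
        ),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against the real `server.log` of each node separately (`summarize(open(path).read().splitlines())`); if the errors cluster on one node of the standalone-ha pair, that narrows where to look next.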