[keycloak-user] SAML doesn't work when logging in through Identity Providers

Kristi Nikolla knikolla at bu.edu
Tue Feb 6 14:06:34 EST 2018


Hi Drew,

I’m on 3.4.1.CR1. I’ll keep my eyes open for the 4.0 release. Is there an ETA?

Thank you,
Kristi

> On Feb 6, 2018, at 1:51 PM, Drew Weirshousky <d.weirshousky at xsb.com> wrote:
> 
> Hi Kristi,
> 
>  I believe there are some fixes coming for SAML in Keycloak 4.0 related to this.  I am assuming you are using Keycloak > 3.2.
> 
> Drew Weirshousky
> 
> ----- Original Message -----
> From: "Kristi Nikolla" <knikolla at bu.edu>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, February 6, 2018 1:26:14 PM
> Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
> 
> Hi,
> 
> I’ve recently set up Keycloak for SSO in our organization. I’m using two docker containers in standalone-ha with Apache as a proxy. I’ve allowed GitHub and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.
> 
> The issue is when using a SAML client.
> 
> Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.
> 
> It doesn’t work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.
> 
> The only thing that I see in the logs is:
> 21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
> 
> Even turning on debug logging doesn’t provide anything useful.
> 
> Thank you,
> Kristi Nikolla
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
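For triaging the failure described in the quoted report from the Keycloak event log, here is an added example that is not from the thread or from the Keycloak project: a small Python parser for the `org.keycloak.events` log line format shown above, run over a few constructed sample lines. It groups IDENTITY_PROVIDER_LOGIN_ERROR events by error code and lists those that arrive with neither a clientId nor a userId, which is the shape of the line quoted in the message. Only the first sample line is the one from the report; the other three lines, the `triage` helper and the reading that a client-less, user-less event means the broker callback could not be tied to a login session are my own assumptions, not a diagnosis from the thread.

```python
import re
from collections import Counter

# Constructed sample log lines in the format quoted in the thread.
# Line 1 is the one from the original message; lines 2-4 are made up to show
# a successful brokered login, a broker failure that still carries a client,
# and an unrelated login error that must be ignored.
SAMPLE_LOG = """\
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
21:55:12,004 DEBUG [org.keycloak.events] (default task-31) type=IDENTITY_PROVIDER_LOGIN, realmId=moc, clientId=account, userId=8c1e0b3a, ipAddress=10.0.0.5, identity_provider=github
21:56:40,118 WARN [org.keycloak.events] (default task-32) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=shibboleth-sp, userId=null, ipAddress=10.0.0.7, error=invalid_code
21:57:03,900 WARN [org.keycloak.events] (default task-33) type=LOGIN_ERROR, realmId=moc, clientId=shibboleth-sp, userId=null, ipAddress=10.0.0.7, error=user_not_found
"""

# Timestamp, level, logger category, thread, then the comma-separated key=value fields.
EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) \[org\.keycloak\.events\] "
    r"\((?P<thread>[^)]*)\) (?P<fields>.*)$"
)


def parse_event(line):
    """Parse one org.keycloak.events line into a dict, or return None if it is not one.

    The literal string 'null' (as in clientId=null) is mapped to None so callers
    can test for absent values instead of comparing strings.
    """
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "level": m.group("level"), "thread": m.group("thread")}
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")
        if not sep:
            continue
        event[key] = None if value == "null" else value
    return event


def parse_log(text):
    """Parse every recognisable event line in a log excerpt, skipping the rest."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def triage(events):
    """Summarise identity-broker login failures.

    Returns a Counter of error codes seen on IDENTITY_PROVIDER_LOGIN_ERROR events
    and the subset of those events that carry neither clientId nor userId. The
    latter is assumed (hypothetical reading, not from the thread) to mean the
    broker callback could not be matched to a client login session.
    """
    by_error = Counter()
    orphaned = []
    for e in events:
        if e.get("type") != "IDENTITY_PROVIDER_LOGIN_ERROR":
            continue
        by_error[e.get("error")] += 1
        if e.get("clientId") is None and e.get("userId") is None:
            orphaned.append(e)
    return {"by_error": by_error, "orphaned": orphaned}


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    print("broker login errors by code:", dict(summary["by_error"]))
    for e in summary["orphaned"]:
        print(f"{e['time']} from {e['ipAddress']}: {e['error']} with no client/user on the event")
```

Run it against a real server.log excerpt by replacing `SAMPLE_LOG` with the file contents; because `parse_event` ignores lines that do not match the event format, the rest of the log can stay in place.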
