[keycloak-user] SAML client brokering to a SAML provider

Victor Bail victor.bail at gmail.com
Tue Jul 17 21:00:22 EDT 2018 

Hi all,

I'm trying to configure a client with SAML that authenticates in a keycloak
provider going through a keycloak broker (keycloak provider and keycloak
broker are in the same server in different realms).
Client is a wildfly 11 using the keycloak-SAML adapter. Broker and provider
are using keycloak 4.1.0.
I have achieved an OIDC client connecting through the broker to the SAML
provider, but I'm not able to do it with a SAML client.

In the client, I have this configuration in the wildfly standalone.xml:

            <secure-deployment name="TestClientKeyCloakSAML.war">
                <SP entityID="Broker" sslPolicy="EXTERNAL" logoutPage="
http://localhost:8280/auth/realms/Broker/protocol/saml">
                    <Keys>
                        <Key signing="true">
                            <PrivateKeyPem></PrivateKeyPem>
                          <CertificatePem></CertificatePem>
                        </Key>
                    </Keys>
                    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256"
signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <SingleSignOnService signRequest="true"
validateResponseSignature="true" validateAssertionSignature="false"
requestBinding="POST" bindingUrl="
http://localhost:8280/auth/realms/Broker/protocol/saml"/>
                        <SingleLogoutService
validateRequestSignature="true" validateResponseSignature="true"
signRequest="true" signResponse="true" requestBinding="POST"
responseBinding="POST" postBindingUrl="
http://localhost:8280/auth/realms/Broker/protocol/saml" redirectBindingUrl="
http://localhost:8280/auth/realms/Broker/protocol/saml"/>
                    </IDP>
                </SP>
            </secure-deployment>

The Identity Provider in the broker realm has this configuration:
  -SSO service URL: http://localhost:8180/auth/realms/Athens/protocol/saml

And the SAML client has this configuration:
 -Client ID: http://localhost:8280/auth/realms/Broker
 -Client Protocol: SAML
 -Master SAML processing URL:
http://localhost:8080/TestClientKeyCloakSAML/saml


If we login from the client, we can go trough the broker and login in the
provider, but the response from the provider arrives to the broker and
returns this error:
  10:22:00,529 WARN  [org.keycloak.protocol.saml.SamlService] (default
task-20) Unknown saml response.
  10:22:00,529 WARN  [org.keycloak.protocol.saml.SamlService] (default
task-20) UserSession is not tagged as logging out.
  10:22:00,529 WARN  [org.keycloak.events] (default task-20)
type=LOGOUT_ERROR, realmId=Broker, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_logout_response

The problem is that the response is arriving to
SAMLService.BindingProtocol.handleSamlResponse and it seems that that
method only handles logout responses.

What is the configuration needed to authenticate a SAML client through a
broker to a SAML provider?

Thanks!

Victor.

More information about the keycloak-user mailing list