[keycloak-user] SAMLResponse missing InResponseTo

Chris Byron byron.chris at gmail.com
Mon Jul 23 11:37:33 EDT 2018


Good morning. I'm trying to debug an issue where my Keycloak IdP does not
include an InResponseTo attribute in the SAMLResponse after an SP-initiated
login. Are there certain conditions the AuthnRequest must satisfy before it
is included, or certain client settings in Keycloak that control it? One
thing I notice is that the Destination in the request points at
`/protocol/saml/clients/checkmarx`, which matches the client's
`saml_idp_initiated_sso_url_name` (the IdP-initiated SSO endpoint) — could
that be why the response is treated as unsolicited?

The SAMLRequest from the SP:
```
<saml2p:AuthnRequest
  AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
  AttributeConsumingServiceIndex="0"
  Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
  ID="idda5349fbbbf9483a91ec1531e52933a6"
IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
</saml2p:AuthnRequest>
```

Keycloak client configuration:
```
{
  "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
  "clientId": "https://checkmarx.corp.net",
  "rootUrl": "",
  "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
  "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": false,
  "authorizationServicesEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "true",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "true",
    "saml_idp_initiated_sso_url_name": "checkmarx",
    "saml.server.signature.keyinfo.ext": "false",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "true",
    "saml_name_id_format": "email",
    "saml.onetimeuse.condition": "false",
    "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
  },
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "useTemplateConfig": false,
  "useTemplateScope": false,
  "useTemplateMappers": false,
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
```

Thank you for any help or advice on this! Cheers,
Chris Byron

