[keycloak-user] SAMLResponse missing InResponseTo
Dmitry Telegin
dt at acutus.pro
Mon Jul 23 12:11:15 EDT 2018
Hi Chris,
According to the code, an InResponseTo attribute should be added to the response unconditionally:
https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null?
Also, which version of Keycloak are you using?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> include an InResponseTo attribute in the SAMLResponse after an SP-initiated
> login. Are there certain conditions in the Request that need to be
> satisfied before it will be included? Or certain client configurations in
> Keycloak?
>
> The SAMLRequest from the SP:
> ```
> <saml2p:AuthnRequest
>     AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
>     AttributeConsumingServiceIndex="0"
>     Destination="https://keycloak.corp.net/auth/realms/Corp/protocol/saml/clients/checkmarx"
>     ID="idda5349fbbbf9483a91ec1531e52933a6"
>     IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
>     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> </saml2p:AuthnRequest>
> ```
>
> Keycloak client configuration:
> ```
> {
>   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
>   "clientId": "https://checkmarx.corp.net",
>   "rootUrl": "",
>   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
>   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
>   "surrogateAuthRequired": false,
>   "enabled": true,
>   "clientAuthenticatorType": "client-secret",
>   "redirectUris": [],
>   "webOrigins": [],
>   "notBefore": 0,
>   "bearerOnly": false,
>   "consentRequired": false,
>   "standardFlowEnabled": true,
>   "implicitFlowEnabled": false,
>   "directAccessGrantsEnabled": false,
>   "serviceAccountsEnabled": false,
>   "authorizationServicesEnabled": false,
>   "publicClient": false,
>   "frontchannelLogout": true,
>   "protocol": "saml",
>   "attributes": {
>     "saml.assertion.signature": "false",
>     "saml.force.post.binding": "true",
>     "saml.multivalued.roles": "false",
>     "saml.encrypt": "false",
>     "saml.server.signature": "true",
>     "saml_idp_initiated_sso_url_name": "checkmarx",
>     "saml.server.signature.keyinfo.ext": "false",
>     "saml.signature.algorithm": "RSA_SHA256",
>     "saml_force_name_id_format": "false",
>     "saml.client.signature": "false",
>     "saml.authnstatement": "true",
>     "saml_name_id_format": "email",
>     "saml.onetimeuse.condition": "false",
>     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
>     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
>   },
>   "fullScopeAllowed": false,
>   "nodeReRegistrationTimeout": -1,
>   "useTemplateConfig": false,
>   "useTemplateScope": false,
>   "useTemplateMappers": false,
>   "access": {
>     "view": true,
>     "configure": true,
>     "manage": true
>   }
> }
> ```
>
> Thank you for any help or advice on this! Cheers,
> Chris Byron
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
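The thread is about the IdP side (whether Keycloak emits InResponseTo), but the reason the attribute matters is what the SP does with it: in an SP-initiated login the Response must reference the AuthnRequest ID the SP issued, and a Response with no InResponseTo is only legitimate for IdP-initiated (unsolicited) SSO. The following SP-side check is an added example, not Keycloak code and not from either poster. It assumes the SP keeps the IDs of the AuthnRequests it issued in a dict, that the Response XML is already base64-decoded, and that signature validation is done elsewhere; the request ID is the one from the quoted AuthnRequest, and the two Response documents are constructed for the example (the Keycloak Issuer value is assumed).

```python
"""SP-side InResponseTo validation for a SAML 2.0 Response.

Added example, not Keycloak or Checkmarx code. Assumptions: the SP records
the IDs of AuthnRequests it issued (dict: request ID -> issue instant); the
Response XML passed in is already base64-decoded; XML signature checking
happens before or after this step. Sample Responses below are constructed.
"""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml.ElementTree
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class SamlResponseError(ValueError):
    """Raised when the Response must be rejected."""


def validate_in_response_to(response_xml: str,
                            outstanding: Dict[str, str],
                            allow_unsolicited: bool = False) -> Optional[str]:
    """Check the Response's InResponseTo against requests this SP issued.

    Returns the matched request ID (and consumes it, so a replay fails), or
    None when an unsolicited IdP-initiated Response is accepted because the
    caller allows it. Raises SamlResponseError in every other case.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlResponseError("root element is not samlp:Response")

    irt = root.get("InResponseTo")
    if irt is None:
        # No request reference at all: legitimate only for IdP-initiated SSO.
        if allow_unsolicited:
            return None
        raise SamlResponseError("InResponseTo missing on an SP-initiated login")

    if irt not in outstanding:
        # Unknown or already-consumed ID: stale, forged or replayed Response.
        raise SamlResponseError(f"InResponseTo {irt!r} matches no outstanding AuthnRequest")

    # Bearer SubjectConfirmationData, when present, must reference the same request.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != irt:
            raise SamlResponseError("SubjectConfirmationData InResponseTo differs from Response")

    del outstanding[irt]  # one-time use: the same Response cannot be accepted twice
    return irt


# Request ID taken from the AuthnRequest quoted in the thread.
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"

# Constructed sample: a Response that correctly echoes the request ID.
# The Keycloak Issuer value is an assumption for this example.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="ID_resp_1" Version="2.0" IssueInstant="2018-07-20T23:39:40Z"
  InResponseTo="{REQUEST_ID}"
  Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs">
  <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_assert_1" Version="2.0" IssueInstant="2018-07-20T23:39:40Z">
    <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@corp.net</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
          Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample reproducing the symptom from the thread: no InResponseTo anywhere.
UNSOLICITED_RESPONSE = GOOD_RESPONSE.replace(f'InResponseTo="{REQUEST_ID}"\n', "")


def demo() -> None:
    outstanding = {REQUEST_ID: "2018-07-20T23:39:36Z"}
    print("accepted request:", validate_in_response_to(GOOD_RESPONSE, outstanding))
    for label, doc in (("replay", GOOD_RESPONSE), ("missing InResponseTo", UNSOLICITED_RESPONSE)):
        try:
            validate_in_response_to(doc, outstanding)
        except SamlResponseError as err:
            print(f"{label} rejected: {err}")


if __name__ == "__main__":
    demo()
```

The point of consuming the ID on success is that a captured Response cannot be presented a second time; and the `allow_unsolicited` switch is what an SP should flip only if it deliberately supports IdP-initiated SSO (the `saml_idp_initiated_sso_url_name` attribute in the client configuration above enables that flow on the Keycloak side).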