[keycloak-user] SAMLResponse missing InResponseTo

Chris Byron byron.chris at gmail.com
Mon Jul 23 12:21:24 EDT 2018


Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said
up front!)

I am familiar with changing logging levels of the running service using the
jboss cli, but I don't have the ability to build and step through or set
breakpoints. (If it is possible to attach a CLI debugger to a running
instance, please let me know! I have root on the host.)

I doubt this helps, but here is the SAMLResponse from the Request posted
previously:
```
<samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
    ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
    IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
            </dsig:X509Data>
            <dsig:KeyValue>
                <dsig:RSAKeyValue>
                    <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
                    <dsig:Exponent>AQAB</dsig:Exponent>
                </dsig:RSAKeyValue>
            </dsig:KeyValue>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
        IssueInstant="2018-07-20T23:39:37.055Z"
        Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
                    Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z"
            NotOnOrAfter="2018-07-20T23:40:35.055Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://checkmarx.corp.net</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
            SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute FriendlyName="Last name" Name="Last_Name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">Byron</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="First name" Name="First_Name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">Chris</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="Email" Name="Email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">chris.byron@corp.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
```

On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Chris,
>
> According to the code, an InResponseTo attribute should be added to the
> response unconditionally:
>
> https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
>
> If you're familiar with debugging, could you please check if this code
> point is reached? If yes, is the InResponseTo value not null?
>
> Also, which version of Keycloak are you using?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> > include an InResponseTo attribute in the SAMLResponse after an
> SP-initiated
> > login. Are there certain conditions in the Request that need to be
> > satisfied before it will be included? Or certain client configurations in
> > Keycloak?
> >
> > The SAMLRequest from the SP:
> > ```
> > <saml2p:AuthnRequest
> >   AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> >   AttributeConsumingServiceIndex="0"
> >   Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> >   ID="idda5349fbbbf9483a91ec1531e52933a6"
> >   IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> >   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> >   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > </saml2p:AuthnRequest>
> > ```
> >
> > Keycloak client configuration:
> > ```
> > {
> >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> >   "clientId": "https://checkmarx.corp.net",
> >   "rootUrl": "",
> >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> >   "surrogateAuthRequired": false,
> >   "enabled": true,
> >   "clientAuthenticatorType": "client-secret",
> >   "redirectUris": [],
> >   "webOrigins": [],
> >   "notBefore": 0,
> >   "bearerOnly": false,
> >   "consentRequired": false,
> >   "standardFlowEnabled": true,
> >   "implicitFlowEnabled": false,
> >   "directAccessGrantsEnabled": false,
> >   "serviceAccountsEnabled": false,
> >   "authorizationServicesEnabled": false,
> >   "publicClient": false,
> >   "frontchannelLogout": true,
> >   "protocol": "saml",
> >   "attributes": {
> >     "saml.assertion.signature": "false",
> >     "saml.force.post.binding": "true",
> >     "saml.multivalued.roles": "false",
> >     "saml.encrypt": "false",
> >     "saml.server.signature": "true",
> >     "saml_idp_initiated_sso_url_name": "checkmarx",
> >     "saml.server.signature.keyinfo.ext": "false",
> >     "saml.signature.algorithm": "RSA_SHA256",
> >     "saml_force_name_id_format": "false",
> >     "saml.client.signature": "false",
> >     "saml.authnstatement": "true",
> >     "saml_name_id_format": "email",
> >     "saml.onetimeuse.condition": "false",
> >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> >   },
> >   "fullScopeAllowed": false,
> >   "nodeReRegistrationTimeout": -1,
> >   "useTemplateConfig": false,
> >   "useTemplateScope": false,
> >   "useTemplateMappers": false,
> >   "access": {
> >     "view": true,
> >     "configure": true,
> >     "manage": true
> >   }
> > }
> > ```
> >
> > Thank you for any help or advice on this! Cheers,
> > Chris Byron
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

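The thread turns on why the SP expects an InResponseTo: in an SP-initiated login it is the only thing that binds the response to the AuthnRequest the SP actually sent, so a strict ACS endpoint treats its absence as an unsolicited response and rejects it. The checker below is an added example, not code from Keycloak, Checkmarx or anyone in this thread. It runs the correlation check an SP's ACS endpoint should apply (InResponseTo against the outstanding request ID, then Destination, Recipient, Status, validity window and Audience) over a constructed sample trimmed from the SAMLResponse posted above, using only the Python standard library. The request ID, ACS URL and audience are the values from the thread; the two clock instants are constructed; XML signature verification is assumed to have been done already by whatever SAML library is in use.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)  # keep saml/samlp prefixes when re-serialising

# Values from this thread: the SP's AuthnRequest ID, its ACS URL and its
# entity ID (the Audience the assertion must name).
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"
ACS_URL = "https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
AUDIENCE = "https://checkmarx.corp.net"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(seconds=30)  # clock-skew tolerance for the time checks

# Constructed sample: the posted SAMLResponse trimmed to what these checks read
# (Signature and AttributeStatement dropped). Like the original, no InResponseTo.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z"
  Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs">
 <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" Version="2.0" IssueInstant="2018-07-20T23:39:37.055Z">
  <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
   <saml:AudienceRestriction><saml:Audience>https://checkmarx.corp.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


# Constructed instants: a few seconds after the login, and long after everything expired.
NOW_DURING_LOGIN = parse_saml_time("2018-07-20T23:39:40Z")
NOW_MUCH_LATER = parse_saml_time("2018-07-21T00:00:00Z")


def check_response(xml_text, expected_request_id, acs_url, audience, now):
    """Reasons an SP should reject this response for an SP-initiated login;
    an empty list means every check passed. Signature verification is assumed done."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # 1. Bind the response to the request we sent; without InResponseTo the SP
    #    cannot tell a solicited response from an unsolicited or replayed one.
    irt = root.get("InResponseTo")
    if irt is None:
        problems.append("Response has no InResponseTo; expected %s" % expected_request_id)
    elif irt != expected_request_id:
        problems.append("InResponseTo %s does not match outstanding request %s" % (irt, expected_request_id))
    # 2. Addressed to this ACS endpoint, and a Success status.
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not this ACS" % root.get("Destination"))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion (EncryptedAssertion not handled here)"]
    # 3. Bearer confirmation: Recipient, expiry and (when present) InResponseTo.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r is not this ACS" % scd.get("Recipient"))
        if scd.get("InResponseTo") not in (None, expected_request_id):
            problems.append("SubjectConfirmationData InResponseTo does not match request")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")) + SKEW:
            problems.append("SubjectConfirmationData expired")
    # 4. Conditions: validity window with skew tolerance, and audience.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no saml:Conditions"]
    if cond.get("NotBefore") and now + SKEW < parse_saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")) + SKEW:
        problems.append("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append("audience %r not in %r" % (audience, audiences))
    return problems


def with_in_response_to(xml_text, request_id):
    """Copy of the response with InResponseTo set on the Response and on the
    SubjectConfirmationData, i.e. the shape the SP expected to receive."""
    root = ET.fromstring(xml_text)
    root.set("InResponseTo", request_id)
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        scd.set("InResponseTo", request_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as posted:", check_response(SAMPLE_RESPONSE, REQUEST_ID, ACS_URL, AUDIENCE, NOW_DURING_LOGIN))
    fixed = with_in_response_to(SAMPLE_RESPONSE, REQUEST_ID)
    print("with InResponseTo:", check_response(fixed, REQUEST_ID, ACS_URL, AUDIENCE, NOW_DURING_LOGIN))
```

Run as posted, the only finding is the missing InResponseTo; every other field of the response (Destination, Recipient, Audience, validity window) already matches what the SP sent. Once InResponseTo carries the AuthnRequest ID, the same checker returns an empty list, and it flags a response whose InResponseTo names a different request, which is the case the attribute exists to catch. The SP must also forget the outstanding request ID after one use so the same response cannot be presented twice.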
