[keycloak-user] SAMLResponse missing InResponseTo
Chris Byron
byron.chris at gmail.com
Mon Jul 23 18:22:10 EDT 2018
That's a bit too advanced for me. After a few hours spent trying to learn
how to do remote debugging, I returned to code examination, and found the
problem!
I was sending the SAMLRequest to the IdP initiated URL. So Keycloak ignored
the SAMLRequest in the URL and treated it like an IdP initiated login. I
should have been sending to /{realm}/protocol/saml, not
/{realm}/protocol/saml/clients/checkmarx .
On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt at acutus.pro> wrote:
> On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have
> said up front!)
>
> First and foremost, could you please try latest Keycloak (4.1.0)? Maybe
> not upgrading your main instance, but rather installing in parallel. There
> have been some changes to the SAML subsystem since 3.4.X.
>
> > I am familiar with changing logging levels of the running service using
> the jboss cli, but I don't have the ability to build and step through or
> set breakpoints. (If it is possible to attach a CLI debugger to a running
> instance, please let me know! I have root on the host.)
>
> Yes, this is possible - just rerun Keycloak with the "--debug" option, it
> will open a listener on port 8787 (use "--debug <port>" to override).
>
> Then forward this port to your box via SSH and use your favorite IDE
> to attach debugger to localhost:8787 using dt_socket transport (it could be
> also called "SocketAttach connector"). Also, obviously, you'll need to
> checkout the source tree.
>
> Basically, you'll need to determine which code path Keycloak takes to
> generate the response, and, after that, try to understand why the attribute
> is omitted.
>
> Good luck!
> Dmitry
>
> >
> > I doubt this helps, but here is the SAMLResponse from the Request posted
> previously:
> > ```
> > <samlp:Response Destination="
> https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
> IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp
> </saml:Issuer>;
> > > <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">;
> > <dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > <dsig:Reference
> URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
> > <dsig:Transforms><dsig:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
> > </dsig:Reference>
> > </dsig:SignedInfo>
> >
> <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
> > <dsig:KeyInfo>
> >
> <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
> > <dsig:X509Data>
> >
> <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
> > </dsig:X509Data>
> > <dsig:KeyValue>
> > <dsig:RSAKeyValue>
> >
> <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
> > <dsig:Exponent>AQAB</dsig:Exponent>
> > </dsig:RSAKeyValue>
> > </dsig:KeyValue>
> > </dsig:KeyInfo>
> > </dsig:Signature>
> > <samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
> > <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
> IssueInstant="2018-07-20T23:39:37.055Z"
> > Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp
> </saml:Issuer>;
> > <saml:Subject>
> > > <saml:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
> chris.byron at corp.com</saml:NameID>
> > <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> NotOnOrAfter="2018-07-20T23:44:35.055Z"
> > Recipient="
> https://checkmarx.corp.net/cxrestapi/auth/samlAcs
> "/></saml:SubjectConfirmation>;
> > </saml:Subject>
> > <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z"
> NotOnOrAfter="2018-07-20T23:40:35.055Z">
> > <saml:AudienceRestriction>
> > <saml:Audience>https://checkmarx.corp.net
> </saml:Audience>;
> > </saml:AudienceRestriction>
> > </saml:Conditions>
> > <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
> >
> SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
> > <saml:AuthnContext>
> >
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
> > </saml:AuthnContext>
> > </saml:AuthnStatement>
> > <saml:AttributeStatement>
> > <saml:Attribute FriendlyName="Last name" Name="Last_Name"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > <saml:AttributeValue xmlns:xs="
> http://www.w3.org/2001/XMLSchema"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">Byron</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute FriendlyName="First name" Name="First_Name"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > <saml:AttributeValue xmlns:xs="
> http://www.w3.org/2001/XMLSchema"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">Chris</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute FriendlyName="Email" Name="Email"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > <saml:AttributeValue xmlns:xs="
> http://www.w3.org/2001/XMLSchema"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">chris.byron at corp.com</saml:AttributeValue>
> > </saml:Attribute>
> > </saml:AttributeStatement>
> > </saml:Assertion>
> > </samlp:Response>
> > ```
> >
> > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Chris,
> > >
> > > According to the code, an InResponseTo attribute should be added to
> the response unconditionally:
> > >
> https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
> > >
> > > If you're familiar with debugging, could you please check if this code
> point is reached? If yes, is the InResponseTo value not null?
> > >
> > > Also, which version of Keycloak are you using?
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > > Good morning. I'm trying to debug an issue where my Keycloak IdP
> does not
> > > > include an InResponseTo attribute in the SAMLResponse after an
> SP-initiated
> > > > login. Are there certain conditions in the Request that need to be
> > > > satisfied before it will be included? Or certain client
> configurations in
> > > > Keycloak?
> > > >
> > > > The SAMLRequest from the SP:
> > > > ```
> > > > <saml2p:AuthnRequest
> > > > AssertionConsumerServiceURL="
> > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > AttributeConsumingServiceIndex="0"
> > > > Destination="
> > > >
> https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> > > > ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > > > > <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>;;
> > > > </saml2p:AuthnRequest>
> > > > ```
> > > >
> > > > Keycloak client configuration:
> > > > ```
> > > > {
> > > > "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > > > > > "clientId": "https://checkmarx.corp.net",
> > > > "rootUrl": "",
> > > > > "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > > > "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > > "surrogateAuthRequired": false,
> > > > "enabled": true,
> > > > "clientAuthenticatorType": "client-secret",
> > > > "redirectUris": [],
> > > > "webOrigins": [],
> > > > "notBefore": 0,
> > > > "bearerOnly": false,
> > > > "consentRequired": false,
> > > > "standardFlowEnabled": true,
> > > > "implicitFlowEnabled": false,
> > > > "directAccessGrantsEnabled": false,
> > > > "serviceAccountsEnabled": false,
> > > > "authorizationServicesEnabled": false,
> > > > "publicClient": false,
> > > > "frontchannelLogout": true,
> > > > "protocol": "saml",
> > > > "attributes": {
> > > > "saml.assertion.signature": "false",
> > > > "saml.force.post.binding": "true",
> > > > "saml.multivalued.roles": "false",
> > > > "saml.encrypt": "false",
> > > > "saml.server.signature": "true",
> > > > "saml_idp_initiated_sso_url_name": "checkmarx",
> > > > "saml.server.signature.keyinfo.ext": "false",
> > > > "saml.signature.algorithm": "RSA_SHA256",
> > > > "saml_force_name_id_format": "false",
> > > > "saml.client.signature": "false",
> > > > "saml.authnstatement": "true",
> > > > "saml_name_id_format": "email",
> > > > "saml.onetimeuse.condition": "false",
> > > > "saml_signature_canonicalization_method": "
> > > > > > http://www.w3.org/2001/10/xml-exc-c14n#",
> > > > "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer":
> > > > "KEY_ID"
> > > > },
> > > > "fullScopeAllowed": false,
> > > > "nodeReRegistrationTimeout": -1,
> > > > "useTemplateConfig": false,
> > > > "useTemplateScope": false,
> > > > "useTemplateMappers": false,
> > > > "access": {
> > > > "view": true,
> > > > "configure": true,
> > > > "manage": true
> > > > }
> > > > ```
> > > >
> > > > Thank you for any help or advice on this! Cheers,
> > > > Chris Byron
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>
More information about the keycloak-user
mailing list