[keycloak-user] SAMLResponse missing InResponseTo

Dmitry Telegin dt at acutus.pro
Mon Jul 23 21:10:06 EDT 2018


On Mon, 2018-07-23 at 16:25 -0700, Chris Byron wrote:
> Thanks, Dmitry. That said, as soon as I verified that SP-initiated was working, the opposite failure started! After doing an SP-init login, I can no longer perform IdP-init login because it sends the InResponseTo attribute when it should not!

Oh ZOMG. Do I get it right that:
- you're able to successfully login via SP-initiated SSO;
- then you try IDP-initiated via the "/{realm}/protocol/saml/clients/checkmarx" special URL;
- this results in Keycloak sending SAML response with assertion to your SP (specifically, to SP's assertion consumer URL);
- SP barfs on the irrelevant InResponseTo?

If so, probably you've found a bug. CCing our SAML guru Hynek Mlnarik.

And BTW, the situation seems to be known to other SAML implementors: https://github.com/onelogin/java-saml/issues/62

Interesting part is:

> The SAML Core spec (line 1605), and the SAML profiles spec (line 634)
> say that if the InResponseAttribute is present it MUST match the
> value of the corresponding request's ID attribute. Further section
> 4.1.5 of the SAML profiles spec says that an unsolicited response
> (i.e. IdP initiated), MUST NOT contain a InResposeTo attribute (line
> 694)

Dmitry

> 
> When I first log in to Keycloak I can do IdP-initiated login. If I log out of the service I can also do SP-initiated. But after doing a successful SP-initiated login, the Keycloak server seems to remember the SAMLRequest ID and sends it for each subsequent IdP initiated login, that is, when I use ` /{realm}/protocol/saml/clients/checkmarx`.
> 
> This persists until I log out of Keycloak. I assume it's something obvious, but any help would be appreciated.
> 
> Cheers,
> Chris
> 
> > On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
> > > That's a bit too advanced for me. After a few hours spent trying to learn how to do remote debugging, I returned to code examination, and found the problem!
> > 
> > Glad you've found the answer, and sorry for having misled you. Nevertheless, remote debugging is a must-have skill, I hope one day you'll make use of it and remember this day :)
> > 
> > > I was sending the SAMLRequest to the IdP initiated URL. So Keycloak ignored the SAMLRequest in the URL and treated it like an IdP initiated login. I should have been sending to /{realm}/protocol/saml, not /{realm}/protocol/saml/clients/checkmarx .
> > 
> > My bad, it was easy to overlook the suspicious Destination="..." in all that XML. As the doc says, "SAML tends to be a bit more verbose than OIDC." (is that "a bit" an irony?) :-D
> > 
> > Cheers and good luck with Keycloak,
> > Dmitry
> > 
> > > > > > On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> > > > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!)
> > > > 
> > > > First and foremost, could you please try latest Keycloak (4.1.0)? Maybe not upgrading your main instance, but rather installing in parallel. There have been some changes to the SAML subsystem since 3.4.X.
> > > > 
> > > > > I am familiar with changing logging levels of the running service using the jboss cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.)
> > > > 
> > > > Yes, this is possible - just rerun Keycloak with the "--debug" option, it will open a listener on port 8787 (use "--debug <port>" to override).
> > > > 
> > > > Then forward this port to your box via SSH and use your favorite IDE to attach a debugger to localhost:8787 using the dt_socket transport (it could also be called "SocketAttach connector"). Also, obviously, you'll need to check out the source tree.
> > > > 
> > > > Basically, you'll need to determine which code path Keycloak takes to generate the response, and, after that, try to understand why the attribute is omitted.
> > > > 
> > > > Good luck!
> > > > Dmitry
> > > > 
> > > > > 
> > > > > I doubt this helps, but here is the SAMLResponse from the Request posted previously:
> > > > > ```
> > > > > <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > >     ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
> > > > >     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > >     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > >     <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
> > > > >     <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> > > > >         <dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > > > >             <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
> > > > >                 <dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> > > > >                 <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
> > > > >             </dsig:Reference>
> > > > >         </dsig:SignedInfo>
> > > > >         <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
> > > > >         <dsig:KeyInfo>
> > > > >             <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
> > > > >             <dsig:X509Data>
> > > > >                 <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
> > > > >             </dsig:X509Data>
> > > > >             <dsig:KeyValue>
> > > > >                 <dsig:RSAKeyValue>
> > > > >                     <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
> > > > >                     <dsig:Exponent>AQAB</dsig:Exponent>
> > > > >                 </dsig:RSAKeyValue>
> > > > >             </dsig:KeyValue>
> > > > >         </dsig:KeyInfo>
> > > > >     </dsig:Signature>
> > > > >     <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
> > > > >     <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" IssueInstant="2018-07-20T23:39:37.055Z"
> > > > >         Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> > > > >         <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
> > > > >         <saml:Subject>
> > > > >             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron at corp.com</saml:NameID>
> > > > >             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
> > > > >                 Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/></saml:SubjectConfirmation>
> > > > >         </saml:Subject>
> > > > >         <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
> > > > >             <saml:AudienceRestriction>
> > > > >                 <saml:Audience>https://checkmarx.corp.net</saml:Audience>
> > > > >             </saml:AudienceRestriction>
> > > > >         </saml:Conditions>
> > > > >         <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
> > > > >             SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
> > > > >             <saml:AuthnContext>
> > > > >                 <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
> > > > >             </saml:AuthnContext>
> > > > >         </saml:AuthnStatement>
> > > > >         <saml:AttributeStatement>
> > > > >             <saml:Attribute FriendlyName="Last name" Name="Last_Name"
> > > > >                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > > >                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > > >                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron</saml:AttributeValue>
> > > > >             </saml:Attribute>
> > > > >             <saml:Attribute FriendlyName="First name" Name="First_Name"
> > > > >                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > > >                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > > >                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris</saml:AttributeValue>
> > > > >             </saml:Attribute>
> > > > >             <saml:Attribute FriendlyName="Email" Name="Email"
> > > > >                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > > >                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > > >                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron at corp.com</saml:AttributeValue>
> > > > >             </saml:Attribute>
> > > > >         </saml:AttributeStatement>
> > > > >     </saml:Assertion>
> > > > > </samlp:Response>
> > > > > ```
> > > > > 
> > > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > > > Hi Chris,
> > > > > > 
> > > > > > According to the code, an InResponseTo attribute should be added to the response unconditionally:
> > > > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
> > > > > > 
> > > > > > If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null?
> > > > > > 
> > > > > > Also, which version of Keycloak are you using?
> > > > > > 
> > > > > > Cheers,
> > > > > > Dmitry Telegin
> > > > > > CTO, Acutus s.r.o.
> > > > > > Keycloak Consulting and Training
> > > > > > 
> > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > > +42 (022) 888-30-71
> > > > > > E-mail: info at acutus.pro
> > > > > > 
> > > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> > > > > > > include an InResponseTo attribute in the SAMLResponse after an SP-initiated
> > > > > > > login. Are there certain conditions in the Request that need to be
> > > > > > > satisfied before it will be included? Or certain client configurations in
> > > > > > > Keycloak?
> > > > > > > 
> > > > > > > The SAMLRequest from the SP:
> > > > > > > ```
> > > > > > > <saml2p:AuthnRequest
> > > > > > >   AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > > > >   AttributeConsumingServiceIndex="0"
> > > > > > >   Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> > > > > > >   ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > > > >   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > > > >   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > > > >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > > > > > > </saml2p:AuthnRequest>
> > > > > > > ```
> > > > > > > 
> > > > > > > Keycloak client configuration:
> > > > > > > ```
> > > > > > > {
> > > > > > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > > > > >   "clientId": "https://checkmarx.corp.net",
> > > > > > >   "rootUrl": "",
> > > > > > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > > > > > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > > > > >   "surrogateAuthRequired": false,
> > > > > > >   "enabled": true,
> > > > > > >   "clientAuthenticatorType": "client-secret",
> > > > > > >   "redirectUris": [],
> > > > > > >   "webOrigins": [],
> > > > > > >   "notBefore": 0,
> > > > > > >   "bearerOnly": false,
> > > > > > >   "consentRequired": false,
> > > > > > >   "standardFlowEnabled": true,
> > > > > > >   "implicitFlowEnabled": false,
> > > > > > >   "directAccessGrantsEnabled": false,
> > > > > > >   "serviceAccountsEnabled": false,
> > > > > > >   "authorizationServicesEnabled": false,
> > > > > > >   "publicClient": false,
> > > > > > >   "frontchannelLogout": true,
> > > > > > >   "protocol": "saml",
> > > > > > >   "attributes": {
> > > > > > >     "saml.assertion.signature": "false",
> > > > > > >     "saml.force.post.binding": "true",
> > > > > > >     "saml.multivalued.roles": "false",
> > > > > > >     "saml.encrypt": "false",
> > > > > > >     "saml.server.signature": "true",
> > > > > > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > > > > > >     "saml.server.signature.keyinfo.ext": "false",
> > > > > > >     "saml.signature.algorithm": "RSA_SHA256",
> > > > > > >     "saml_force_name_id_format": "false",
> > > > > > >     "saml.client.signature": "false",
> > > > > > >     "saml.authnstatement": "true",
> > > > > > >     "saml_name_id_format": "email",
> > > > > > >     "saml.onetimeuse.condition": "false",
> > > > > > >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> > > > > > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> > > > > > >   },
> > > > > > >   "fullScopeAllowed": false,
> > > > > > >   "nodeReRegistrationTimeout": -1,
> > > > > > >   "useTemplateConfig": false,
> > > > > > >   "useTemplateScope": false,
> > > > > > >   "useTemplateMappers": false,
> > > > > > >   "access": {
> > > > > > >     "view": true,
> > > > > > >     "configure": true,
> > > > > > >     "manage": true
> > > > > > >   }
> > > > > > > }
> > > > > > > ```
> > > > > > > 
> > > > > > > Thank you for any help or advice on this! Cheers,
> > > > > > > Chris Byron
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user at lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
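The two SP-side checks this thread turns on, as an added example that is not part of the thread and not Keycloak or Checkmarx code: a service provider receiving a SAML Response should confirm that the message was delivered to its own assertion consumer URL (the Destination mix-up above), and should apply the InResponseTo rule from SAML Profiles 4.1.5 in both directions, so a response to an SP-initiated AuthnRequest must carry the outstanding request ID, while an unsolicited (IdP-initiated) response must not carry InResponseTo at all. Both failures Chris hit show up as distinct findings. The ACS URL, SP entity ID, sample timestamps and the unsigned sample Response are constructed for the example; XML signature verification, which a real SP does before any of this, is deliberately out of scope.

```python
"""SP-side checks for a SAML 2.0 Response: Destination, InResponseTo, status,
bearer SubjectConfirmationData, Conditions. Added example, not Keycloak code.
Signature verification is NOT done here; a real SP must verify it first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ACS_URL = "https://sp.example.test/saml/acs"     # assumed SP assertion consumer URL
SP_ENTITY_ID = "https://sp.example.test"          # assumed SP entityID (expected Audience)
SAMPLE_NOW = datetime(2018, 7, 20, 23, 39, 40, tzinfo=timezone.utc)  # constructed clock


def _parse_instant(value):
    """SAML instants come with or without fractional seconds; accept both."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML instant: {value!r}")


def check_response(xml_text, pending_request_id, now):
    """Return a list of problems (empty means the checks passed).

    pending_request_id is the ID of the AuthnRequest this SP issued and is still
    waiting for, or None when nothing is outstanding, in which case only an
    unsolicited (IdP-initiated) response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]

    # The response must have been sent to *our* ACS endpoint.
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not this SP's ACS URL")

    # SAML Profiles 4.1.5: InResponseTo must match our request, or be absent if unsolicited.
    irt = root.get("InResponseTo")
    if pending_request_id is None:
        if irt is not None:
            problems.append(f"unsolicited response carries InResponseTo={irt!r}")
    elif irt is None:
        problems.append("InResponseTo missing on response to an SP-initiated request")
    elif irt != pending_request_id:
        problems.append(f"InResponseTo {irt!r} does not match our request ID {pending_request_id!r}")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no assertion in response")
        return problems

    # Bearer confirmation: Recipient must be our ACS URL and the window must be open.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != ACS_URL:
            problems.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("NotOnOrAfter") and now >= _parse_instant(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData has expired")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_instant(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _parse_instant(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and SP_ENTITY_ID not in audiences:
            problems.append(f"audience {audiences!r} does not include this SP")
    return problems


def sample_response(in_response_to=None):
    """Constructed, unsigned Response shaped like the one quoted in the thread."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="ID_sample-response"
    Version="2.0" IssueInstant="2018-07-20T23:39:37.055Z" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>https://idp.example.test/auth/realms/Example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_sample-assertion" Version="2.0" IssueInstant="2018-07-20T23:39:37.055Z">
    <saml:Issuer>https://idp.example.test/auth/realms/Example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="{ACS_URL}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Chris's first failure: SP-initiated login, IdP omits InResponseTo.
    print(check_response(sample_response(), "id_req_1", SAMPLE_NOW))
    # Chris's second failure: IdP-initiated login, IdP still sends a stale InResponseTo.
    print(check_response(sample_response("id_req_1"), None, SAMPLE_NOW))
    # The two correct cases produce no findings.
    print(check_response(sample_response("id_req_1"), "id_req_1", SAMPLE_NOW))
    print(check_response(sample_response(), None, SAMPLE_NOW))
```

The pending request ID would normally be looked up from whatever the SP stored when it built the AuthnRequest (session or relay-state keyed); passing None is how the SP says "nothing outstanding", which is exactly the state in which a stale InResponseTo must be refused rather than ignored.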