[keycloak-user] SAMLResponse missing InResponseTo
Hynek Mlnarik
hmlnarik at redhat.com
Tue Jul 24 06:19:06 EDT 2018
Hi Chris,
you seem to have hit a bug. Could you please file a JIRA with this
description and set its Component to Protocol - SAML?
And thanks for your help so far, Dmitry
--Hynek
On Tue, Jul 24, 2018 at 1:33 AM Chris Byron <byron.chris at gmail.com> wrote:
> Thanks, Dmitry. That said, as soon as I verified that SP-initiated was
> working, the opposite failure started! After doing an SP-init login, I can
> no longer perform IdP-init login because it sends the InResponseTo
> attribute when it should not!
>
> When I first log in to Keycloak I can do IdP-initiated login. If I log out
> of the service I can also do SP-initiated. But after doing a successful
> SP-initiated login, the Keycloak server seems to remember the SAMLRequest
> ID and sends it for each subsequent IdP initiated login, that is, when I
> use ` /{realm}/protocol/saml/clients/checkmarx`.
>
> This persists until I log out of Keycloak. I assume it's something obvious,
> but any help would be appreciated.
>
> Cheers,
> Chris
>
> On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin <dt at acutus.pro> wrote:
>
> > On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
> >
> > That's a bit too advanced for me. After a few hours spent trying to learn
> > how to do remote debugging, I returned to code examination, and found the
> > problem!
> >
> >
> > Glad you've found the answer, and sorry for having mislead you.
> > Nevertheless, remote debugging is a must-have skill, I hope one day
> you'll
> > make use of it and remember this day :)
> >
> > I was sending the SAMLRequest to the IdP initiated URL. So
> > Keycloak ignored the SAMLRequest in the URL and treated it like an IdP
> > initiated login. I should have been sending to /{realm}/protocol/saml,
> not
> > /{realm}/protocol/saml/clients/checkmarx .
> >
> >
> > My bad, it was easy to overlook the suspicious Destination="..." in all
> > that XML. As the doc says, "SAML tends to be *a bit* more verbose than
> > OIDC." (is that "a bit" an irony?) :-D
> >
> > Cheers and good luck with Keycloak,
> > Dmitry
> >
> >
> > On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt at acutus.pro> wrote:
> >
> > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have
> > said up front!)
> >
> > First and foremost, could you please try latest Keycloak (4.1.0)? Maybe
> > not upgrading your main instance, but rather installing in parallel.
> There
> > have been some changes to the SAML subsystem since 3.4.X.
> >
> > > I am familiar with changing logging levels of the running service using
> > the jboss cli, but I don't have the ability to build and step through or
> > set breakpoints. (If it is possible to attach a CLI debugger to a running
> > instance, please let me know! I have root on the host.)
> >
> > Yes, this is possible - just rerun Keycloak with the "--debug" option, it
> > will open a listener on port 8787 (use "--debug <port>" to override).
> >
> > Then forward this port to your box via SSH and use your favorite IDE
> > to attach debugger to localhost:8787 using dt_socket transport (it could
> be
> > also called "SocketAttach connector"). Also, obviously, you'll need to
> > checkout the source tree.
> >
> > Basically, you'll need to determine which code path Keycloak takes to
> > generate the response, and, after that, try to understand why the
> attribute
> > is omitted.
> >
> > Good luck!
> > Dmitry
> >
> > >
> > > I doubt this helps, but here is the SAMLResponse from the Request
> posted
> > previously:
> > > ```
> > > <samlp:Response Destination="
> > https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
> > IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
> > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> > > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp
> > </saml:Issuer>;;
> > > > <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
> ">;;
> > > <dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod
> > <http://www.w3.org/2001/10/xml-exc-c14n#> Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > > <dsig:Reference
> > URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
> > > <dsig:Transforms><dsig:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#
> "/></dsig:Transforms><dsig:DigestMethod
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> > >
> >
> <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
> > > </dsig:Reference>
> > > </dsig:SignedInfo>
> > >
> >
> <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
> > > <dsig:KeyInfo>
> > >
> > <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
> > > <dsig:X509Data>
> > >
> >
> <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
> > > </dsig:X509Data>
> > > <dsig:KeyValue>
> > > <dsig:RSAKeyValue>
> > >
> >
> <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
> > > <dsig:Exponent>AQAB</dsig:Exponent>
> > > </dsig:RSAKeyValue>
> > > </dsig:KeyValue>
> > > </dsig:KeyInfo>
> > > </dsig:Signature>
> > > <samlp:Status><samlp:StatusCode
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
> > > <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
> > IssueInstant="2018-07-20T23:39:37.055Z"
> > > Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> > > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp
> > </saml:Issuer>;;
> > > <saml:Subject>
> > > > <saml:NameID
> > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
> > chris.byron at corp.com</saml:NameID>
> > > <saml:SubjectConfirmation
> >
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> > NotOnOrAfter="2018-07-20T23:44:35.055Z"
> > > Recipient="
> > https://checkmarx.corp.net/cxrestapi/auth/samlAcs
> > "/></saml:SubjectConfirmation>;;
> > > </saml:Subject>
> > > <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z"
> > NotOnOrAfter="2018-07-20T23:40:35.055Z">
> > > <saml:AudienceRestriction>
> > > <saml:Audience>https://checkmarx.corp.net
> > </saml:Audience>;;
> > > </saml:AudienceRestriction>
> > > </saml:Conditions>
> > > <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
> > >
> >
> SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
> > > <saml:AuthnContext>
> > >
> >
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
> > > </saml:AuthnContext>
> > > </saml:AuthnStatement>
> > > <saml:AttributeStatement>
> > > <saml:Attribute FriendlyName="Last name" Name="Last_Name"
> > >
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > <saml:AttributeValue xmlns:xs="
> > http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> > xsi:type="xs:string">Byron</saml:AttributeValue>
> > > </saml:Attribute>
> > > <saml:Attribute FriendlyName="First name" Name="First_Name"
> > >
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > <saml:AttributeValue xmlns:xs="
> > http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> > xsi:type="xs:string">Chris</saml:AttributeValue>
> > > </saml:Attribute>
> > > <saml:Attribute FriendlyName="Email" Name="Email"
> > >
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > <saml:AttributeValue xmlns:xs="
> > http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> > xsi:type="xs:string">chris.byron at corp.com</saml:AttributeValue>
> > > </saml:Attribute>
> > > </saml:AttributeStatement>
> > > </saml:Assertion>
> > > </samlp:Response>
> > > ```
> > >
> > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro>
> wrote:
> > > > Hi Chris,
> > > >
> > > > According to the code, an InResponseTo attribute should be added to
> > the response unconditionally:
> > > >
> >
> https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
> > > >
> > > > If you're familiar with debugging, could you please check if this
> code
> > point is reached? If yes, is the InResponseTo value not null?
> > > >
> > > > Also, which version of Keycloak are you using?
> > > >
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > <
> https://maps.google.com/?q=Pod+lipami+street+339/52,+130+00+Prague+3,+Czech+Republic&entry=gmail&source=g
> >
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP
> > does not
> > > > > include an InResponseTo attribute in the SAMLResponse after an
> > SP-initiated
> > > > > login. Are there certain conditions in the Request that need to be
> > > > > satisfied before it will be included? Or certain client
> > configurations in
> > > > > Keycloak?
> > > > >
> > > > > The SAMLRequest from the SP:
> > > > > ```
> > > > > <saml2p:AuthnRequest
> > > > > AssertionConsumerServiceURL="
> > > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > > AttributeConsumingServiceIndex="0"
> > > > > Destination="
> > > > >
> >
> https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> > > > > ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > > > > > <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>;;;
> > > > > </saml2p:AuthnRequest>
> > > > > ```
> > > > >
> > > > > Keycloak client configuration:
> > > > > ```
> > > > > {
> > > > > "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > > > > > > "clientId": "https://checkmarx.corp.net",
> > > > > "rootUrl": "",
> > > > > > "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs
> ",
> > > > > "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > > > "surrogateAuthRequired": false,
> > > > > "enabled": true,
> > > > > "clientAuthenticatorType": "client-secret",
> > > > > "redirectUris": [],
> > > > > "webOrigins": [],
> > > > > "notBefore": 0,
> > > > > "bearerOnly": false,
> > > > > "consentRequired": false,
> > > > > "standardFlowEnabled": true,
> > > > > "implicitFlowEnabled": false,
> > > > > "directAccessGrantsEnabled": false,
> > > > > "serviceAccountsEnabled": false,
> > > > > "authorizationServicesEnabled": false,
> > > > > "publicClient": false,
> > > > > "frontchannelLogout": true,
> > > > > "protocol": "saml",
> > > > > "attributes": {
> > > > > "saml.assertion.signature": "false",
> > > > > "saml.force.post.binding": "true",
> > > > > "saml.multivalued.roles": "false",
> > > > > "saml.encrypt": "false",
> > > > > "saml.server.signature": "true",
> > > > > "saml_idp_initiated_sso_url_name": "checkmarx",
> > > > > "saml.server.signature.keyinfo.ext": "false",
> > > > > "saml.signature.algorithm": "RSA_SHA256",
> > > > > "saml_force_name_id_format": "false",
> > > > > "saml.client.signature": "false",
> > > > > "saml.authnstatement": "true",
> > > > > "saml_name_id_format": "email",
> > > > > "saml.onetimeuse.condition": "false",
> > > > > "saml_signature_canonicalization_method": "
> > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#",
> > > > >
> "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer":
> > > > > "KEY_ID"
> > > > > },
> > > > > "fullScopeAllowed": false,
> > > > > "nodeReRegistrationTimeout": -1,
> > > > > "useTemplateConfig": false,
> > > > > "useTemplateScope": false,
> > > > > "useTemplateMappers": false,
> > > > > "access": {
> > > > > "view": true,
> > > > > "configure": true,
> > > > > "manage": true
> > > > > }
> > > > > ```
> > > > >
> > > > > Thank you for any help or advice on this! Cheers,
> > > > > Chris Byron
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list