[keycloak-user] Unable to process SAML response from Azure AD

Lynxlogic info at lynxlogic.com
Wed May 16 08:12:58 EDT 2018


Thanks for the info Luis. I was getting this error when using Azure’s ‘Test SAML Settings’ tool. Apparently when testing that way the attributes you mentioned are omitted from the SAML response. If I follow a normal login flow it works.

However, I’m unable to get single sign out to work. If I turn on backchannel logout, then when I sign out from keycloak I’m not signed out from Azure. If I turn this off, keycloak sends a SAML request on logout, but Azure complains that it is invalid. Azure’s documentation says that the sign out URL should be configured as ‘https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0’. If I hit this URL manually I do get signed out of Azure, but if I specify that URL as the ‘Single Logout Service URL’ in the identity provider setup, Keycloak seems to ignore it. The behavior is the same with or without that setting - Keycloak does not redirect to that URL.

David

> On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
> 
> Hello David,
> 
> In your <samlp:Response> I am missing a couple of attributes:
> 
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
> 
> Probably the "consent" one is not causing the issue, but "inresponseto"
> contains the id of the AuthRequest sent by keycloak, and maybe keycloak
> wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to
> yours BTW). You can have a look at one of the ADFS2 responses here:
> https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
> 
> Hope it helps,
> 
> Luis
> 
> 2018-05-16 3:06 GMT+02:00 Lynxlogic <info at lynxlogic.com>:
> 
>> I’m trying to setup SAML SSO between Azure AD and Keycloak. On the
>> redirect back after auth, Keycloak is failing to process the response and
>> generates an internal server error:
>> 
>> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>> .
>> .
>> .
>> Caused by: java.lang.NullPointerException
>> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>> at java.util.regex.Matcher.reset(Matcher.java:309)
>> at java.util.regex.Matcher.<init>(Matcher.java:229)
>> at java.util.regex.Pattern.matcher(Pattern.java:1093)
>> at java.util.regex.Pattern.split(Pattern.java:1206)
>> at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>> at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>> ... 63 more
>> 
>> I’ve posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
>> 
>> The stack trace indicates it’s failing at IdentityBrokerService.parseEncodedSessionCode().
>> I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
>> me in the right direction to solve this?
>> 
>> Thanks,
>> David
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
> 
> -- 
> 
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> 
> - Samuel Beckett
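The InResponseTo check Luis describes, written out as an added example (this is not Keycloak's code): a SAML SP keeps the IDs of the AuthnRequests it issued and accepts a Response only if its InResponseTo names one of them, consuming the ID so a replayed Response fails; a Response with no InResponseTo (what Azure's test tool produces) is treated as unsolicited and rejected unless the SP explicitly allows IdP-initiated login. The function names and the sample XML are constructed; only the request ID is taken from Luis's message.

```python
"""Check a SAML 2.0 <samlp:Response> against the AuthnRequest the SP issued.

Added example, not Keycloak code. Signature verification, Issuer/Audience
and Conditions checks on the Assertion are assumed to happen elsewhere.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlResponseError(Exception):
    pass


def validate_response(xml_text, pending_request_ids, allow_unsolicited=False):
    """Return the consumed AuthnRequest ID, or None for an accepted unsolicited Response.

    pending_request_ids: set of AuthnRequest IDs this SP sent and has not yet
    seen answered. The matching ID is removed, so presenting the same Response
    twice raises SamlResponseError (replay).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlResponseError("root element is not samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise SamlResponseError("IdP did not report Success")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if allow_unsolicited:  # IdP-initiated login explicitly permitted
            return None
        raise SamlResponseError("InResponseTo missing: unsolicited Response rejected")
    if in_response_to not in pending_request_ids:
        raise SamlResponseError(f"InResponseTo {in_response_to!r} matches no pending AuthnRequest")
    pending_request_ids.discard(in_response_to)
    return in_response_to


# Constructed sample Response carrying the request ID quoted in Luis's message.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0"
    IssueInstant="2018-05-16T00:27:00Z"
    InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    pending = {"ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"}
    print("accepted", validate_response(SAMPLE_RESPONSE, pending))
```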

