[keycloak-user] Unable to process SAML response from Azure AD

Luis Rodríguez Fernández uo67113 at gmail.com
Thu May 17 05:49:11 EDT 2018


Hello David,

May I ask you to share your logout request, please?

I am using https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2
and Microsoft ADFS2 does not complain about the request. You can have a look
at the SAMLRequest param here [1].

The full request looks like this:

GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
Host: login.cern.ch
User-Agent:...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: MSISAuth=...
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Hope it helps,

Luis

PS: thank you sooooo much, because your post helped me a lot! I thought that
for being able to use [1] I needed to have a Keycloak server, register the
SP, etc... But it turns out that the Keycloak SAML Client Adapter Core makes
all the magic, thanks Keycloak team!

PPS: for WebLogic I needed to implement the SLO myself [2] :(

[1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
[2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/


2018-05-16 14:12 GMT+02:00 Lynxlogic <info at lynxlogic.com>:

> Thanks for the info Luis. I was getting this error when using Azure’s
> ‘Test SAML Settings’ tool. Apparently when testing that way the attributes
> you mentioned are omitted from the SAML response. If I follow a normal
> login flow it works.
>
> However, I’m unable to get single sign out to work. If I turn on
> backchannel logout, then when I sign out from keycloak I’m not signed out
> from Azure. If I turn this off, keycloak sends a SAML request on logout,
> but Azure complains that it is invalid. Azure’s documentation says that
> the sign out URL should be configured as
> 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If I hit this
> URL manually I do get signed out of Azure, but if I specify that URL as the
> ‘Single Logout Service URL’ in the identity provider setup, Keycloak seems
> to ignore it. The behavior is the same with or without that setting -
> Keycloak does not redirect to that URL.
>
> David
>
> > On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
> >
> > Hello David,
> >
> > In your <samlp:Response> I am missing a couple of attributes:
> >
> > Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> > InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
> >
> > Probably the "consent" one is not causing the issue, but "inresponseto"
> > contains the id of the AuthRequest sent by keycloak, and maybe keycloak
> > wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to
> > yours BTW). You can have a look here at one of the ADFS2 responses:
> > https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
> >
> > Hope it helps,
> >
> > Luis
> >
> > 2018-05-16 3:06 GMT+02:00 Lynxlogic <info at lynxlogic.com>:
> >
> >> I’m trying to set up SAML SSO between Azure AD and Keycloak. On the
> >> redirect back after auth, Keycloak is failing to process the response and
> >> generates an internal server error:
> >>
> >> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
> >> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
> >> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
> >> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
> >> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
> >> .
> >> .
> >> .
> >> Caused by: java.lang.NullPointerException
> >> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
> >> at java.util.regex.Matcher.reset(Matcher.java:309)
> >> at java.util.regex.Matcher.<init>(Matcher.java:229)
> >> at java.util.regex.Pattern.matcher(Pattern.java:1093)
> >> at java.util.regex.Pattern.split(Pattern.java:1206)
> >> at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
> >> at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
> >> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
> >> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
> >> ... 63 more
> >>
> >> I’ve posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
> >>
> >> The stack trace indicates it’s failing at IdentityBrokerService.parseEncodedSessionCode().
> >> I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
> >> me in the right direction to solve this?
> >>
> >> Thanks,
> >> David
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
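The diagnosis earlier in the thread is that a samlp:Response arriving without InResponseTo (as with Azure's test tool, which sends an unsolicited response) cannot be correlated with the AuthnRequest the SP issued, and Keycloak fell over with a NullPointerException instead of a clean rejection. The check below is an added example, not code from any post in this thread and not Keycloak's own code: it validates InResponseTo against the SP's pending request IDs and the Destination against the SP's own endpoint, rejecting unsolicited and replayed responses with an explicit reason. The two XML samples, the endpoint URL and the pending-ID set are constructed; Consent is optional in SAML and is deliberately not checked.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed: the broker endpoint of our own SP.
SP_ENDPOINT = "https://sp.example.test/auth/realms/demo/broker/azure/endpoint"

# Constructed sample: an IdP-initiated response with no InResponseTo at all,
# which is what the thread reports for Azure's "Test SAML Settings" tool.
UNSOLICITED = (
    '<samlp:Response xmlns:samlp="%s" ID="_resp1" Version="2.0" '
    'IssueInstant="2018-05-16T00:27:00Z" Destination="%s">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>' % (SAMLP, SP_ENDPOINT)
)
# Constructed sample: the same response carrying the ID of a request we sent
# (the ID value is the one quoted in the thread).
PENDING_ID = "ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
SOLICITED = UNSOLICITED.replace(
    'ID="_resp1"', 'ID="_resp2" InResponseTo="%s"' % PENDING_ID)


def check_in_response_to(response_xml, pending_request_ids, expected_destination):
    """Return (ok, reason) for an SP-side correlation check.

    pending_request_ids is the SP's set of AuthnRequest IDs still awaiting a
    response; a matching ID is consumed so the same response cannot be replayed.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        return False, "not a samlp:Response"
    if root.get("Destination") != expected_destination:
        return False, "Destination does not name this SP endpoint"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return False, "InResponseTo missing: unsolicited (IdP-initiated) response"
    if in_response_to not in pending_request_ids:
        return False, "InResponseTo %r matches no pending AuthnRequest" % in_response_to
    pending_request_ids.discard(in_response_to)  # one-time use blocks replay
    return True, "response correlates with pending request %s" % in_response_to


if __name__ == "__main__":
    pending = {PENDING_ID}
    print(check_in_response_to(UNSOLICITED, pending, SP_ENDPOINT))
    print(check_in_response_to(SOLICITED, pending, SP_ENDPOINT))
    print(check_in_response_to(SOLICITED, pending, SP_ENDPOINT))  # replay
```

Whether an SP should accept IdP-initiated responses at all is a policy decision; if it does, it still needs a separate path for them rather than treating a missing InResponseTo as an internal error.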

