[keycloak-user] Unable to process SAML response from Azure AD
Lynxlogic
info at lynxlogic.com
Thu May 17 12:00:42 EDT 2018
Unfortunately, after upgrading to the latest Keycloak I can't seem to get it to send the logout request at all. I turned off backchannel logout, but there is no redirect to the AD logout.
> On May 17, 2018, at 03:49, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
>
> Hello David,
>
> May I ask you to share your logout request, please?
>
> Me, I am using https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2
> and Microsoft ADFS2 does not complain about the request. You can have a look
> at the SAMLRequest param here [1].
>
> The full request looks like this:
>
> GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
> Host: login.cern.ch
> User-Agent:...
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Cookie: MSISAuth=...
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
>
> Hope it helps,
>
> Luis
>
> ps: thank you sooooo much because your post helped me a lot! I thought that
> for being able to use [1] I needed to have a Keycloak server, register the
> SP, etc... But it turns out that Keycloak SAML Client Adapter Core makes
> all the magic, thanks Keycloak team!
>
> pps: for weblogic I needed to implement myself the SLO [2] :(
>
> [1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
> [2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/
>
>
> 2018-05-16 14:12 GMT+02:00 Lynxlogic <info at lynxlogic.com>:
>
>> Thanks for the info Luis. I was getting this error when using Azure's
>> 'Test SAML Settings' tool. Apparently when testing that way the attributes
>> you mentioned are omitted from the SAML response. If I follow a normal
>> login flow it works.
>>
>> However, I'm unable to get single sign out to work. If I turn on
>> backchannel logout, then when I sign out from keycloak I'm not signed out
>> from Azure. If I turn this off, keycloak sends a SAML request on logout,
>> but Azure complains that it is invalid. Azure's documentation says that
>> the sign out URL should be configured as
>> 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If I hit this
>> URL manually I do get signed out of Azure, but if I specify that URL as the
>> 'Single Logout Service URL' in the identity provider setup, Keycloak seems
>> to ignore it. The behavior is the same with or without that setting -
>> Keycloak does not redirect to that URL.
>>
>> David
>>
>>> On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
>>>
>>> Hello David,
>>>
>>> Me, in your <samlp:Response> I am missing a couple of attributes:
>>>
>>> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>>> InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
>>>
>>> Probably the "consent" one is not causing the issue, but "inresponseto"
>>> contains the id of the AuthRequest sent by keycloak, and maybe keycloak
>>> wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to
>>> yours BTW). You can have a look here at one of the ADFS2 responses:
>>> https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>>>
>>> Hope it helps,
>>>
>>> Luis
>>>
>>> 2018-05-16 3:06 GMT+02:00 Lynxlogic <info at lynxlogic.com>:
>>>
>>>> I'm trying to set up SAML SSO between Azure AD and Keycloak. On the
>>>> redirect back after auth, Keycloak is failing to process the response and
>>>> generates an internal server error:
>>>>
>>>> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>>>> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>>>> ...
>>>> Caused by: java.lang.NullPointerException
>>>> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>>>> at java.util.regex.Matcher.reset(Matcher.java:309)
>>>> at java.util.regex.Matcher.<init>(Matcher.java:229)
>>>> at java.util.regex.Pattern.matcher(Pattern.java:1093)
>>>> at java.util.regex.Pattern.split(Pattern.java:1206)
>>>> at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>>>> at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>>>> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>>>> ... 63 more
>>>>
>>>> I've posted the SAML response at
>>>> https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf
>>>>
>>>> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode().
>>>> I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
>>>> me in the right direction to solve this?
>>>>
>>>> Thanks,
>>>> David
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>>
>>> --
>>>
>>> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>>>
>>> - Samuel Beckett
>>
>
>
>
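The stack trace in the thread ends in a NullPointerException from Pattern.split() inside IdentityBrokerState.encoded(), and Luis points out that the failing Response lacks InResponseTo. Both are symptoms of the same thing: a Response that did not originate from an AuthnRequest this SP issued (the Azure "Test SAML Settings" tool produces one) reaches code that assumes the request correlation and the RelayState are present. The following added example is not Keycloak code and is not from anyone on the thread; it shows the pre-flight checks a broker-side SP should run on an inbound Response so that such a message is rejected with a clear reason instead of crashing. The ACS URL, issuer and RelayState format are constructed placeholders, and the sample Responses are constructed (signature verification is assumed to have happened already and is out of scope).

```python
"""Pre-flight validation of a SAML 2.0 Response before it reaches broker logic.

Added example, not Keycloak's own code. Checks: the Response answers an
AuthnRequest we issued (InResponseTo), is addressed to our ACS URL, reports
Success, carries an Assertion, and came back with the RelayState we need to
recover the broker session. Signature verification is assumed done upstream.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP endpoint; any real deployment has its own ACS URL.
SP_ACS = "https://sp.example.test/realms/demo/broker/azure/endpoint"
# The AuthnRequest ID quoted in the thread, reused here as sample data.
REQUEST_ID = "ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"


def decode_relay_state(relay_state):
    """Split a dotted RelayState into parts, or return None when it is absent.

    In the thread, Pattern.split() on a null relay state raised the NPE; this
    is the null-safe equivalent. The dotted format is an assumption.
    """
    if not relay_state:
        return None
    return relay_state.split(".")


def validate_response(xml_text, outstanding_ids, expected_destination, relay_state):
    """Return (ok, reason). outstanding_ids holds AuthnRequest IDs we issued."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return False, "unsolicited response: InResponseTo missing"
    if in_response_to not in outstanding_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    if root.get("Destination") != expected_destination:
        return False, "Destination does not match this SP's ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP reported non-success status"
    if root.find("saml:Assertion", NS) is None:
        return False, "no Assertion in Response"
    if decode_relay_state(relay_state) is None:
        return False, "RelayState missing: broker session state cannot be recovered"
    return True, "ok"


def _sample_response(in_response_to):
    """Build a constructed, minimal Response; in_response_to=None omits the attribute."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    issuer = "https://sts.windows.net/tenant-id-placeholder/"  # constructed issuer
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2018-05-16T01:00:00Z"
  Destination="{SP_ACS}"{attr}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-16T01:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed inputs: a normal login Response and a test-tool style one
# without InResponseTo (and, below, without RelayState).
NORMAL_LOGIN_RESPONSE = _sample_response(REQUEST_ID)
TEST_TOOL_RESPONSE = _sample_response(None)

if __name__ == "__main__":
    cases = [
        ("normal login", NORMAL_LOGIN_RESPONSE, "demo.tab1"),
        ("test tool", TEST_TOOL_RESPONSE, None),
    ]
    for name, resp, rs in cases:
        print(name, "->", validate_response(resp, {REQUEST_ID}, SP_ACS, rs))
```

Run as a script it prints `(True, 'ok')` for the normal flow and a reject reason for the test-tool message. The point for an operator is the same one the thread reaches by trial and error: an IdP test tool that sends an unsolicited Response is expected to fail at an SP that correlates requests, and the failure should be a logged rejection rather than an uncaught error.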