[keycloak-user] FW: Using keycloak for SAML integration. confused by documentation. login loop

Manuel Waltschek manuel.waltschek at prisma-solutions.at
Fri Nov 30 05:09:19 EST 2018


Hello,

I am resending this, since I needed to confirm my subscription to this mailing list first and I got the "not allowed" message when I sent it for the first time.

Regards,

Manuel Waltschek

From: Manuel Waltschek
Sent: Thursday, 29 November 2018 18:27
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Using keycloak for SAML integration. confused by documentation. login loop

Hello there,

I'm sorry to bother you, since this might have been asked quite a lot, but I am not able to configure my application as a SAML service provider to authenticate against an external IdP like https://samltest.id/saml/idp . I tried to use the keycloak server as an identity broker but ran into different issues. I tried to follow the instructions in this documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html

If you want details on my configuration you can check out https://stackoverflow.com/questions/53487692/keycloak-saml-as-identity-broker-wiht-samltest-as-an-external-idp-misconfigurat but some aspects might have changed, since I tried an alternative.

Alternatively I tried to configure the Wildfly 10 system/application to use the external IdP directly, which kind of works. At least I am able to authenticate at the IdP's website when I try to access a protected resource of my application, but when I get redirected to application-name/saml (which is my defined endpoint, since it is described like this in the documentation; I do not understand how this should even work) I do not know how to access the assertion / the SAML principal at this stage, and if I register a ServletFilter in web.xml with a URL pattern of /saml/* or /saml it won't trigger.

Also I do not know if this is even how it should work out, since I don't get how the keycloak server even fits into the equation, since it is not called or anything when the SP communicates automatically with the external IdP. Also, why does the KeycloakLoginModule never get called? What is it for? And how does the assertion actually get processed? I cannot find any reference on these topics.

I am getting really frustrated about this, since the documentation is unclear (for me) about SAML and the use case I described, and there are really no answers on public websites. I will be really happy if anyone could help me solve this issue. Do not hesitate to ask for more information/details.

Thank you in advance,


Manuel Waltschek BSc.

+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Commercial register (Firmenbuch): FN 239449 g, Landesgericht Wiener Neustadt
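The email asks where the application can get at the assertion once the IdP redirects back to application-name/saml, and why a filter mapped to /saml/* never fires. In the WildFly SAML adapter the /saml endpoint is served by the adapter's own authentication mechanism, not by the application's servlets: the adapter receives the SAMLResponse, verifies its signature against the IdP certificate in keycloak-saml.xml, and only then establishes the container principal and forwards the browser to the protected resource. The example below is added here and is not code from the email, the thread or the Keycloak project; it shows the point at which application code actually sees the identity. It assumes the keycloak-saml adapter subsystem is installed in WildFly 10, that web.xml declares `<auth-method>KEYCLOAK-SAML</auth-method>` with a security-constraint on `/protected/*`, and that `keycloak-saml.xml` maps role attributes via `RoleIdentifiers`; the package name, servlet path and the `admin` role are hypothetical.

```java
// Added example (not from the email or the Keycloak project): a servlet that reads
// the identity the Keycloak SAML adapter has already validated. Assumes the WildFly
// keycloak-saml adapter is installed and web.xml declares
// <auth-method>KEYCLOAK-SAML</auth-method> plus a security-constraint on /protected/*.
package example.saml; // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.List;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.adapters.saml.SamlPrincipal;

@WebServlet("/protected/whoami") // hypothetical path, inside the protected URL space
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time a servlet under /protected/* runs, the adapter has consumed the
        // POST to /saml, checked the response signature and set the container principal.
        // The raw SAMLResponse is never handed to application code, so there is nothing
        // to parse here; trusting a re-parsed, unverified assertion would be the real risk.
        Principal p = req.getUserPrincipal();
        if (!(p instanceof SamlPrincipal)) {
            // No adapter-established identity: either no security-constraint matched this
            // URL or the login never completed. Treat the request as unauthenticated.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        SamlPrincipal saml = (SamlPrincipal) p;

        resp.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Subject NameID and its format, as asserted by the IdP.
        out.println("NameID: " + saml.getName());
        out.println("NameID format: " + saml.getNameIDFormat());

        // Attribute statements from the assertion, keyed by SAML attribute Name.
        Set<String> names = saml.getAttributeNames();
        for (String name : names) {
            List<String> values = saml.getAttributes(name);
            out.println(name + " = " + values);
        }

        // Roles are derived from the attribute named in RoleIdentifiers in
        // keycloak-saml.xml and are checked through the standard servlet API,
        // so authorization decisions stay in the container, not in ad-hoc parsing.
        out.println("is admin: " + req.isUserInRole("admin")); // "admin" is a hypothetical role
    }
}
```

Deploy this alongside the security-constraint that protects `/protected/*`; an unauthenticated request to the servlet is redirected to the IdP by the adapter, and after the IdP posts back to `/saml` the browser lands on the servlet with `getUserPrincipal()` populated. The same `SamlPrincipal` can be read from a filter mapped to `/protected/*`, which is where a filter belongs in this flow rather than on `/saml/*`.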