[keycloak-user] Testing SAML Identity Brokering

Dmitry Telegin dt at acutus.pro
Fri Oct 12 08:49:59 EDT 2018


Hi Craig,

On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> I'm attempting to set up a test of identity brokering all within a single
> Keycloak server.  I have two realms set up.  The "saml-demo" realm is set
> up with a SAML client.  I've exported the SAML definition from that client
> and imported it into the Identity Brokering for the second realm.

In the brokering scenario, your webapp should remain the client of the saml-demo realm, and this realm itself should become a client of another realm. This is how brokering actually works.

Let's assume there are realms "foo" and "bar", and the former should broker to the latter. The exact steps are:
1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
2. Scroll down to "Import from URL", enter the following:
http://<your-keycloak-host>:<port>/auth/realms/bar/protocol/saml/descriptor
(replace "bar" with the actual name of your second realm)
3. Go to Export tab, save EntityDescriptor XML;
4. Go to "bar" realm -> Clients, create one, import the XML from the previous step, provide some meaningful name;
5. Create some users in "bar".

After that, try accessing your SAML client. You'll be presented with the Keycloak login screen where you'll be able to either authenticate against "saml-demo", or to choose another realm.

Some notes:
- you can avoid the first login screen and redirect automatically to the second realm, using a custom authentication flow with IDP redirector + flow override at the client level;
- upon the first brokered login, the user will be presented with the Update account details screen. If you want to bypass that, you can enable identity auto-linking.
It's out of the box in KC 4.5.0, thanks to the excellent work by Ryan Slominski: https://issues.jboss.org/browse/KEYCLOAK-7270
For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> Unfortunately, I can't seem to get to the login page of the "saml-demo"
> when navigating from the second realm.  When I click on the identity broker
> realm link, I'm seeing the following in the logs:
> 
> keycloak_1  | Caused by: java.security.SignatureException: Signature length
> not correct: got 256 but was expecting 128
> keycloak_1  |     at
> sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> keycloak_1  |     at
> java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> keycloak_1  |     at java.security.Signature.verify(Signature.java:655)
> keycloak_1  |     at
> org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
> 
> I've turned up logging for all of the Keycloak SAML functionality as well
> as for java.security.  However, I'm struggling to figure out where the
> mismatch is located in the configuration and not quite sure where to even
> look.
> 
> Can anyone offer suggestions on how to go about setting this up or
> troubleshooting what I'm doing?
> 
> Thanks,
> Craig
> 
> =================================
> *Craig Setera*
> 
> *Chief Technology Officer*
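A quick check, added here as an example and not part of the thread or of Keycloak, that reads the signing certificate from a realm's SAML descriptor and relates its RSA key size to the "Signature length not correct: got 256 but was expecting 128" error quoted above (an RSA signature is as long as the key modulus, so 256 bytes means a 2048-bit signer key and 128 bytes a 1024-bit one). It assumes openssl is installed and builds its own throwaway certificate and descriptor instead of contacting a server.

```shell
#!/bin/sh
# Added example, not from the thread or Keycloak: read the signing certificate
# out of a SAML EntityDescriptor and compare its RSA key size with a logged
# signature length. An RSA signature is as long as the key modulus, so "got 256
# but was expecting 128" is a 2048-bit signer vs a 1024-bit verifier cert.
set -e

# Print the modulus size in bits of the first <X509Certificate> in a metadata file.
saml_signing_key_bits() {
    b64=$(tr -d '\n\r\t ' < "$1" | grep -o 'X509Certificate>[^<]*' | head -n 1 | cut -d '>' -f 2)
    [ -n "$b64" ] || { echo "no X509Certificate found in $1" >&2; return 1; }
    { printf -- '-----BEGIN CERTIFICATE-----\n'; printf '%s\n' "$b64" | fold -w 64
      printf -- '-----END CERTIFICATE-----\n'; } \
        | openssl x509 -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Compare a signature length in bytes (the "got N" from RSASignature.engineVerify)
# with the key size published in the descriptor. Returns 1 on mismatch.
check_signature_length() {
    bits=$(saml_signing_key_bits "$1")
    if [ "$2" -eq $((bits / 8)) ]; then
        echo "ok: a $2-byte signature matches the $bits-bit key in $1"
    else
        echo "mismatch: a $2-byte signature implies a $(($2 * 8))-bit signer key, but $1" \
             "carries a $bits-bit key; the two realms trust different certificates"
        return 1
    fi
}

# Constructed sample: a throwaway 2048-bit self-signed certificate inside a
# minimal IdP descriptor, so the check runs offline without a Keycloak server.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/key.pem" \
    -out "$DEMO_DIR/cert.pem" -subj "/CN=bar-realm-demo" -days 1 2>/dev/null
DEMO_DESCRIPTOR="$DEMO_DIR/descriptor.xml"
cat > "$DEMO_DESCRIPTOR" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:8080/auth/realms/bar">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$(sed '/^-----/d' "$DEMO_DIR/cert.pem" | tr -d '\n')</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
check_signature_length "$DEMO_DESCRIPTOR" 256              # ok
check_signature_length "$DEMO_DESCRIPTOR" 128 || true      # mismatch, as in the thread's log
```

Run it against a real descriptor by pointing saml_signing_key_bits at a saved copy of http://<your-keycloak-host>:<port>/auth/realms/<realm>/protocol/saml/descriptor; a key size that disagrees with the logged signature length points at a stale certificate in one realm's IdP or client configuration.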
