[keycloak-user] Keycloak Integration with Celoxis

Luis Rodríguez Fernández uo67113 at gmail.com
Mon Apr 1 12:45:56 EDT 2019


Hello Kevin,

I am afraid that the only thing I can suggest is to change your
Celoxis IDP URL configuration [1].

Cheers,

Luis

[1]
https://celoxis.atlassian.net/wiki/spaces/DOC11/pages/113704014/Single+Sign-On+SSO

On Fri, 29 Mar 2019 at 8:45, Kevin Perez Moreno (<
moreno at netguardians.ch>) wrote:

> Hello,
>
> I am currently trying to integrate Celoxis into our SSO provided by
> keycloak. Celoxis is configured to send SAML requests to our keycloak
> server by using the following IDP endpoint URL:
> https://xxx.xx/auth/realms/Demo/protocol/saml
> However, I am getting an "invalid authn request reason invalid
> destination" WARN message in keycloak.
> After changing the log level to DEBUG, I found out that the Celoxis app is
> sending a SAML with destination URL
> https://xxx.xx/auth/realms/Demo/protocol/saml?
> It seems that a question mark was added at the end of the destination URL.
> Please see DEBUG traces below. I wonder if this is the expected behavior,
> i.e., the question mark added at the end of the SAML Destination URL is
> causing keycloak to throw an invalid authn request error.
> If this is the expected behavior, I wonder if there is any workaround to
> avoid this error (perhaps ignoring destination validation?)
>
> 17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
> task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
> 17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default
> task-9) SAML GET
> 17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9)
> SAML Redirect Binding
> 17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9)
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418" Version="2.0"
> IssueInstant="2019-03-28T16:06:47Z" Destination="
> https://xxx/auth/realms/Demo/protocol/saml?"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> AssertionConsumerServiceURL="
> https://app.celoxis.com/psa/person.Login.do?code=netguardians
> "><saml:Issuer>celoxis.com</saml:Issuer><samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> AllowCreate="true" /></samlp:AuthnRequest>
> 17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default
> task-9) verified request
> 17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default
> task-9) ** login request
> 17:06:47,999 WARN  [org.keycloak.events] (default task-9)
> type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null,
> ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination
>
> Thank you in advance
> Kevin


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
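
Added example, not part of the original messages and not Keycloak or Celoxis code: a small diagnostic that decodes a SAML HTTP-Redirect `SAMLRequest` and compares its `Destination` attribute with the configured IdP endpoint, flagging the trailing `?` seen in the trace above. The host `idp.example`, the function names and the strict string comparison are assumptions made for illustration; the sample request is constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample modeled on the AuthnRequest in the DEBUG trace; the host is a placeholder.
IDP_ENDPOINT = "https://idp.example/auth/realms/Demo/protocol/saml"
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2019-03-28T16:06:47Z" '
    'Destination="https://idp.example/auth/realms/Demo/protocol/saml?">'
    '<saml:Issuer>celoxis.com</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect(xml):
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    raw = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(raw).decode(), safe="")

def decode_redirect(url):
    """Recover the AuthnRequest XML from a redirect URL's SAMLRequest parameter."""
    param = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()

def check_destination(url, expected):
    """Return (destination, matches, hint), assuming a strict string comparison."""
    root = ET.fromstring(decode_redirect(url))
    dest = (root.get("Destination") or "").strip()
    if dest == expected:
        return dest, True, "ok"
    if dest.rstrip("?") == expected:
        return dest, False, "trailing '?' appended to Destination"
    if dest.rstrip("/") == expected.rstrip("/"):
        return dest, False, "trailing slash differs"
    return dest, False, "different URL"

if __name__ == "__main__":
    url = IDP_ENDPOINT + "?SAMLRequest=" + encode_redirect(SAMPLE_XML)
    print(check_destination(url, IDP_ENDPOINT))
```

Run against a redirect URL captured from your own service provider, this shows whether the mismatch originates in the SP's configured IdP URL before any change is made on the IdP side.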

