[keycloak-user] Keycloak as SP with ping federate

Chris Stephens chris.stephens at edlogics.com
Sun Jul 28 12:17:49 EDT 2019


I am having issues integrating keycloak with ping federate. We are using keycloak version 5.0.0. Ping federate is the idp and keycloak is the service provider. Keycloak gives me a generic error "An internal server error has occurred". When I dive deeper into the logs I see this stack trace.


15:59:02,925 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-341) Uncaught server error:  org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
                        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:469)
                        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:504)
                        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:244)
                        at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:160)
                        at sun.reflect.GeneratedMethodAccessor1101.invoke(Unknown Source)
                        ...
                        at java.lang.Thread.run(Thread.java:748)
                        Caused by: java.lang.NullPointerException

There is no line number on the above null pointer exception. I only know it is happening in handleLoginResponse.

Here is the formatted xml from the /endpoint response in the browser:

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="J8RPRFTJWzphQNpjsdDMOBAzanc" IssueInstant="2019-07-28T15:47:20.101Z" Destination="https://access-dev.myedlogics.com/auth/realms/intervent/broker/intervent/endpoint">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                        <ds:Reference URI="#J8RPRFTJWzphQNpjsdDMOBAzanc">
                                    <ds:Transforms>
                                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transforms>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                    <ds:DigestValue>nhnAGsnEubW52HlCQIQ6X9aRQvsiKt2QMxu82hqka3E=</ds:DigestValue>
                        </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Z2zn8MXkhPk8iw4AXmFV/qK+UbyKQhYT5faq9yyPzF2OCS7joaboMm29/qtZhBHBrFNf0113f3jeAG6mX9RvOYOsoI9k0aLNvH42UDSZw9Iwv8AOIBxa06bqVw7VfJpxwNp4spJgvMRme61OnJd57sqF8V7CNe4X8VMm6L1DDDkvrpL1WieN8OrEjMOm7F3HtlIBTAfy3WvFn2P/Ly3ofSM4CFb9pOgyG0Ypi9KWVaCOQ0qVvaOXu97HpOY4+fp9kg/fMq3UlxJ93WTLiZ8/hXgz9x+Of6DXqY/+XjjRUPdhH2dSXwg7vpXCIc1q5JyG79uNHotLQoDhbO21Osp/QQ==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="fCWnVphoi6J6jBnD.Ohe_UTtf1D" IssueInstant="2019-07-28T15:47:20.158Z" Version="2.0">
            <saml:Issuer>localhost:default:entityId</saml:Issuer>
            <saml:Subject>
                        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
                        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                    <saml:SubjectConfirmationData Recipient="https://access-dev.myedlogics.com/auth/realms/intervent/broker/intervent/endpoint" NotOnOrAfter="2019-07-28T15:52:20.162Z"/>
                        </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2019-07-28T15:42:20.162Z" NotOnOrAfter="2019-07-28T15:52:20.162Z">
                        <saml:AudienceRestriction>
                                    <saml:Audience>https://access-dev.myedlogics.com/auth/realms/intervent</saml:Audience>
                        </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement SessionIndex="fCWnVphoi6J6jBnD.Ohe_UTtf1D" AuthnInstant="2019-07-28T15:47:20.136Z">
                        <saml:AuthnContext>
                                    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                        </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
                        <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.stephens+1 at edlogics.net</saml:AttributeValue>
                        </saml:Attribute>
            </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>


Does anyone see any obvious mistakes I am making? Is the xml invalid and messing with keycloak?

Thanks,
Chris
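An added example, not from the post or from Keycloak: it runs the structural checks an SP applies to a SAML 2.0 Response (destination, status, which elements are signed, NameID, recipient, validity window, audience) against a trimmed copy of the response above. The ACS URL and audience come from the post; the signature value is replaced by a placeholder, and the code only reports where a signature is present, it does not verify one.

```python
# Added example (not from the post or Keycloak): structural pre-checks an SP applies to a
# SAML 2.0 Response. SAMPLE is trimmed from the response in the post; signature value replaced.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://access-dev.myedlogics.com/auth/realms/intervent/broker/intervent/endpoint"
AUDIENCE = "https://access-dev.myedlogics.com/auth/realms/intervent"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0"
  ID="J8RPRFTJWzphQNpjsdDMOBAzanc" IssueInstant="2019-07-28T15:47:20.101Z" Destination="{ACS}">
 <saml:Issuer>localhost:default:entityId</saml:Issuer>
 <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo><ds:Reference URI="#J8RPRFTJWzphQNpjsdDMOBAzanc"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="fCWnVphoi6J6jBnD.Ohe_UTtf1D" IssueInstant="2019-07-28T15:47:20.158Z" Version="2.0">
  <saml:Issuer>localhost:default:entityId</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2019-07-28T15:52:20.162Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2019-07-28T15:42:20.162Z" NotOnOrAfter="2019-07-28T15:52:20.162Z">
   <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def parse_ts(s):
    """Parse a SAML UTC timestamp such as 2019-07-28T15:47:20.101Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, acs_url, audience, now):
    """Return the list of failed checks; an empty list means the response is structurally sound."""
    r = ET.fromstring(xml_text)
    a = r.find("saml:Assertion", NS)
    if a is None:  # an EncryptedAssertion would also land here; decrypt first in that case
        return ["no plaintext Assertion element (missing or encrypted)"]
    sc = r.find("samlp:Status/samlp:StatusCode", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    c = a.find("saml:Conditions", NS)
    auds = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    checks = [  # (passed?, finding) pairs; only presence of ds:Signature is checked, not validity
        (r.get("Destination") == acs_url, "Destination is not the SP endpoint"),
        (sc is not None and sc.get("Value", "").endswith(":Success"), "status is not Success"),
        (r.find("ds:Signature", NS) is not None, "Response element is unsigned"),
        (a.find("ds:Signature", NS) is not None, "Assertion element is unsigned"),
        (a.find("saml:Subject/saml:NameID", NS) is not None, "Assertion has no Subject/NameID"),
        (scd is not None and scd.get("Recipient") == acs_url, "Recipient is not the SP endpoint"),
        (c is not None and parse_ts(c.get("NotBefore")) <= now < parse_ts(c.get("NotOnOrAfter")),
         "outside the Conditions validity window"),
        (audience in auds, "Audience does not include the SP entity ID"),
    ]
    return [msg for ok, msg in checks if not ok]
```

On the posted response the only finding is that the Assertion itself carries no signature (the Response does), which is worth comparing against the SP's "want assertions signed" style settings before digging further into the stack trace.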

