[keycloak-user] Undeclared namespace "ec" while deserializing SAML Response

Teel, Dustin L. Dustin.Teel at leidos.com
Thu Jun 27 07:45:34 EDT 2019


Hi all,

My team is having a deserialization issue with a certain SAML Response document that we are getting from one of our clients.  I have submitted a bug ticket (https://issues.jboss.org/browse/KEYCLOAK-10729), but I also wanted to start a discussion here to see if anyone has run into this issue/it is fixed in a later version already/knows of a workaround.  We are currently on version 4.1.0.Final.

The stack trace and relevant parts of the SAML Response document are part of the ticket description, but I will summarize the issue we are seeing here.  Our setup includes a SAML Client which has the properties for IDP-Initiated SSO set.  We then have a SAML IDP set up with the metadata from our client.  Our client posts a SAML Response to the IDP-Initiated SSO for the client and IDP and we are getting the following exception when Keycloak attempts to deserialize the SAML Response:

org.keycloak.saml.common.exceptions.ParsingException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ec"
(Full stack trace and SAML Response document are in the ticket linked above)

The issue here seems to be the location in which the “ec” namespace is declared.  The namespace is declared in the root <samlp:Response> element.  The “ec” namespace is actually used in a <ec:InclusiveNamespaces> element that is a descendant of the <ds:Signature> element.  It seems that during deserialization Keycloak does not apply namespaces declared in the root element to descendant elements.  I say this because if we move the “ec” namespace declaration down to the <ds:Signature> element then everything works as expected.

If you have any questions or need clarification, please let me know.  Thank you in advance for your help!

Thank you,

Dustin Teel
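
Added example, not part of the original post and not Keycloak code: a Python check that lists namespace prefixes used inside <ds:Signature> but declared only on an element outside it, which is the layout the post describes. The two sample documents are constructed for illustration, and the name inherited_prefixes is hypothetical.

```python
import xml.parsers.expat

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
EC_DECL = ' xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"'
# Constructed sample shaped like the post's description (not the ticket's document).
TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"{root}>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"{sig}>'
    '<ds:SignedInfo><ds:Reference><ds:Transforms><ds:Transform'
    ' Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    '<ec:InclusiveNamespaces PrefixList="xs"/></ds:Transform></ds:Transforms>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')
AS_REPORTED = TEMPLATE.format(root=EC_DECL, sig="")  # "ec" declared on the root
WORKAROUND = TEMPLATE.format(root="", sig=EC_DECL)   # "ec" moved to ds:Signature

def inherited_prefixes(xml_text, local="Signature", ns=DSIG_NS):
    """(prefix, used_on, declared_on) for prefixes the subtree inherits from outside."""
    stack, state, found = [], {"top": None}, set()

    def lookup(prefix):  # index of the innermost open element declaring prefix
        hits = [i for i, (_, decls) in enumerate(stack) if prefix in decls]
        return hits[-1] if hits else None

    def on_start(qname, attrs):
        decls = {k[6:]: v for k, v in attrs.items() if k.startswith("xmlns:")}
        if "xmlns" in attrs:
            decls[""] = attrs["xmlns"]
        stack.append((qname, decls))
        prefix, _, name = qname.rpartition(":")
        if state["top"] is None and name == local:
            i = lookup(prefix)
            if i is not None and stack[i][1][prefix] == ns:
                state["top"] = len(stack) - 1  # entering the watched subtree
        if state["top"] is None:
            return
        used = {prefix} | {k.split(":")[0] for k in attrs if ":" in k}
        for p in used - {"xml", "xmlns"}:
            outer = lookup(p)
            if outer is not None and outer < state["top"]:
                found.add((p, qname, stack[outer][0]))

    def on_end(_qname):
        stack.pop()
        if state["top"] == len(stack):  # the watched subtree just closed
            state["top"] = None

    parser = xml.parsers.expat.ParserCreate()  # no namespace processing: raw prefixes
    parser.StartElementHandler, parser.EndElementHandler = on_start, on_end
    parser.Parse(xml_text, True)
    return sorted(found)
```

A non-empty result names the declarations that any code handling the signature subtree separately from the full document has to carry along. The check looks only at element and attribute names, not at prefixes listed inside a PrefixList value.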

