[keycloak-user] Keycloak Saml Client ID
Victor Alejo
victor at dvelp.co.uk
Mon Mar 11 14:59:58 EDT 2019
Thank you for your reply John.
We have set the EntityId of the client as the ClientID in keycloak.
Basically anything we add in ClientID is appearing in the IDPSSODescriptor
metadata.
Now we get the respond* "Invalid Requester". *
Our client has these 3 configuration options:
- Identity Provider Issuer -> EntityID = ClientID Keycloak
- SSO URL -> https://domain/auth/realms/keycloak_realm/protocol/saml
- Certificate -> X.509 added.
Certificate is not failing, and SSO URL looks to redirect correctly. IdP
Issuer looks to be ok now, so I am guessing that this error is about the
mapping attributes of the user authenticating?
Thanks
Regards
On Fri, Mar 8, 2019 at 9:17 PM John Dennis <jdennis at redhat.com> wrote:
> On 3/8/19 1:50 PM, Victor Alejo wrote:
> > Hi,
> >
> > I am integrating Keycloak with my service using a saml client but I got
> all
> > the time *unknown login requester" *error.
> >
> > My service:
> > - Uses Saml 2.0
> > - SSO URL pointing to:
> >
> https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml
> > <
> https://sso.develop.stentle.com/auth/realms/customer-support/protocol/saml
> >
> >
> > - Certificate X.509 Added Working.
> >
> > *- Identity Provider Issuer: This is the value we I know how to set. *
> >
> > - The client_ID value in the saml client of Keycloak:
> >
> > "Specified ID referrenced in URI and tokens. For example 'my-client'
> This
> > is also the expected issuer value from auth request"
> >
> > Anyone knows what should be in this value and how to related to the
> > Identity Provider Issuer?
>
> It's not related. There are two parties involved, the IdP (i.e.
> Keycloak) and the SP (i.e. your client). Each must know about the other,
> typically this done through SAML metadata exchange but Keycloak allows
> you to manually add the client if you don't have metadata.
>
> Each party is identified by something SAML calls the entityID, it *must*
> be a URN. You will find the entityID for the SP in the EntityDescriptor
> of the clients metadata and the entityID in the EntityDescriptor in your
> Keycloak's realm metadata. Keycloak's clientid *is* the SAML SP's
> entityID and appears in the authnRequest sent by your SP to Keycloak.
> What is sent by your SP as it's entityID *must* match the entityID (i.e.
> clientid) registered in your Keycloak realm. To find the IdP entity
> description register or create your SAML SP client in your realm and
> then click on the Installation tab, then select SAML Metadata
> IDPSSODescriptor as the format. You SP may need this metadata depending
> on the client. It just so happens that the issuer field in the realms
> OpenID Endpoint Configuration matches the SAML IDP entityID, but it's
> best to pull this value from the SAML IDP metadata.
>
>
> --
> John Dennis
>
More information about the keycloak-user
mailing list