[keycloak-user] Keycloak Saml Client ID

John Dennis jdennis at redhat.com
Mon Mar 11 15:40:49 EDT 2019


On 3/11/19 2:59 PM, Victor Alejo wrote:
> Thank you for your reply John.
> 
> We have set the EntityId of the client as the ClientID in keycloak.
> Basically anything we add in ClientID is appearing in the 
> IDPSSODescriptor metadata.

IDPSSODescriptor != SPSSODescriptor

Your client of Keycloak is a SAML SP, therefore any changes you make to 
the *client* should only be reflected in the SPSSODescriptor *not* the 
IDPSSODescriptor.

> 
> Now we get the response "Invalid Requester".

You probably still have a problem with mismatched entityIDs. There are 
two parties involved, Keycloak as the IdP and your client as an SP. Each 
*must* know its own entityID *and* the entityID of the connecting 
party. That's how they identify each other.

> 
> Our client has these 3 configuration options:
> - Identity Provider Issuer ->  EntityID  = ClientID Keycloak

If you're saying you've entered the clientid as the IdP entityID that's 
incorrect. Make sure you understand who is playing the role of IdP and 
SP (see above).

> - SSO URL -> https://domain/auth/realms/keycloak_realm/protocol/saml
> - Certificate -> X.509 added.
> 
> Certificate is not failing, and SSO URL looks to redirect correctly. IdP 
> Issuer looks to be ok now, so I am guessing that this error is about the 
> mapping attributes of the user authenticating?

No, you're not even getting that far. First Keycloak has to look up 
the client trying to connect to it and validate it. That lookup and 
validation is going to fail if both parties don't agree on the 
entityIDs in use.

It's easy to see what entityIDs are in use by using a browser extension 
that captures and displays SAML messages. The following doc shows how to 
use those extensions. The doc was written for a different SAML SP but 
the issues are the same.

https://github.com/Uninett/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc#trace_saml_flow

Sections 4.7 and 4.9 in the doc are relevant to entityIDs and the format 
of the authnRequest; once again, although this is a different SAML SP, 
those sections are generic SAML.

https://github.com/Uninett/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc

> 
> Thanks
> Regards
> 
> 
> On Fri, Mar 8, 2019 at 9:17 PM John Dennis <jdennis at redhat.com> wrote:
> 
>     On 3/8/19 1:50 PM, Victor Alejo wrote:
>      > Hi,
>      >
>      > I am integrating Keycloak with my service using a saml client but
>      > I get the "unknown login requester" error all the time.
>      >
>      > My service:
>      > - Uses Saml 2.0
>      > - SSO URL pointing to:
>      >
>     https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml
>      >
>      > - Certificate X.509 Added Working.
>      >
>      > - Identity Provider Issuer: This is the value we know how to set.
>      >
>      > - The client_ID value in the saml client of Keycloak:
>      >
>      > "Specified ID referrenced in URI and tokens. For example
>     'my-client'  This
>      > is also the expected issuer value from auth request"
>      >
>      > Does anyone know what should be in this value and how it relates to the
>      > Identity Provider Issuer?
> 
>     It's not related. There are two parties involved, the IdP (i.e.
>     Keycloak) and the SP (i.e. your client). Each must know about the
>     other,
>     typically this done through SAML metadata exchange but Keycloak allows
>     you to manually add the client if you don't have metadata.
> 
>     Each party is identified by something SAML calls the entityID, it *must*
>     be a URN. You will find the entityID for the SP in the EntityDescriptor
>     of the client's metadata and the entityID in the EntityDescriptor in your
>     Keycloak's realm metadata. Keycloak's clientid *is* the SAML SP's
>     entityID and appears in the authnRequest sent by your SP to Keycloak.
>     What is sent by your SP as its entityID *must* match the entityID (i.e.
>     clientid) registered in your Keycloak realm. To find the IdP entity
>     description, register or create your SAML SP client in your realm and
>     then click on the Installation tab, then select SAML Metadata
>     IDPSSODescriptor as the format. Your SP may need this metadata depending
>     on the client. It just so happens that the issuer field in the realm's
>     OpenID Endpoint Configuration matches the SAML IdP entityID, but it's
>     best to pull this value from the SAML IdP metadata.
> 
> 
>     -- 
>     John Dennis
> 


-- 
John Dennis
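The thread turns on two checks that are easy to do by hand once you can see the raw messages: the `<saml:Issuer>` of the AuthnRequest the SP sends must equal a clientId registered in the Keycloak realm, and the "Identity Provider Issuer" the SP is configured with must equal the `entityID` attribute of the realm's IDPSSODescriptor metadata (not of an SPSSODescriptor). The script below is an added example, not code from the thread, Keycloak or mod_auth_mellon. It does what a SAML-tracer browser extension does for the HTTP-Redirect binding (base64 + raw DEFLATE decode of the `SAMLRequest` parameter), extracts the Issuer, and replays Keycloak's first step of looking the client up by that value. The hostnames, realm name, SP entityID, request ID and both XML documents are constructed samples for the example, not real data.

```python
"""Added example: check SAML entityIDs the way a SAML-tracer extension lets you.

All hosts, realm names, IDs and XML below are constructed for this example.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample values (hypothetical realm and SP).
SSO_URL = "https://sso.example.com/auth/realms/my_realm/protocol/saml"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # what the SP calls itself

# Constructed AuthnRequest as an SP sends it; <saml:Issuer> carries the SP's
# entityID, which Keycloak matches against a clientId in the realm.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_abc123" '
    'Version="2.0" IssueInstant="2019-03-11T19:00:00Z" Destination="%s" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
) % (NS["samlp"], NS["saml"], SSO_URL, SP_ENTITY_ID)

# Constructed IdP metadata in the shape of Keycloak's "SAML Metadata
# IDPSSODescriptor" installation format; entityID here is the IdP issuer.
SAMPLE_IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" '
    'entityID="https://sso.example.com/auth/realms/my_realm">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="%s">'
    '<md:SingleSignOnService Location="%s" '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>'
    "</md:IDPSSODescriptor></md:EntityDescriptor>"
) % (NS["md"], NS["samlp"], SSO_URL)


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request_param):
    """Inverse of the above; this is what a SAML-tracer extension shows you."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def authn_request_issuer(xml_text):
    """Return the SP entityID carried in <saml:Issuer> of an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer; the IdP cannot look the client up")
    return issuer.text.strip()


def idp_entity_id(metadata_xml):
    """Return the IdP entityID from EntityDescriptor metadata.

    Rejects SP metadata: IDPSSODescriptor != SPSSODescriptor, and feeding the
    SP its own descriptor is exactly the mix-up the thread warns about.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor: %s" % root.tag)
    if root.find("md:IDPSSODescriptor", NS) is None:
        have = "SPSSODescriptor" if root.find("md:SPSSODescriptor", NS) is not None else "no role"
        raise ValueError("expected IDPSSODescriptor, found %s" % have)
    return root.attrib["entityID"]


def is_idp_metadata(metadata_xml):
    """True if the document is IdP metadata with an entityID."""
    try:
        idp_entity_id(metadata_xml)
        return True
    except (ValueError, KeyError, ET.ParseError):
        return False


def check_redirect(redirect_url, registered_client_ids):
    """Replay the IdP's first step: the incoming Issuer must be a registered clientId.

    Returns (accepted, issuer) so a mismatch shows both values side by side.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    issuer = authn_request_issuer(decode_redirect_request(qs["SAMLRequest"][0]))
    return issuer in registered_client_ids, issuer


def sp_redirect_url():
    """The browser redirect the SP emits for the constructed request."""
    params = {"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST), "RelayState": "/app"}
    return SSO_URL + "?" + urlencode(params)


if __name__ == "__main__":
    url = sp_redirect_url()
    print("SP sends Issuer      :", check_redirect(url, set())[1])
    print("clientId 'my-client' :", check_redirect(url, {"my-client"})[0])      # mismatch
    print("clientId = SP entity :", check_redirect(url, {SP_ENTITY_ID})[0])    # match
    print("IdP issuer for the SP:", idp_entity_id(SAMPLE_IDP_METADATA))
```

Run it against a real capture by pasting the `SAMLRequest` value from the tracer into `decode_redirect_request`; if the Issuer it prints is not byte-for-byte the clientId in the realm, the lookup fails before any attribute mapping is consulted. The IdP entityID the SP needs comes from `idp_entity_id` over the realm's IDPSSODescriptor metadata, never from the clientId.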

