[keycloak-user] Keycloak Integration with Celoxis

Kevin Perez Moreno moreno at netguardians.ch
Fri Mar 29 03:44:22 EDT 2019


Hello,

I am currently trying to integrate Celoxis into our SSO provided by keycloak. Celoxis is configured to send SAML requests to our keycloak server by using the following IDP endpoint URL: https://xxx.xx/auth/realms/Demo/protocol/saml
However, I am getting an "invalid authn request reason invalid destination" WARN message in keycloak
After changing the log level to DEBUG. I found out that the Celoxis app is sending a SAML with destination URL https://xxx.xx/auth/realms/Demo/protocol/saml?
It seems that a question mark was added at the end of the destination URL. Please see DEBUG traces below. I wonder if this is the expected behavior, i.e., the question mark added at the end of the SAML Destination URL is causing keycloak to throw an invalid authn request error.
If this is the expected behavior, I wonder if there is any workaround to avoid this error (perhaps ignoring destination validation?)

17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) SAML GET
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) SAML Redirect Binding
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418" Version="2.0" IssueInstant="2019-03-28T16:06:47Z" Destination="https://xxx/auth/realms/Demo/protocol/saml?" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://app.celoxis.com/psa/person.Login.do?code=netguardians"><saml:Issuer>celoxis.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) verified request
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) ** login request
17:06:47,999 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination

Thank you in advance
Kevin

[https://cdn.netguardians.ch/images/banner_new_web.jpg]<https://www.netguardians.ch/>


More information about the keycloak-user mailing list