[keycloak-user] Keycloak IDP and python3-saml interoperation

adam scislowicz adam.scislowicz at gmail.com
Fri May 24 00:39:57 EDT 2019


Summary: I am building a SAML authentication system using Keycloak as the
IDP, and the python3-saml module to implement the SP. See the configuration
outline below.

I can successfully initiate via IDP or SP. If SP-initiated, I am redirected to
the IDP. The IDP then redirects me to the SP's ACS binding, and I
observe the following logs from the IDP and SP respectively. This
log line from python3-saml sticks out:

'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response'

IDP LOGS

[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Found AUTH_SESSION_ID cookie with value
65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found
in the requests header
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found
in the cookies field
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Found AUTH_SESSION_ID cookie with value
65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-3)
getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote
cache not available
[org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent
request to authz endpoint. We don't have root authentication session with
ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have
userSession.Re-created root authentication session with same ID. Client is:
nac-lander . New authentication session tab ID: cfS0YI4bjUk
[org.keycloak.authentication.AuthenticationProcessor] (default task-3)
AUTHENTICATE
[org.keycloak.authentication.AuthenticationProcessor] (default task-3)
AUTHENTICATE ONLY
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
processFlow
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: auth-cookie requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
authenticator: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
invoke authenticator.authenticate: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
authenticator SUCCESS: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: auth-spnego requirement: DISABLED
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
execution is processed
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: identity-provider-redirector requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
Skip alternative execution
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
check execution: null requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3)
Skip alternative execution
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. Expire
restart cookie: true
[org.keycloak.events] (default task-3) type=LOGIN, realmId=master,
clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b,
ipAddress=10.255.0.2, auth_method=saml, redirect_uri=
http://10.0.0.3:9082/?acs, consent=no_consent_required,
code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/,
max-age: -1
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Expiring remember me cookie
[org.keycloak.services.managers.AuthenticationManager] (default task-3)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/

SP LOGS
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | acs
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | http://10.0.0.3:9082/metadata/ is
not a valid audience for this Response
...
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | {'https': 'off', 'http_host': '
10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data':
MultiDict([('sso', '')]), 'post_data': MultiDict([])}
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv |
<onelogin.saml2.auth.OneLogin_Saml2_Auth object at 0x7f2cfa62cda0>

CONFIGURATION OUTLINE

IDP: Keycloak

Client: nac-lander
Master SAML Processing URL: http://10.0.0.3:9082/
IDP Initiated URL Name: 'nac-lander' :
http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander
Assertion Consumer Service URL: http://10.0.0.3:9082/?acs

SP: python3-saml
{
  "strict": true,
  "debug": true,
  "sp": {
    "entityId": "http://10.0.0.3:9082/metadata/",
    "assertionConsumerService": {
      "url": "http://10.0.0.3:9082/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:9082/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "x509cert": "",
    "privateKey": ""
  },
  "idp": {
    "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/",
    "singleSignOnService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "<onelogin_connector_cert>"
  }
}
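The "is not a valid audience" error above is the SP comparing its configured entityId against the <saml:Audience> values in the IdP's Response. The script below is an added illustration of that check, not code from the post or from python3-saml; the Response XML is constructed, and it assumes the IdP writes its Keycloak client ID (nac-lander) into the Audience rather than the SP's metadata URL.

```python
# Added example (not from the original post or python3-saml): reproduce the
# audience check that produced the error in the SP logs. The Response is a
# constructed, minimal SAML 2.0 document; its Audience value "nac-lander"
# assumes the IdP fills the Audience with the Keycloak client ID.
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response: only the parts the audience check looks at.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>nac-lander</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The sp.entityId from the settings in the post.
SP_SETTINGS_ENTITY_ID = "http://10.0.0.3:9082/metadata/"


def audiences_in_response(response_xml: str) -> List[str]:
    """Return the text of every <saml:Audience> under an AudienceRestriction."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(a.text or "").strip() for a in root.findall(path, NS)]


def check_audience(response_xml: str, sp_entity_id: str) -> Tuple[bool, str]:
    """Accept the Response only if our entityId is among its audiences."""
    audiences = audiences_in_response(response_xml)
    if sp_entity_id in audiences:
        return True, "audience ok"
    return False, (f"{sp_entity_id} is not a valid audience for this Response "
                   f"(Response lists {audiences})")


if __name__ == "__main__":
    # With the settings from the post the check fails, matching the SP log;
    # an entityId equal to the IdP's client ID passes.
    print(check_audience(SAMPLE_RESPONSE, SP_SETTINGS_ENTITY_ID))
    print(check_audience(SAMPLE_RESPONSE, "nac-lander"))
```

Running it shows the two values that have to agree: whatever the IdP puts in the Audience must equal the SP's entityId, or strict-mode validation rejects the assertion.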
