[keycloak-user] Keycloak IDP and python3-saml interoperation

Dmitry Telegin demetrio at carretti.pro
Fri May 24 08:41:09 EDT 2019


Hello Adam,

With "strict" set to true on the python3-saml side, it will try to validate SAMLResponse's AudienceRestriction (if present) against SP's entityId value [1]. 

In turn, Keycloak always sets AudienceRestriction to the client ID, which is "nac-lander" in your case [2] [3].

Hence, I'd suggest that you try setting SP's entityId to "nac-lander" or turn off strict audience checking.

[1] https://github.com/onelogin/python3-saml/blob/master/src/onelogin/saml2/response.py#L208
[2] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java#L394
[3] https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/SAML2LoginResponseBuilder.java#L195

Cheers,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Thu, 2019-05-23 at 21:39 -0700, adam scislowicz wrote:
> Summary: I am building a SAML authentication system using Keycloak as the
> IDP, and the python3-saml module to implement the SP. See configuration
> outline below.
> 
> I can successfully initiate via IDP or SP. If SP I will be redirected to
> the IDP. The IDP will then redirect me to the SP's ACS binding and I
> observe the following logs from the IDP and SP respectively. The following
> log from python3-saml sticks out
> 
> 'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response'
> 
> IDP LOGS
> 
> [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
> [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the requests header
> [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the cookies field
> [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-3) getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote cache not available
> [org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent request to authz endpoint. We don't have root authentication session with ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have userSession.Re-created root authentication session with same ID. Client is: nac-lander . New authentication session tab ID: cfS0YI4bjUk
> [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE
> [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE ONLY
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) processFlow
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-cookie requirement: ALTERNATIVE
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: auth-cookie
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: auth-cookie
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator SUCCESS: auth-cookie
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-spnego requirement: DISABLED
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) execution is processed
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: identity-provider-redirector requirement: ALTERNATIVE
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: null requirement: ALTERNATIVE
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution
> [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. Expire restart cookie: true
> [org.keycloak.events] (default task-3) type=LOGIN, realmId=master, clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b, ipAddress=10.255.0.2, auth_method=saml, redirect_uri=http://10.0.0.3:9082/?acs, consent=no_consent_required, code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin
> [org.keycloak.services.managers.AuthenticationManager] (default task-3) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/, max-age: -1
> [org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring remember me cookie
> [org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/
> 
> SP LOGS
> nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | acs
> nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | http://10.0.0.3:9082/metadata/ is not a valid audience for this Response
> ...
> nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | {'https': 'off', 'http_host': '10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data': MultiDict([('sso', '')]), 'post_data': MultiDict([])}
> nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | <onelogin.saml2.auth.OneLogin_Saml2_Auth object at 0x7f2cfa62cda0>
> 
> CONFIGURATION OUTLINE
> 
> IDP: Keycloak
> 
> Client: nac-lander
> Master SAML Processing URL: http://10.0.0.3:9082/
> IDP Initiated URL Name: 'nac-lander' : http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander
> Assertion Consumer Service URL: http://10.0.0.3:9082/?acs
> 
> SP: python3-saml
> {
>   "strict": true,
>   "debug": true,
>   "sp": {
>     "entityId": "http://10.0.0.3:9082/metadata/",
>     "assertionConsumerService": {
>       "url": "http://10.0.0.3:9082/?acs",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     },
>     "singleLogoutService": {
>       "url": "http://10.0.0.3:9082/?sls",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     },
>     "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
>     "x509cert": "",
>     "privateKey": ""
>   },
>   "idp": {
>     "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/",
>     "singleSignOnService": {
>       "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     },
>     "singleLogoutService": {
>       "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     },
>     "x509cert": "<onelogin_connector_cert>"
>   }
> }
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
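The audience check Dmitry describes, as an added stand-alone example (this is not code from the thread, from python3-saml or from Keycloak): a small model of what strict mode does with AudienceRestriction, run against a constructed, unsigned Keycloak-style SAMLResponse in which the audience is the client ID "nac-lander". The sample XML, its IDs and timestamps are placeholders; the IDP and SP values are the ones from the thread. It goes slightly beyond the thread in one respect: it evaluates each AudienceRestriction element independently, as SAML Core 2.5.1.4 requires, rather than only looking for the entityId anywhere in the assertion.

```python
# Added example (not code from the thread, python3-saml or Keycloak): a
# stand-alone model of the audience check python3-saml applies in strict
# mode, run against a constructed Keycloak-style SAMLResponse.
from typing import List, Tuple
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned and trimmed-down response. Keycloak places the client
# ID ("nac-lander" in the thread) in <saml:Audience>; IDs and timestamps are
# placeholders, the Destination is the thread's ACS URL.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="ID_constructed_response" Version="2.0"
                IssueInstant="2019-05-24T00:00:00Z"
                Destination="http://10.0.0.3:9082/?acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="ID_constructed_assertion" Version="2.0"
                  IssueInstant="2019-05-24T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-05-24T00:00:00Z" NotOnOrAfter="2019-05-24T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>nac-lander</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Same wording as the python3-saml message quoted in the thread.
AUDIENCE_ERROR = "{} is not a valid audience for this Response"


def audience_restrictions(response_xml: bytes) -> List[List[str]]:
    """One inner list of <saml:Audience> values per <saml:AudienceRestriction>."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction"
    return [
        [(aud.text or "").strip() for aud in restriction.findall("saml:Audience", NS)]
        for restriction in root.findall(path, NS)
    ]


def check_audience(response_xml: bytes, sp_entity_id: str, strict: bool = True) -> Tuple[bool, str]:
    """Strict mode: the SP entityId must be listed in every AudienceRestriction
    that is present (SAML Core 2.5.1.4: each restriction is evaluated on its
    own). strict=False skips the check entirely."""
    if not strict:
        return True, "audience check skipped (strict=False)"
    restrictions = audience_restrictions(response_xml)
    if not restrictions:
        return True, "assertion carries no AudienceRestriction"
    for audiences in restrictions:
        if sp_entity_id not in audiences:
            return False, AUDIENCE_ERROR.format(sp_entity_id)
    return True, "{} accepted by all {} restriction(s)".format(sp_entity_id, len(restrictions))


if __name__ == "__main__":
    # The SP entityId reported in the thread, then the value Dmitry suggests.
    for entity_id in ("http://10.0.0.3:9082/metadata/", "nac-lander"):
        ok, msg = check_audience(SAMPLE_RESPONSE, entity_id)
        print("OK  " if ok else "FAIL", msg)
```

Run as a script it reproduces the thread's failure for "http://10.0.0.3:9082/metadata/" and passes once the SP entityId equals the Keycloak client ID. Of the two remedies Dmitry lists, aligning the entityId is the one to prefer: the audience check is what stops an assertion minted for one service provider from being accepted by another, and python3-saml's strict flag also gates its other message validations, so switching it off loses more than the audience check.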



More information about the keycloak-user mailing list