[keycloak-user] SAML not be able to proceed SP assertion
John Dennis
jdennis at redhat.com
Tue May 28 16:17:34 EDT 2019
On 5/28/19 2:01 PM, Olivier Rivat wrote:
> Hi,
>
> I am using Keycloak 6.0.1 and trying to connect to an external IDP using
> SAML V2.
> The steup has been working laster year with leycloak 3.4.3
>
> I am able to authenticate against the IDP, and I can see teh SAM packet
> returned using teh SAML tracer.
> I haven't seen any dispcrency.
>
>
> But on keycloak, I obtain the message
>
> We're sorry,
> Login timeout
>
> with the following trace
>
> 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator]
> (default task-3) Assertion id18815101930494101523411623 is not addressed
> to this SP.
Have you validated the entityId of your configured realm in Keycloak and
the entityId configured in the remote IdP are *identical*? That is the
likely cause of "not addressed to this SP" error message.
> 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
> task-3) Assertion expired.
Have you checked the timestamps in the Assertion? Have you checked both
servers are time synced and agree on the time?
> 19:52:23,400 WARN [org.keycloak.events] (default task-3)
> type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null,
> userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
>
> I've just visited the code of ConditionsValidator.java, where the
> warning is issued, but cannot figure out what could be wrong.
>
> Any idea of waht could be causing such an issue ?
>
>
> Regards,
>
> Olivier Rivat
>
>
>
--
John Dennis
More information about the keycloak-user
mailing list