[keycloak-user] SAML not be able to proceed SP assertion

John Dennis jdennis at redhat.com
Tue May 28 16:17:34 EDT 2019


On 5/28/19 2:01 PM, Olivier Rivat wrote:
> Hi,
> 
> I am using Keycloak 6.0.1 and trying to connect to an external IDP using
> SAML V2.
> The setup has been working last year with keycloak 3.4.3
> 
> I am able to authenticate against the IDP, and I can see the SAML packet
> returned using the SAML tracer.
> I haven't seen any discrepancy.
> 
> 
> But on keycloak, I obtain the message
> 
> We're sorry,
> Login timeout
> 
> with the following trace
> 
> 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator]
> (default task-3) Assertion id18815101930494101523411623 is not addressed
> to this SP.

Have you validated that the entityId of your configured realm in Keycloak and 
the entityId configured in the remote IdP are *identical*? That is the 
likely cause of the "not addressed to this SP" error message.

> 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
> task-3) Assertion expired.

Have you checked the timestamps in the Assertion? Have you checked both 
servers are time synced and agree on the time?

> 19:52:23,400 WARN  [org.keycloak.events] (default task-3)
> type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null,
> userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
> 
> I've just visited the code of ConditionsValidator.java, where the
> warning is issued, but cannot figure out what could be wrong.
> 
> Any idea of what could be causing such an issue ?
> 
> 
> Regards,
> 
> Olivier Rivat
> 
> 
> 


-- 
John Dennis

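The two checks John points at (audience equals the SP entityId, and the NotBefore/NotOnOrAfter window against the SP's clock) can be reproduced offline against the assertion captured in the SAML tracer. The script below is an added example for this thread, not Keycloak's ConditionsValidator; the sample assertion, the entityIds and the timestamps in it are constructed, and the tolerance parameter is a local stand-in for whatever clock-skew setting the SP applies. Note that in the trace above the audience warning and the "Assertion expired" error carry the same timestamp for the same request, so the expired message is not by itself evidence of a clock problem until the audience check passes.

```python
"""Offline check of a SAML 2.0 <Conditions> element against an SP entityId and clock.

Added example; not Keycloak code.  Paste the <saml:Assertion> from SAML tracer
into ASSERTION_XML (or pass your own string) and set SP_ENTITY_ID to the exact
entityId configured for the realm / SP.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP addressed the assertion to the first URI below.
SP_ENTITY_ID = "https://sp.example.com/realms/demo"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id18815101930494101523411623" IssueInstant="2019-05-28T17:52:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Conditions NotBefore="2019-05-28T17:51:55Z" NotOnOrAfter="2019-05-28T17:57:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/realms/demo</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed "current time" on the SP: 23 s after IssueInstant, inside the window.
SP_NOW = datetime(2019, 5, 28, 17, 52, 23, tzinfo=timezone.utc)


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat on older Pythons rejects 'Z'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:           # be strict: treat naive values as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_conditions(assertion_xml: str, sp_entity_id: str, now: datetime,
                        clock_skew_seconds: int = 0) -> list:
    """Return a list of failures (empty list == conditions satisfied).

    Mirrors the two log lines in the thread:
      * audience: sp_entity_id must appear verbatim in an <Audience>;
      * validity: NotBefore <= now < NotOnOrAfter, widened by clock_skew_seconds.
    """
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(assertion_xml)
    assertion_id = root.get("ID", "<no ID>")
    conditions = root.find("saml:Conditions", SAML_NS)
    failures = []
    if conditions is None:
        return failures                 # SAML core allows an assertion without Conditions

    audiences = [a.text.strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    # Exact string comparison: a trailing slash, http vs https, or a different
    # host is enough to make the assertion "not addressed to this SP".
    if audiences and sp_entity_id not in audiences:
        failures.append(f"Assertion {assertion_id} is not addressed to this SP: "
                        f"audiences={audiences}, expected={sp_entity_id!r}")

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_instant(not_before):
        failures.append(f"Assertion {assertion_id} not yet valid: "
                        f"NotBefore={not_before}, SP clock={now.isoformat()}")
    if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
        failures.append(f"Assertion {assertion_id} expired: "
                        f"NotOnOrAfter={not_on_or_after}, SP clock={now.isoformat()}")
    return failures


if __name__ == "__main__":
    # Same assertion, entityId configured with and without a trailing slash.
    for sp_id in (SP_ENTITY_ID, SP_ENTITY_ID + "/"):
        print(sp_id, "->", validate_conditions(SAMPLE_ASSERTION, sp_id, SP_NOW) or "OK")
    # SP clock six minutes ahead of the IdP: fails, unless skew tolerance covers it.
    late = SP_NOW + timedelta(minutes=6)
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, late) or "OK")
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, late, clock_skew_seconds=120) or "OK")
```

Run it with the real assertion and the real entityId from the Keycloak identity-provider configuration: if the audience line fires, the fix is on the entityId side (IdP metadata vs. realm), and only if it stays silent is it worth looking at the two servers' clocks and the NotOnOrAfter value.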
