[keycloak-user] SAML not be able to proceed SP assertion

Olivier Rivat orivat at janua.fr
Tue May 28 17:15:38 EDT 2019


Hi,

This was a mismatch in the entityID.

Thanks a lot.

regards,

Olivier



On 28/05/2019 at 22:17, John Dennis wrote:
> On 5/28/19 2:01 PM, Olivier Rivat wrote:
>> Hi,
>>
>> I am using Keycloak 6.0.1 and trying to connect to an external IDP using
>> SAML V2.
>> The setup was working last year with Keycloak 3.4.3.
>>
>> I am able to authenticate against the IDP, and I can see the SAML packet
>> returned using the SAML tracer.
>> I haven't seen any discrepancy.
>>
>>
>> But on keycloak, I obtain the message
>>
>> We're sorry,
>> Login timeout
>>
>> with the following trace
>>
>> 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator]
>> (default task-3) Assertion id18815101930494101523411623 is not addressed
>> to this SP.
>
> Have you validated the entityId of your configured realm in Keycloak 
> and the entityId configured in the remote IdP are *identical*? That is 
> the likely cause of "not addressed to this SP" error message.
>
>> 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
>> task-3) Assertion expired.
>
> Have you checked the timestamps in the Assertion? Have you checked 
> both servers are time synced and agree on the time?
>
>> 19:52:23,400 WARN  [org.keycloak.events] (default task-3)
>> type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null,
>> userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
>>
>> I've just visited the code of ConditionsValidator.java, where the
>> warning is issued, but cannot figure out what could be wrong.
>>
>> Any idea of what could be causing such an issue?
>>
>>
>> Regards,
>>
>> Olivier Rivat
>>
>>
>>
>
>
-- 


Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tel: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
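
Added example (not part of the original thread, and not Keycloak's code): a small diagnostic that applies the two checks suggested in the reply, audience versus SP entityID and the validity window, to an assertion copied from a SAML trace. The sample assertion, the entity IDs and the names `check_conditions` and `skew_seconds` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the thread); the entity IDs are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="constructed-1">
  <saml:Conditions NotBefore="2019-05-28T17:50:00Z" NotOnOrAfter="2019-05-28T17:55:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/auth/realms/demo/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _instant(value):
    # SAML instants are UTC xs:dateTime strings ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(xml_text, sp_entity_id, now, skew_seconds=0):
    """Return a list of reasons the assertion's Conditions would be rejected.

    Diagnostic only: reads a trace you captured yourself and does not
    verify the XML signature.
    """
    conditions = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if conditions is None:
        return ["no Conditions element"]
    problems = []
    skew = timedelta(seconds=skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _instant(not_before):
        problems.append("not yet valid")
    if not_on_or_after and now - skew >= _instant(not_on_or_after):
        problems.append("expired")
    # Entity IDs are compared as exact strings, so a trailing slash or a
    # different scheme is already a mismatch.
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        audiences = [(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience mismatch: got {audiences}")
    return problems


if __name__ == "__main__":
    now = datetime(2019, 5, 28, 17, 52, 23, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, "https://sp.example.org/auth/realms/demo", now))
```

Pass the clock of the machine that consumes the assertion as `now`; an "expired" result that disappears with a small `skew_seconds` points at time synchronisation rather than at the assertion itself.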