[keycloak-user] SAML Idp initiated login / sp initiated login

Manuel Waltschek manuel.waltschek at prisma-solutions.at
Thu Nov 28 10:03:19 EST 2019


Hi,

I am trying to setup Keycloak SAML with a third party IdP.
________________________________

Setup:

Keycloak-Server Version

4.8.3.Final

Wildfly Version

10.1.0.Final

Wildfly Adapter Version

keycloak-saml-wildfly-adapter-dist-4.8.3.Final



________________________________
I have followed these instructions:
IDP Initiated Login

IDP Initiated Login is a feature that allows you to set up an endpoint on the Keycloak server that will log you into a specific application/client. In the Settings tab for your client, you need to specify the IDP Initiated SSO URL Name. This is a simple string with no whitespace in it. After this you can reference your client at the following URL: root/auth/realms/{realm}/protocol/saml/clients/{url-name}

The IDP initiated login implementation prefers POST over REDIRECT binding (check saml bindings<https://www.keycloak.org/docs/latest/server_admin/index.html#_saml> for more information). Therefore the final binding and SP URL are selected in the following way:

  1.  If the specific Assertion Consumer Service POST Binding URL is defined (inside Fine Grain SAML Endpoint Configuration section of the client settings) POST binding is used through that URL.
  2.  If the general Master SAML Processing URL is specified then POST binding is used again throught this general URL.
  3.  As the last resort, if the Assertion Consumer Service Redirect Binding URL is configured (inside Fine Grain SAML Endpoint Configuration) REDIRECT binding is used with this URL.

If your client requires a special relay state, you can also configure this on the Settings tab in the IDP Initiated SSO Relay State field. Alternatively, browsers can specify the relay state in a RelayState query parameter, i.e. root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate.

When using identity brokering<https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker>, it is possible to set up an IDP Initiated Login for a client from an external IDP. The actual client is set up for IDP Initiated Login at broker IDP as described above. The external IDP has to set up the client for application IDP Initiated Login that will point to a special URL pointing to the broker and representing IDP Initiated Login endpoint for a selected client at the brokering IDP. This means that in client settings at the external IDP:

  *   IDP Initiated SSO URL Name is set to a name that will be published as IDP Initiated Login initial point,
  *   Assertion Consumer Service POST Binding URL in the Fine Grain SAML Endpoint Configuration section has to be set to the following URL: broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}, where:
     *   broker-root is base broker URL
     *   broker-realm is name of the realm at broker where external IDP is declared
     *   idp-name is name of the external IDP at broker
     *   client-id is the value of IDP Initiated SSO URL Name attribute of the SAML client defined at broker. It is this client, which will be made available for IDP Initiated Login from the external IDP.

Please note that you can import basic client settings from the brokering IDP into client settings of the external IDP - just use SP Descriptor<https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_saml_sp_descriptor> available from the settings of the identity provider in the brokering IDP, and add clients/client-id to the endpoint URL.

________________________________
Configuration Issues

There are following cases that I can't get my head around:


  *   If I leave Assertion Consumer Service POST Binding URL in the Fine Grain SAML Endpoint Configuration blank, the IdP initiated login works, but the sp-initiated login does not work (no matter if I directly browse to myapp/context url or to https://host/auth/realms/myrealm/protocol/saml/clients/myapp
  *   If I put broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id} in Assertion Consumer Service POST Binding URL, an IdP initiated login results in invalidFederatedIdentityActionMessage:



ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-300) validation failed: org.keycloak.common.VerificationException: Invalid signature on document

        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignatureSamlProtocolUtils.java:83)

        at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:557)

        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:495)

        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:244)

        at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:1 82)

This is metadata in the external IdP:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://mybroker/auth/realms/MYREALM">
    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <KeyDescriptor use="signing">
          <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#<http://www.w3.org/2000/09/xmldsig>">
            <dsig:KeyName>*****</dsig:KeyName>
            <dsig:X509Data>
              <dsig:X509Certificate>*****</dsig:X509Certificate>
            </dsig:X509Data>
          </dsig:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
          <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#<http://www.w3.org/2000/09/xmldsig>">
            <dsig:KeyName>*****</dsig:KeyName>
            <dsig:X509Data>
              <dsig:X509Certificate>*****</dsig:X509Certificate>
            </dsig:X509Data>
          </dsig:KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mybroker/auth/realms/MYREALM/broker/myidp/endpoint"/<https://mybroker/auth/realms/MYREALM/broker/myidp/endpoint>>
        <AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mybroker/auth/realms/MYREALM/broker/myidp/endpoint/clients/myapp"
                index="1" isDefault="true" />
    </SPSSODescriptor>
</EntityDescriptor>

________________________________
Questions:


  *   If you set up Idp Initiated login, should the SP initiated login work aswell?
  *   If yes, where does the AssertionConsumerServiceURL in the AuthnRequest come from? (shouldn't it reference the same url: https://mybroker/auth/realms/MYREALM/broker/myidp/endpoint/clients/myapp (because it doesn't)
  *   Does the logout URL have to reference the client SSO id aswell?
  *   Is there more Information concerning FINE GRAIN SAML ENDPOINT CONFIGURATION?





Best regards and thank you in advance,



[Logo]

Manuel Waltschek BSc.

+43 660 86655 47<tel:+436608665547>
manuel.waltschek at prisma-solutions.at<mailto:manuel.waltschek at prisma-solutions.at>
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6418 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20191128/1b86afd7/attachment.png 


More information about the keycloak-user mailing list