[keycloak-user] Keycloak 7.0 SAML IDP initiated flow
Hynek Mlnarik
hmlnarik at redhat.com
Wed Oct 9 05:22:30 EDT 2019
The IdP-initiated flow mandates specifying the client application. From the
responses, it looks like it is being sent to
"http://localhost:8180/auth/realms/dev/broker/appsaml54/endpoint", which
lacks the clients/{saml-client-id} part used for client specification. Please
check [1] for further info on how to set it up.
[1] https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login
On Wed, Oct 9, 2019 at 1:48 AM abhijeet chauhan <abhichow07 at gmail.com> wrote:
> Hi,
>
> We have a couple of applications integrated with Keycloak as OIDC clients.
> Now we are using SAML brokers (Identity Providers under KC). SP-initiated
> flow is working well, such that the app (OIDC client) -> KC -> SAML IdP flow is
> working well.
> However, when doing the IdP-initiated flow it's not working as expected. I am
> testing with samltest.id and getting the below error -
> 2019-10-08 19:12:50,515 TRACE [org.keycloak.saml.common] (default task-1)
> [Ref id=null:uri=#_ce8762784368ec6b6d323aedffa16001]validity status:true
> 2019-10-08 19:12:50,519 DEBUG [org.keycloak.saml.common] (default task-1)
> Verification failed for key null:
> javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a
> validation key
> 2019-10-08 19:12:50,519 TRACE [org.keycloak.saml.common] (default task-1)
> the keyselector did not find a validation key:
> javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a
> validation key
> at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:558)
> at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:264)
> at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:519)
> at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:483)
> at org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.isSignatureValid(AssertionUtil.java:292)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:390)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:512)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:249)
> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:164)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
> at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
> at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
> at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> at java.lang.Thread.run(Thread.java:748)
>
> Now, to test if the end-to-end flow works, I disabled the SAML assertion
> validation on KC and then I got the below error -
>
> 2019-10-08 19:19:46,222 TRACE [org.keycloak.saml.common] (default task-2)
> Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ec::Value=http://www.w3.org/2001/10/xml-exc-c14n#
> 2019-10-08 19:19:46,223 TRACE [org.keycloak.saml.common] (default task-2)
> Creating an Attribute Namespace=:Algorithm
> 2019-10-08 19:19:46,238 DEBUG [org.keycloak.saml.common] (default task-2)
> org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant:
> 2019-10-08T23:19:46.238Z
> 2019-10-08 19:19:46,238 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-2)
> Evaluating Conditions of Assertion _aa9bf8d729ea9129247b16a5e8a00a43.
> notBefore=2019-10-08T23:16:40.378Z, notOnOrAfter=2019-10-08T23:21:40.378Z,
> updatedNotBefore: 2019-10-08T23:16:40.378Z,
> updatedOnOrAfter=2019-10-08T23:21:40.378Z, now: 2019-10-08T23:19:46.238Z
> 2019-10-08 19:19:46,239 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-2)
> Assertion _aa9bf8d729ea9129247b16a5e8a00a43 validity is VALID
> 2019-10-08 19:19:46,240 WARN [org.keycloak.events] (default task-2)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=dev, clientId=null,
> userId=null, ipAddress=127.0.0.1, error=invalidRequestMessage
> 2019-10-08 19:19:46,240 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-2)
> invalidRequestMessage
>
> Attaching the log file: the first part shows when SAML signature validation is
> enabled on KC, and the second part is when SAML signature validation is disabled
> in KC.
>
> Any pointers will help.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
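A small check of the endpoint shape the reply above describes, added here as an example; it is not code from the thread or from Keycloak itself. It parses a broker endpoint URL the way Keycloak lays it out (`.../realms/{realm}/broker/{alias}/endpoint`, optionally followed by `/clients/{client-id}`), reports whether the URL is the SP-initiated or the IdP-initiated form, and builds the IdP-initiated form from its parts so it can be pasted into the external IdP's configuration. The sample URL is the one quoted in the reply; the client id `my-saml-client` is a constructed placeholder, and the function names are the example's own.

```python
from urllib.parse import urlparse

# Constructed sample: the endpoint the IdP was posting to according to the thread.
OBSERVED_ENDPOINT = "http://localhost:8180/auth/realms/dev/broker/appsaml54/endpoint"


def build_idp_initiated_endpoint(base_url, realm, idp_alias, client_id):
    """Return the broker endpoint an external SAML IdP must post to for
    IdP-initiated login into a specific Keycloak SAML client.

    base_url is the Keycloak root including the context path (e.g. ".../auth"),
    idp_alias is the broker's alias, client_id is the SAML client the login targets.
    """
    base = base_url.rstrip("/")
    return f"{base}/realms/{realm}/broker/{idp_alias}/endpoint/clients/{client_id}"


def parse_broker_endpoint(url):
    """Split a Keycloak broker endpoint URL into its parts.

    Returns a dict with realm, idp_alias, client_id (None when the URL has no
    /clients/{client-id} suffix) and mode ("sp-initiated" or "idp-initiated"),
    or None when the path is not a broker endpoint at all.
    """
    segments = [s for s in urlparse(url).path.split("/") if s]
    try:
        r = segments.index("realms")
        b = segments.index("broker", r)
    except ValueError:
        return None
    # Expected layout: .../realms/{realm}/broker/{alias}/endpoint[/clients/{client-id}]
    if b != r + 2 or len(segments) < b + 3 or segments[b + 2] != "endpoint":
        return None
    info = {
        "realm": segments[r + 1],
        "idp_alias": segments[b + 1],
        "client_id": None,
        "mode": "sp-initiated",
    }
    tail = segments[b + 3:]
    if not tail:
        return info
    if len(tail) == 2 and tail[0] == "clients":
        info["client_id"] = tail[1]
        info["mode"] = "idp-initiated"
        return info
    return None  # anything else is not a broker endpoint this check understands


def check_idp_initiated(url):
    """Explain, for an endpoint configured at the external IdP, whether it can
    serve IdP-initiated login. Returns a short diagnosis string."""
    info = parse_broker_endpoint(url)
    if info is None:
        return "not a Keycloak broker endpoint URL"
    if info["mode"] == "idp-initiated":
        return (f"ok: IdP-initiated login via broker '{info['idp_alias']}' "
                f"into client '{info['client_id']}'")
    return ("missing /clients/{client-id}: this is the SP-initiated endpoint, "
            "so an unsolicited response cannot be mapped to a client "
            "(the error the thread's log shows is invalidRequestMessage)")


if __name__ == "__main__":
    print(check_idp_initiated(OBSERVED_ENDPOINT))
    fixed = build_idp_initiated_endpoint("http://localhost:8180/auth", "dev",
                                         "appsaml54", "my-saml-client")
    print(fixed)
    print(check_idp_initiated(fixed))
```

Run it as a script to see the diagnosis for the endpoint from the thread followed by the corrected form; when auditing an existing integration, feed `check_idp_initiated` the ACS URL configured on the external IdP side.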