While trying to achieve pure Keycloak IDP initiated sso to achieve this flow
"Login to keycloak realm ==> Go to applications ==> click on application name and application launches because you are already logged in to the keycloak IDP),
I faced several issues while trying to achieve the above flow, so I gave that up, and now trying to achieve Keycloak brokered sso:
(Browse to the specific Keycloak broker URL ==> Get redirected to the login page of the Keycloak IDP ==> this does a POST of Saml assertion to my application URL ==> Application launches because the user is already logged in / authenticated with IDP).
I am using one instance of Keycloak as IDentity provider (keycloak3) and another instance as Service Provider (keycloak4).
I am following the steps from this existing thread.
idp initiated sso using keycloak
########## Start Steps followed ##########
a. create a saml client at keycloak3 (http://localhost:8083) under realm3. With IdP initiated SSO Name set as some name without spaces) --> say, sso.
b. In the Fine Grain SAML Endpoint Configuration section of the above client, for Assertion Consumer Service (ASC) POST Binding URL --> http://localhost:8084/realms/realm4/broker/saml/endpoint/clients/keycloak4samlclient ( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login)
c. click on above created saml client --> installation --> Export SAML Metadata IDPSSODescriptor and save as saml-metadata.xml ( say ).
d. Add a user in keycloak3, say user3/user#456
e. At the keycloak4(http://localhost:8084), create a IDP ( identity providers tab with name saml (refer ASC url). Import the above exported saml-metadata.xml and save.
f. At the keycloak4, create a saml client and in the IDP initiated SSO url give name as keycloak4samlclient
g. In the browser hit, http://localhost:8083/realms/realm3/protocol/saml/clients/sso
Prompt for username/pwd, give credentials for user3
########## End Steps followed ##########
My application is the 'java-saml' application deployed on local tomcat at 8080.
https://github.com/SAML-Toolkits/java-saml/tree/master/samples/java-saml-tookit-jspsample
After I complete all the steps, and browse this URL
http://localhost:8083/realms/realm3/protocol/saml/clients/sso
I am getting "client not found" error. I spent the entire day troubleshooting this one, could not find any leads. Can someone please let me know if you have faced this, and whether you have any solution I can try? This is the screenshot of error.
Error Message: Client not found
Related
I am getting an error when I try to login to Keycloak by using it as a broker.1 I am using credentials from another keycloak instance to login. So far, I am redirected to the correct login page but after entering my credentials I receive an error.
I have set up Keycloack Identity Brokering on computer 1 by following the basic steps.2 I have used the generated redirection URI of the broker to register a new client on computer 2 in another Keycloak instance.3 The client configuration present on computer 2 4 is then used to fill in Authorization URL, Token URL, Client ID and Client Secret on the Identity Broker on Computer 1. 5
I may be leaving important fields missing. Pictures are attached for reference.
I have changed some settings to get the broker to work with the other Keycloak instance. I am now sending client secret as basic auth with signed verification off. I have also enabled back-channel logout. Hope this helps someone else.
I fixed this problem by regenerating the client secret on the identity provider side and using it on keycloak. The keycloak realm data import was not working very well for me apparently.
In my case I needed to empty the hosted domain field in the "Identity providers" configuration of my Google identity provider in Keycloak.
See also:
Keycloak Google identity provider error: "Identity token does not contain hosted domain parameter"
What I want to do is this:
I have keycloak integrated with my application. So when my app is launched , keycloak login page is shown to user. Now , I am trying to provide an option to login with PingFedrate. So a button to login with PingFed appears(once a new SAML provider is configured in keycloak). On PingFedrate I tried to integrate SP inititated SSO:
I added a new SP connection and there I configured it as SSP initiated SSO. (It forced me to configure SOAP Authentication , where I selected basic and configured random username password). Then I downloaded metatdata.xml from this SP and imported in keycloak which autofilled the login url as : https://myserver:9031/idp/SSO.saml2 (i.e. without client id). After this when user clickon Login with PingFed - PingFed gives following error:
Unexpected System Error Sorry for the inconvenience. Please contact
your administrator for assistance and provide the reference number
below to help locate and correct the problem.
I found the solution to this.
Firstly, we need to add SP inititated SSO in Pingfed for keycloak.
Secondly, the reason I could not make SP inititated SSO work was that keycloak's entityId should be same as Pingfed SP connection's Partner's Entity Id / Connection Id.
Keycloak, by default keeps entity id equal to url of keyloak server containing your realm. E.g
https://(keycloak-server)/auth/realms/(realm-name)
(and I could not find a way to change it through Keycloak UI)
You need to enter this URL in Pingfed.
To avoid adding this manually, you can download the keycloak config from download export tab of identity provider.
And on Pingfed , import this file.
On a side note, though I was importing it earlier, I was changing value of Partenr id to some other name as I was not aware of above restriction until I started decoding the SAML tokens in request.
I have created a SAML 2.0 App on okta and have finished all the configurations. I then attempt to do an authorization from my application, by doing a redirect to the okta idp ->
http://www.okta.com/(okta created token)?SAMLRequest=(encoded saml xml)
The redirect returns a 404. When I go to my admin okta console I don't see any logs for the failed attempt, which i guess makes sense since it is returning a 404, but i don't know how to figure out what is causing the 404.
Is there a way to figure out what is causing the issue?
Install SAML tracer browser extensions and try it again to confirm the SAML Response is being decoded correctly.
To address your question "Is there a way to figure out what is causing the issue?", I have repeated your SAML 2.0 authentication steps suggested by your post.
The following responses and answer will help you to "figure out what is causing the issue".
(1) Quote your post "I have created a SAML 2.0 App on okta and have finished all the configurations. I then attempt to do an authorization from my application, by doing a redirect to the okta idp ->
http://www.okta.com/(okta created token)?SAMLRequest=(encoded saml xml)"
Response:
(I) I have created a SAML 2.0 SP App on okta and have finished all the configurations as you did.
(II) I then attempt to do an authorization from my SAML SP application, by doing a redirect to the okta idp as you did.
(III) Submit the username/password of local Okta user account (e.g., john.doe#example.com) to proceed with SAML authentication.
(2) Quote your post "The redirect returns a 404. When I go to my admin okta console I don't see any logs for the failed attempt, which i guess makes sense since it is returning a 404, but i don't know how to figure out what is causing the 404."
Response:
(I) In my experiment, the redirect returns the following error message instead of a 404 error.
Sorry, you can't access SAML 2.0 SP demo because you are not assigned this app in Okta.
If you're wondering why this is happening, please contact your administrator.
If it's any consolation, we can take you to your Okta home page.
(II) Then "I go to my admin okta console" as suggested by your post,
navigate to Reports > System Log, I saw the log below.
Event Info Targets
User attempted unauthorized access to app SAML 2.0 SP demo (AppInstance)
FAILURE :
(3) Quote your question "Is there a way to figure out what is causing the issue?"
Answer:
I summarize the four (4) potential root causes of your SAML authentication failure. The top #1 potential root cause is that you uploaded the wrong okta IdP metadata file into your SAML 2.0 SP app server (see the detailed description below).
(I) Potential Issue #1:
The root cause of my issue is that my local okta user account was NOT assigned to access this SAML 2.0 App.
Resolution:
(a) Navigate to Applications > SAML 2.0 App, then click Assign > Assign to People,
(b) On the pop-up dialog box, select the local Okta user accounts (e.g., John Doe (john.doe#example.com)), click Assign, click Save and Go Back, then click Done.
(c) Repeated the above SAML 2.0 authentication steps again, I was redirected back and logged in to SAML 2.0 App successfully.
(II) Potential Issue #2:
Three (3) potential root causes of this issue are that
(a) you did NOT fill in all the correct SAML SP information of your SAML 2.0 SP app on okta.
(b) or you did NOT upload the okta IdP metadata file into your SAML 2.0 SP app server
(c) or you uploaded the wrong okta IdP metadata file into your SAML 2.0 SP app server (this is the highest probability for bringing your 404 failure, because unlike most of SAML IdPs which create only one IdP metadata file for all SAML SP apps, okta create different IdP metadata files for different SAML SP apps).
Resolution:
Regarding to root cause (II.a): You need to ensure that the following SAML SP information should be the exactly the same as the SAML SP metadata of your SAML 2.0 SP app when you create new SAML 2.0 app.
Single sign on URL should come from your SAML SP metadata, e.g.,
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your-saml-sp-app-URL/SAML2/POST" index="1"/>
Audience URI (SP Entity ID) should also come from your SAML SP metadata, e.g.,
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_random-string" entityID="https://your-saml-sp-app-URL/SAML2/Metadata">)
The sample SAML Settings of SAML 2.0 SP app on okta
Navigate to Applications > your SAML 2.0 App > general > SAML Settings
Single Sign On URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Recipient URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Destination URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Audience Restriction https://your-saml-sp-app-URL/SAML2/Metadata (i.e., your SAML SP entity ID)
Default Relay State
Name ID Format Unspecified
Response Signed
Assertion Signature Signed
Signature Algorithm RSA_SHA256
Digest Algorithm SHA256
Assertion Encryption Unencrypted
SAML Single Logout Disabled
authnContextClassRef PasswordProtectedTransport
Honor Force Authentication Yes
SAML Issuer ID http://www.okta.com/${org.externalKey}
Regarding to root causes (II.b) and (II.c): You need to upload the correct okta IdP metadata into your SAML 2.0 SP app server.
Note that okta creates different okta IdP metadata files for your different SAML 2.0 SP apps.
Navigate to Applications > your SAML 2.0 App > Sign On
Identity Provider metadata is available if this application supports dynamic configuration.
Click Identity Provider metadata to download the okta IdP metadata for your SAML 2.0 SP app.
Log in to your SAML 2.0 SP app, upload the okta IdP metadata into your SAML 2.0 SP app, and then complete the configuration to store the okta IdP information on your SAML 2.0 SP app server.
Scenario:
1) Browser(User) requests resource from Service Provider (SP).
2) SP Redirects (with SAML Request) to Identity Provider (IdP).
3) Since it is first login, User gives the (IdP) his/her valid credentials.
4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
After creation of user, If I try to authenticate it works as expected
but when I change user data on idp, and try after cleaning complete
browser data in any of browser (firefox, chrome) it shows only old
assertion data in SAML response on the way to idp to sp.
Even I have deleted user on idp and created again with same email id
with different user data it shows only old user data in SAML response.
There is nothing exist on browser side even cleaned cached data ,
cookies, and re-installed browser too.
I have gone through : Are SAML tokens cache/stored anywhere on the browser?
Not helped.
I there any settings on idp (OpenAM) side to resolve it? (I have unchecked Disable Federation persistence if NameID Format is unspecified:)
idp: OpenAM-12.0.0, sp: redmine SAML ominiauth
So what I miss here, I don't get it.
I got a solution by exploring the stuff at OpenAM side.
There is no issue with SAML plugin. It is OpenAM which cached SAML assertion attributes so every time it takes old assertion with SAML response.
To resolve issue need to follow below steps in OpenAM:
1) Select Federation-Select SP (from entity provider list)-Assertion content
-Check "Disable Federation persistence if NameID Format is unspecified:"
2) If above case won't work then follow this process:
-Select configuration-Servers and Sites-Default Server Settings:
-Add following properties:
-com.sun.identity.idm.cache.entry.expire.enabled=true
-com.sun.identity.idm.cache.entry.user.expire.time=10
-com.sun.identity.idm.cache.entry.default.expire.time=10
SSOCircle provides a ready to use Identity Provider according to their website. I wanted to simulate SAML SSO and integrate it in sample Liberty for Java application in bluemix.
What I did so far:
Downloaded SSOCircle Public IDP Metadata from "Manage Metadata". Uploaded it into the bluemix SSO service via the upload file button and entered https://idp.ssocircle.com/sso in the textbox under "Step 1" in the SAML Enterprise setup.
Downloaded SAML metadata under "Step 2" in the SAML Enterprise setup and imported it in SSOCircle. The FQDN that I used is: https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com.
Edit** Changed URL to https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com/idaas/mtfim/sps/idaas/saml20 as recommended by Martin
After integrating. I pointed my browser to https://cruzgsjava1.mybluemix.net then clicked "Sign in with SAML Enterprise".
I got redirected to https://idp.ssocircle.com/sso/UI/Login?module=peopleMembership&goto=https%3A%2F%2Fidp.ssocircle.com%2Fsso%2Fidpssoinit%3FmetaAlias%3D%2Fssocircle%26spEntityID%3Dhttps%3A%2F%2Fssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com%2Fidaas%2Fmtfim%2Fsps%2Fidaas%2Fsaml20. I logged in and encountered an error
Your URL is wrong. I have not seen clear documentation on ssocircle.com, but I found some samples from which I could deduce the (hopefully) right URL pattern. This is what I use for testing:
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=<your SP entity ID>;
You can find out your SP entity ID by downloading the service provider metadata in step 2 and inspect the attribute "entityID" of the root element "md:EntityDescriptor".
The SSOCircle URL is correct. The error happens at the bluemix site. According to IBM knowledge center FBTSML236E says that the trace log will indicate the operation failed.
Most probably the validation of the assertion signature is failing. SSOCircle signing certificate itself is not self-signed but is signed by its own CA.
It could be the case that bluemix is validating the whole certificate chain and for that reason needs the CA certificate. You can get it from the SSOCircle web site after logging in and then under 'My certificate status' you'll find a link to the CA certificate.
If that does not solve the problem. Check with IBM how the SAML response is validated. SSOCircle public IDP by default signs the SAML assertion. It could potentially be that bluemix has different requirements (e.g. signing the SAML response)