Google custom SAML app integration with Keycloak - single-sign-on

I'm trying to configure IdP-initiated SSO with Google acting as an IdP in order to be able to authenticate to our web app, which supports SSO authentication via Keycloak, by clicking on a custom SAML app in the Google Workspace popup (basically it's just a link to https://accounts.google.com/o/saml2/initsso?idpid=[IDP ID]&spid=[SP ID]&forceauthn=false), but the problem I have is that the request to Keycloak (ACS URL) fails with the following error:
If I set the Start URL field in the Google SSO configuration, for example to my web app's SSO login page, then it fails with another error:
Failing HTTP request:
URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Method: POST
Status Code: 400
Form Data: SAMLResponse=[LONG BASE64]&RelayState=[EMPTY OR Start URL VALUE]
This is the configuration I use for Google custom SAML app:
ACS URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Signed response: ON
Name ID format: EMAIL
Name ID: Basic Information > Primary email
Keycloak Identity Provider SAML Config:
Service Provider Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Single Sign-On Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
Single Logout Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
NameID Policy Format: Email
Principal Type: Subject NameID
HTTP-POST Binding Response: ON
HTTP-POST Binding for AuthnRequest: ON
Validate Signature: ON
Validating X509 Certificates: [...]
Keycloak Version: 17.0.0
So my question is what could be wrong with this setup, and whether I need to put some URL into the Start URL field?
Also, do I need to configure a separate Keycloak client, as I couldn't find any relation between the Google SAML / Keycloak IdP and Keycloak client configurations?
UPDATE:
Network recording in HAR format
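
An added example, not part of the original post: one way to inspect the SAMLResponse form field from the failing POST and compare it with the ACS URL and Entity ID configured above. The hostnames, realm and response below are constructed placeholders, and the function only reports what the IdP sent; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_response(b64_value, expected_acs, expected_entity_id):
    """Report what an HTTP-POST binding SAMLResponse carries and where it
    disagrees with the SP settings. It does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_value))  # URL-decode the form field first
    def attr(path, name):
        node = root.find(path, NS)
        return node.get(name) if node is not None else None
    facts = {
        "destination": root.get("Destination"),
        "idp_initiated": root.get("InResponseTo") is None,  # unsolicited response
        "status": attr("samlp:Status/samlp:StatusCode", "Value"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "recipient": attr(".//saml:SubjectConfirmationData", "Recipient"),
        "nameid_format": attr(".//saml:Subject/saml:NameID", "Format"),
        "audiences": [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text],
    }
    problems = []
    if facts["destination"] != expected_acs:
        problems.append("Destination differs from the ACS URL")
    if facts["recipient"] != expected_acs:
        problems.append("Recipient differs from the ACS URL")
    if expected_entity_id not in facts["audiences"]:
        problems.append("Audience does not include the SP entity ID")
    if not (facts["response_signed"] or facts["assertion_signed"]):
        problems.append("neither Response nor Assertion carries a signature")
    return facts, problems

# Constructed sample: placeholder hosts; the empty ds:Signature stands in for a real one.
ACS = "https://keycloak.example/realms/demo/broker/google/endpoint"
ENTITY_ID = "https://keycloak.example/realms/demo"
SAMPLE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS}">
 <ds:Signature/><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{ENTITY_ID}/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>""".encode())

print(inspect_saml_response(SAMPLE_B64, ACS, ENTITY_ID)[1])
```

The constructed sample carries an Audience with a trailing slash, so the only reported mismatch is the audience check.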

Related

org.keycloak.common.VerificationException: SigAlg was null with SkySpark

I'm trying to set up SAML integration between SkySpark as service provider and Keycloak as identity provider. I have done the following:
Copied the SkySpark SAML metadata XML and created a client in Keycloak with the XML file
Got the metadata URL from Keycloak and added it into the SkySpark SAML SSO
When I access SkySpark it redirects to the Keycloak login page and shows an error "Invalid requester". The backend has the errors below:
ERROR [org.keycloak.protocol.saml.SamlService] (default task-4) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
I tried disabling Client Signature Required. It shows me the login page, but after successful authentication SkySpark shows "SAML Authentication Failed". I see there is a SAML response in the browser network tab.
Is there any signature validation issue at both ends? Should I do any other config apart from the above?

We're sorry... invalidFederatedIdentityActionMessage from Keycloak after successful login from ADFS over SAML

I am getting success and responder status information too from ADFS. I checked both cases by turning the validate signature switch on and off, setting PROXY_ADDRESS_FORWARDING=true and also to porto HTTP and https forwarding.
None of the solutions given above worked for me.
You can try configuring Keycloak with the settings below so that it acts as a service provider to the ADFS IdP and is able to process the SAML requests correctly:
IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
SignatureAlgorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT
When you configure the above settings in Keycloak, also ensure that you update the NameID policy in Keycloak as SP, and similarly the custom settings on the IdP side, to ensure NameID is sent back in the 'persistent' format.
Had the same error message with a misconfigured identity provider on Keycloak 15.
Try this:
Go to https://[ADFS server hostname]/federationmetadata/2007-06/federationmetadata.xml to download the ADFS server metadata
Find the X509Certificate fields marked 'signing' in the metadata
Go to your Keycloak Identity Provider definition -> settings -> 'Validating X509 Certificates' and insert the values from the metadata. Alternatively, you can import the metadata file using Keycloak's import button when you create a new identity provider. Note: if the metadata contains multiple certificate values, you can comma-delimit them when you enter them in your Keycloak identity provider definition.
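
The certificate-extraction steps in the answer above, as an added example that is not part of the original answers: it collects the signing certificates published under the IdP role in federation metadata, joins them with commas for the 'Validating X509 Certificates' field, and gives a SHA-256 fingerprint of each for out-of-band comparison. The metadata below is constructed and trimmed, with short placeholder strings where real certificates would be.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_signing_certs(metadata_xml):
    """Return [(cert_b64, sha256_hex)] for the IdP signing certificates in
    SAML metadata, de-duplicated and with line breaks removed."""
    found = []
    root = ET.fromstring(metadata_xml)
    # Keys under IDPSSODescriptor are the ones the IdP signs with; other roles are skipped.
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            cert = "".join((node.text or "").split())
            if cert and all(cert != c for c, _ in found):
                digest = hashlib.sha256(base64.b64decode(cert)).hexdigest()
                found.append((cert, digest))
    return found

def keycloak_field_value(metadata_xml):
    """Comma-delimited value for 'Validating X509 Certificates'."""
    return ",".join(cert for cert, _ in idp_signing_certs(metadata_xml))

# Constructed metadata: placeholder hostname and placeholder base64 strings, not real certificates.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://adfs.example/adfs/services/trust">
 <SPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>RERERERE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor></SPSSODescriptor>
 <IDPSSODescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>Q0NDQ0ND</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>QUFB
     QUFB</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>QkJCQkJC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""

print(keycloak_field_value(SAMPLE_METADATA))
```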

How to get rid of this error fetched while authenticating with JWT token at WSO2 IS?

I am trying to enable JWT authentication for my backend Java microservice, which is deployed locally, and all the requests to the microservice are gated through WSO2 APIM 2.6. The JWT token provider is used as WSO2 IS 5.6.
I have placed all required configurations both at WSO2 IS and WSO2 APIM on my machine. Since both are on the same machine, I have configured an offset of 1 too.
I created a fresh user in the APIM store and used it to create an application and subscribe to the API for the same user. The Token type configured is JWT. I used Postman as the client for fetching the access token, and the access token gets fetched as expected. Thereafter, when I use the same token to access the required resource through the API gateway, it gives me back "Unclassified Authentication Failure" with code as "0" and description as "Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure"
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>0</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure</ams:description>
</ams:fault>
I am expecting the resource to get created, as it is a POST request via WSO2 APIM to the backend service. Please share any available insights on this.
The token type JWT can only be used with API Manager micro-gateways. Create an OAuth application and try using the JWT grant type for it. You can find more information about the JWT grant type in
https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-JWTBearerGrant

WSO2 API Manager - How to proxy a SOAP Service that has a basic Auth

Using WSO2 API Manager. I cannot publish an existing SOAP service that has basic auth (in the back end). The publisher interface lets you insert the WSDL location, but obviously it requires basic auth (in fact I have a 401 error in the log).
I tried to put the username and password in the URL like https://username:pwd#server... but it does not work.
Thank you

How to create Signature Certificate and what I need to mention in SP Issuer for Okta single logout

How to configure an Okta developer application for single logout:
Single Logout URL
SP Issuer
Signature Certificate
Anyone, please help me with how to configure it. How do I generate the Signature Certificate and SP Issuer?
Using the "SIGN ON" tab (in the Okta application) you will get these details.
Using the "View Setup Instructions" button you can fetch these details. This link provides the following attributes:
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
metadata to your SP provider:
X.509 Certificate:
If you are using Rails you can use the omniauth-saml gem.
For the issuer field you can refer to this
References:
https://github.com/onelogin/ruby-saml-example
http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html