I am using Keycloak 5.0.0 as an identity broker. I have connected it to G Suite as a SAML app. I have connected other SAML apps to G Suite so I know the drill, and I imported the G Suite Metadata XML into SAML, so I am confident that the X.509 keys are correct, but for some reason, if I select "Validate Signature" in Keycloak, the validation fails. The log says
ERROR [org.keycloak.broker.saml.SAMLEndpoint] validation failed
WARN [org.keycloak.events] type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.10.2.1, error=invalid_signature
If I turn off "Signed Response" in G Suite or turn off "Want Assertions Signed" or "Validate Signature" in Keycloak then everything works, but I expect that is because Keycloak does not try to validate a signature in these situations (which of course is another bug when "Want Assertions Signed" and "Validate Signature" are on but "Signed Response" is off).
How do I fix this?
Turns out I was wrong about the meaning of "Signed Response". According to documentation from G Suite about setting up specific supported SAML apps, but not found in the "Set up your own custom SAML application" documentation, "Signed Response" does not mean what I thought it meant.
When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
I verified (by changing the X.509 key and observing the results) that with "Signed Response" unchecked and "Want Assertions Signed" and "Validate Signature" turned on, Keycloak is validating that the assertions are signed. So that is the correct, valid, and secure configuration.
Related
This question is in the area of SAML based IDP initiated SSO. As a POC, I have two keycloak instances, say keycloak1 and keycloak2. I would want to achieve the below :
Authentication would be done at keycloak1
keycloak1 then directs to keycloak2 to access an keycloak2 client application.
To do so,
a) create a saml client at keycloak1 under realm1. With IdP initiated SSO Name set as some name without spaces) --> say, keycloakclientsaml. In the Fine Grain SAML Endpoint Configuration section, for Assertion Consumer Service POST Binding URL --> http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml
( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login)
b) click on above created saml client --> installation --> Export SAML Metadata IDPSSODescriptor and save as saml-metadata.xml ( say ).
c) Add a user in keycloak1, say user1/user#123
d) At the keycloak2, create a IDP ( identity providers tab). Import the above exported saml-metadata.xml and save.
e) In the browser hit, http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/keycloakclientsaml
Prompt for username/pwd, give credentials for user1
f) URL in the browser now changes to
http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml
At keycloak2 instance, I get the error as :
09:20:46,775 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-6) Assertion ID_789213dd-24f9-425f-ae20-bcadef173bc6 is not addressed to this SP.
09:20:46,775 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-6) Assertion expired.
09:20:46,775 WARN [org.keycloak.events] (default task-6) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=realm2, clientId=null, userId=null, ipAddress=keycloak2, error=invalid_saml_response
Could someone help here.
Are the above given steps correct and complete.
What am I missing
If any other information is required, let me know. would be happy to provide.
Finally got it working.
So here is the answer to the above :
The error pasted above was related to Assertion expired. In my case, it was because of the clientid given in saml client of Keycloak1 was not recognized url of keycloak2. it should be pointing to the keycloak2 realm ( for example, http://<keycloak2:port>/realms/realm2
Then the condition section in the SAML response is VALIDATED at the keycloak2 broker idp.
(code : SAMLEndpoint.java --> handleLoginResponse method)
Leaving this thread here and for clarity the steps are given below in detail:
a) create a saml client at keycloak1 under realm1. With IdP initiated SSO Name set as some name without spaces) --> say, sso.
b) In the Fine Grain SAML Endpoint Configuration section of the above client, for Assertion Consumer Service (ASC) POST Binding URL --> http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloak2samlclient
( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login)
b) click on above created saml client --> installation --> Export SAML Metadata IDPSSODescriptor and save as saml-metadata.xml ( say ).
c) Add a user in keycloak1, say user1/user#123
d) At the keycloak2, create a IDP ( identity providers tab with name saml (refer ASC url). Import the above exported saml-metadata.xml and save.
e) At the keycloak2, create a saml client and in the IP initiated SSO url give name as keycloak2clientsaml
f) In the browser hit, http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/sso
Prompt for username/pwd, give credentials for user1
I am using Shibboleth SP for SAML authorization.
Recently IdP has changed the configuration and it now requires to sign the AuthRequest.
IdP's metadata has following parameter
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
WantAuthnRequestsSigned="true"><md:KeyDescriptor use="signing">
SP's shibboleth2.xml file had following tag
<ApplicationDefaults entityID="...."
REMOTE_USER="eppn persistent-id targeted-id email Email FirstName LastName NameID">
After IdP enforced AuthRequest signing, we changed our shibboleth2.xml file as following
<ApplicationDefaults entityID="..."
REMOTE_USER="eppn persistent-id targeted-id email
Email FirstName LastName NameID"
signing="true" encryption="true">
Basically, I added signing="true" and encryption="true".
After that the new Metadata generated has following attribute in tag
<md:SPSSODescriptor AuthnRequestsSigned="1"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
Earlier AuthnRequestsSigned="1" attribute was not present.
After this when I try to authenticate, it gives us following error,
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<samlp:StatusMessage>Unable to verify the signature</samlp:StatusMessage>
</samlp:Status>
Question 1: Do I need to give IdP this new metadata?
Question 2: Any idea why this is happening?
Question 3: Do I need to change anything else in the configuration?
P.S. Before enforcing AuthRequest signing, it was working, so I don't think there is any other issue in configuration.
Here is the sample AuthRequest which goes
<samlp:AuthnRequest
AssertionConsumerServiceURL="https://...SP-host.../Shibboleth.sso/SAML2/POST"
Destination="https://...idp-host.../marrsso/idp/SSO.saml2"
ID="...some-id..." IssueInstant="2019-01-11T14:13:25Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://...entity-id.../shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
I believe signing info should go here as part of request. As http request, it goes as GET request, is that correct?
When I see the request in network, I can see the Signature going as query param
The status code of the request is '200'
It is not unusual to send the signature as part of the query string. Its like a pre-signed URL.
Just enabling "signing=true" on SP should not change the key that
was originally generated. So re-sending the metadata is not a
requirement. Check with IdP if the SP's metadata was originally
imported in full or did they just add relying-party and other basic end
points to integrate, that might work just fine if request signing is
not required.
If IdP is not able to verify the signature then they must be missing
the certificate from SP. To be sure compare the two metadata files
before and after enabling signing and encryption, they should
match(specially around certificates) but for the additional attribute
that you had already identified. Resend the metadata otherwise.
No other configuration changes are required in this case.
I'm using the sustainsys saml2 owin package, and I'm having problems with SP-initiated SLO. I'm new to the saml process, so there's a good chance I'm doing something wrong.
Our signout workflow is as follows:
User hits myapp.com/signout
myapp redirects to myapp.com/saml2/logout
The owin package generates a saml request and sends it to the Idp's slo route
The Idp responds with a successful saml response to the same url: myapp.com/saml2/logout
At this point, the owin package is generating another saml request to sign the user out of the idp. It would get stuck in an infinite redirect, if the Idp didn't halt the process.
Here's a snapshot of my network panel in chrome:
I'm using https://github.com/mcguinness/saml-idp as a development Idp, and here's a stub of my owin configuration:
I suspect I've misconfigured something or I'm using the saml2/logout route inappropriately, but I also find it odd that the owin package would generate another request when it gets a successful response.
Update 11.9.2018
Here's my verbose log starting from the logout process:
Expanded Saml2Url
AssertionConsumerServiceUrl: http://locala.foliotek.com/saml2/linuxdev/Acs
SignInUrl: http://locala.foliotek.com/saml2/linuxdev/SignIn
LogoutUrl: http://locala.foliotek.com/saml2/linuxdev/Logout
ApplicationUrl: http://locala.foliotek.com/
=================
Initiating logout, checking requirements for federated logout
Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
Issuer is a known Idp: True
Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
Idp has SingleLogoutServiceUrl: http://myidentityprovider.com/saml/slo
There is a signingCertificate in SPOptions: True
Idp configured to DisableOutboundLogoutRequests (should be false): False
=================
Expanded Saml2Url
AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/linuxdev/Acs
SignInUrl: http://myserviceprovider.com/saml2/linuxdev/SignIn
LogoutUrl: http://myserviceprovider.com/saml2/linuxdev/Logout
ApplicationUrl: http://myserviceprovider.com/
=================
Initiating logout, checking requirements for federated logout
Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
Issuer is a known Idp: True
Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
Idp has SingleLogoutServiceUrl: http://myidentityprovider.com/saml/slo
There is a signingCertificate in SPOptions: True
Idp configured to DisableOutboundLogoutRequests (should be false): False
=================
Expanded Saml2Url
AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/samltestid/Acs
SignInUrl: http://myserviceprovider.com/saml2/samltestid/SignIn
LogoutUrl: http://myserviceprovider.com/saml2/samltestid/Logout
ApplicationUrl: http://myserviceprovider.com/
=================
Initiating logout, checking requirements for federated logout
Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
Issuer is a known Idp: False
Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
Idp has SingleLogoutServiceUrl:
There is a signingCertificate in SPOptions: True
Idp configured to DisableOutboundLogoutRequests (should be false):
=================
Expanded Saml2Url
AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/linuxdev/Acs
SignInUrl: http://myserviceprovider.com/saml2/linuxdev/SignIn
LogoutUrl: http://myserviceprovider.com/saml2/linuxdev/Logout
ApplicationUrl: http://myserviceprovider.com/
=================
Http POST binding extracted message
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_d02d42fbb8ed00bbee02" InResponseTo="idf75b17a7713e4f698f891edf1fcca117" Version="2.0" IssueInstant="2018-11-09T16:44:01Z" Destination="http://myserviceprovider.com/saml2/linuxdev/logout"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://myidentityprovider.com</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_d02d42fbb8ed00bbee02"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>X+93fiv6vuuy8sIhmFFxIVxNgAy/f1Zk62RRh/rn91I=</DigestValue></Reference></SignedInfo><SignatureValue>qXMlLe2fciQR6u7Ddx40RFI51IJ5r8A3m7X7mrgIMHBdFf2vypiCFxqOrEOKCSIqWzDUxVXujWyMQzO/zZtVyZlm6xXnb3lId0VDHLEIUT/8kyNsodzvzPIyTMaMMV/cmhQ3UZlYRv9BeyPswpkosFTn/xc6c+BX9z+w4AN4KDMFfYlTeu/uyDBa1u5zr/Ze6OXwP7///Mo/zdy2ZXyHJhia+yscWZ+Hrb49ekI9csJvuic0p6ttJPjS72tmEesGR1vLT0Y/5T+SqOVmmbmN8hZygRxrEwgfo9oNI+8BBC7aYK2PCtTZZFwoO3KsEEttQjxzKTbzja9s8XslGxfKkw==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDgzCCAmugAwIBAgIJALOc35pt94LuMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaXNzb3VyaTERMA8GA1UEBwwIQ29sdW1iaWExFTATBgNVBAoMDEZvbGlvdGVrIEluYzEMMAoGA1UEAwwDSWRwMB4XDTE4MTEwOTE1MDI0MVoXDTM4MTEwNDE1MDI0MVowWDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE1pc3NvdXJpMREwDwYDVQQHDAhDb2x1bWJpYTEVMBMGA1UECgwMRm9saW90ZWsgSW5jMQwwCgYDVQQDDANJZHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhX8PX+C/1orPpFnOIRy7UkrLU7YCq6DNzB5QSUzT366++ZCWFzx+Ub+HFxbR/htY/EAramlCNFawOSGS6mnWev/tiokGObXdMK6tAXyZZMc/u9Rg65EjM892Oep6gIEWgjnE+l7M8v84QOWqAl+GaeM8YZJKHXAZ+7MVMgkMWeYKrksvQdKrQjhyzqoLmBNL5yGBgEH1KEtFy0A0qYdiwdWptvaeWkTk6tp3kfminRaQ1bj/BmMwAWeDbE7EFkk7wF1ig4QhTINoVFQhPGa/+sPg+NuDNlGszDBV3fmfpHwPpjRr4zzoNyJnMvf3u1+C63c7DPSC+uKGvYlgeWbc/AgMBAAGjUDBOMB0GA1UdDgQWBBQvczxcOnaazyGJ8H3vi1vY6g24xDAfBgNVHSMEGDAWgBQvczxcOnaazyGJ8H3vi1vY6g24xDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAoMsoDnrEPCS+VIqVlnlbxxd4lx5AYMvUTZPugJ88+Jjp/1kkKbxWzbJBR1yl0v9quLoQ/u5XkYoSI3u/azydywpADlgsKHrL7Ger+ZU2pdSCK9LTbOP3gnginmPldB7LW6jxWxuEYadWLpYocEFU6Ua7XJUDOzMpO3SXxmhiyhvQC2PF0Q1uehNkwIpUP+9I9ulAXxjScyputgYjkWjiLYu+gcWYW6DmeWqJKyYR6XSwaa+QV4/UPupBmSc1Bx7BuF29+1RwJyTEI6Uz5wQe+lbzZ5ay3J3oa3lilwYg/HYq4mQzVucHEhQLsU9ZIfuGStMHX23sdzWuEBbcQgCCd</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>
=================
Here's my info log from the logout process
Sending logout request to http://myidentityprovider.com
=================
Sending logout request to http://myidentityprovider.com
=================
Federated logout not possible, redirecting to post-logout and clearing local session
=================
Received logout response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id, redirecting to http://myidentityprovider.com/saml/slo?SAMLRequest=fZJdS8MwFIbvB%2FsPJbeyNv3Y1oatOBhCYXrhxAvvYpKu0XzUnlT2803rJpugkJvz8bznPYesgGqVtGRnD7Z3j%2BKjF%2BCCo1YGyHdpjfrOEEtBAjFUCyCOkf3mfkeSEJO2s84yq9Al8z9CAUTnpDUoqLZrJHmRFuw1LnKcUpYt2JImC1rXOc94yuZpnaHgWXTggTXyvKcAelEZcNQ4n8JxPovjGS6e4gXJUjLPX1Cw9WtIQ91INc61JIpqq6R%2Fpj9y8RmOkRPvIbOaLPESR4P3CJRF5XQSBKtxFTIO68qThLKMKnrFjlgSnXVX0RV3ofTgL1Ftgzvbaer%2BPlEcxmNG8lk9thKhqVQbzjsBgErXCN4Py4GWrrlxjdUU3m4PQ9Pg52zge9yFgZbsvYA%2FSGW4OJZxkSwwxkmenIhf9enkJ3%2F1Ocov&RelayState=MnZ2DPYtc9cY8CkEaR5CRJDz&SigAlg=http:%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=LS0QmYpXX2utWqmEKQJmMeQukm%2FFFVUZCP8I0C7sIt1LklVK0NzuqrJgG9VGwO6uPBZObpZ%2FU9%2BZVddCoIGmg3FCKrhhW7hspsQNN%2FGqpf0QY3kxW%2Bt956TqgynW0yM4I9%2Fc7X%2F9Sy4keFu1uxihjemm%2BCNlZdRS71ch4SyG4YStmKZrWJns1T6H4m8d2eBK7O2KVn9iqwIh6OaV5S6obhpMH9gzx5Y01uc5fTm2gfdoExuVNsKbZB8ycois1MEEz7Uox5zRm09gEfCNMHKf2Dp%2Fwd7GmQoK84VvPoNrxl5047WxfKxkhQPTRFbM5h50peFjOlnFN0yKw9C3DARSBw%3D%3D
=================
After digging into the code a little, I've found if I do the following:
GetLogoutResponseState = (req) => { return null; }
...in my Saml2AuthenticationOptions.Notifications, it works as expected.
From here, I still suspect I'm configuring something wrong, or the IDP is sending the wrong data, but I don't know where StoredRequestState is being initialized. It appears that it contains the wrong returnUrl.
Looking at the logs, I think that this is the sequence of events.
SignOut on your application is hit and redirects to the logout endpoint in the Saml2 library.
The logout endpoint is hit and initiates a logout request to the Idp.
The Idp renders a page (that probably contains some kind of SAML response - but might be incorrect).
The logout endpoint is hit again and this is wrong
Either this is a duplicate request.
Or it is a response that doesn't get properly detected by the Sustainsys.Saml2 library
What makes me really confused is that in the second run all the requirements for a federated logout are fulfilled. Specifically it does find the LogoutNameIdentifier. That shouldn't be possible, as the local session cookie is normally cleared when the redirect to the Idp is done.
To understand further what is happening I recommend that you download the Sustainsy.Saml2 source, link directly to the project and set a breakpoint at LogoutCommand.Run. That should help you understand better and be able to further examine the requests.
I tracked my problem down to the LogoutCommand.Run being called twice during the initial GET request to /saml2/logout. Once from the Saml2AuthenticationHandler .ApplyResponseGrantAsync method, and once from the Saml2AuthenticationHandler.InvokeAsync.
The solution was to set Compatibility = new Compatibility { StrictOwinAuthenticationMode = true } in my SPOptions. Which prevents the LogoutCommand from executing within the ApplyResponseGrantAsync method.
I'm a little unclear on the Passive vs Active authentication modes, but my guess is that I'm indicating to the Sustainsys package that I'm controlling the authentication (including signing out) manually. Maybe Anders can clear that up?
In our SSO scenario, we are using ADFS 2.0 as IDP and Shibboleth as SP. It is an SP-initiated sign-on. After configuring, when I try to establish communication between Shibboleth and ADFS 2.0(throw browser redirect), ADFS 2.0 is throwing the below error.
The verification of the SAML message signature failed.
Message issuer: http://sampleserver/adfs/services/trust
Exception details:
MSIS1015: Server required signed SAML AuthenticationRequest but no signature present.
Event id - 320
Related Event id - 364
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolSignatureVerificationException:
> MSIS1015: Server required signed SAML AuthenticationRequest but no
> signature present. at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateSignatureRequirements(SamlMessage
> samlMessage) at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest
> issueRequest) at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message
> requestMessage)
We haven't used any signature yet. I also have made SignedSamlRequest to false in ADFS properties. Signing of SAML at Shibboleth was also disabled.
I could not find any information in Microsoft site - apart from generic guide for this sort of errors.
Please advice on this error.
I was able to find the solution after a lot analysis. This is a Shibboleth configuration issue. In the application defaults section, the entity ID should be unique to the application.
ApplicationDefaults signing="false" entityID="http://URL of the protected Application "
REMOTE_USER="eppn persistent-id targeted-id"
Another variation of this error happens when sigining is set to true. It will result in Signature mismatch error in ADFS.
After I invoke single-log-out (SLO), by calling 'GET' on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]
But when one my SPs invokes “https://<PingFederate DNS>:XXXX” + request.getParameter(“resume”); (per #Scott T.'s answer here), I get an error message:
Error - Single Logout Nonsuccess Response status:
urn:oasis:names:tc:SAML:2.0:status:Requester Status Message: Invalid
signature Your Single Logout request did not complete successfully. To
logout out of your Identity Provider and each Service Provider, close
all your browser windows. Partner: XXXX:IDP Target Resource:
http://<domain>/<default SLO endpoint>
My Questions:
What is this error message referring to?
How can I resolve this error condition?
This error is likely due to a mismatch in configuration between IdP and SP. The signing keys/certificate for SAML messages used at one end, must match the verification certificate at the other end. Check your Credentials configuration on your connection for both IdP and SP. See this section in the PingFederate Administration Guide for some details.