Application (SP) initiated login via Keycloak with external SAML IDP (Oracle OIM)


Kamal Aggarwal

Aug 30, 2022, 1:12:32 PM
to Keycloak User
Hello All,

Guys, I need help in configuring an SP-initiated login flow with Keycloak.
The flow would be like below:
SP added as OIDC client on Keycloak --> Keycloak redirects to external IDP --> SAML IDP OIM

I have simply added Oracle OIM as an identity provider on Keycloak and provided the SP metadata from the Identity Provider page, which is imported on Oracle OIM.

Now when I try to log in from my application, it opens the Keycloak login page where I see the Oracle OIM tab. I click on the Oracle OIM tab, which redirects to the Oracle OIM login page. The user enters the credentials and clicks OK. It redirects to Keycloak, but I get an 'Invalid request' message :(

Does anyone have any idea on what could be going wrong here?

Thanks.

Camilo King

Aug 30, 2022, 1:59:26 PM
to Keycloak User
Have you checked the Keycloak logs?

Camilo King

Aug 30, 2022, 2:12:19 PM
to Keycloak User
Ah - so is it Keycloak displaying that error message, or your external SAML IDP? If Keycloak, I'd expect there to be some ERROR or possibly WARN logs. My guess would be possibly a missing claim?

Kamal Aggarwal

Aug 31, 2022, 2:19:14 AM
to Camilo King, Keycloak User
Keycloak is displaying the error message.
Is there a way to check if something is missing in the request? Do I need some tracer to trace the request?

Error_InvalidRequest.jpg

SadaShiv Dash

Aug 31, 2022, 5:27:07 AM
to Kamal Aggarwal, Camilo King, Keycloak User
Hello Kamal,
Attach the server logs from Keycloak.

Best Regards
Sada Shiv Dash



Kamal Aggarwal

Sep 1, 2022, 2:35:09 AM
to SadaShiv Dash, Camilo King, Keycloak User
I can see the WARN message below on Keycloak.

2022-09-01 06:01:27,676 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-13987) invalidRequestMessage

2022-09-01 06:01:27,677 WARN  [org.keycloak.events] (default task-13987) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=devtest-ns, clientId=null, userId=null, ipAddress=10.79.114.164, error=invalidRequestMessage

Attaching configuration screenshot.

I'm not able to attach the full logs as the file size is bigger than 8 MB.



On Thu, Sep 1, 2022 at 11:50 AM Kamal Aggarwal <kamal...@gmail.com> wrote:
Hi SadaShiv,

Here are the attached logs.
I can see the WARN message below on Keycloak.

2022-09-01 06:01:27,676 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-13987) invalidRequestMessage

2022-09-01 06:01:27,677 WARN  [org.keycloak.events] (default task-13987) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=devtest-ns, clientId=null, userId=null, ipAddress=10.79.114.164, error=invalidRequestMessage


Thanks.

IDP_Metadata.xml
OIDC_Client_on_Keycloak.png
SP - Metadata.xml
IDP_Config_2.png
IDP_Config_1.png
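The thread never gets past the generic 'Invalid request' page, and the broker logs only say `invalidRequestMessage`. The script below is an added example, not code from the thread or from Keycloak: it parses a decoded SAML Response and reports the structural mismatches that commonly make a broker reject an otherwise valid login (Destination not equal to the broker endpoint, InResponseTo not matching the AuthnRequest, non-Success status, missing or encrypted Assertion, empty NameID, wrong Audience). The broker endpoint URL `https://keycloak.example/realms/devtest-ns/broker/oim/endpoint`, the entity ID `https://keycloak.example/realms/devtest-ns`, the alias `oim` and the sample response are all constructed assumptions; the sample deliberately carries an `http://` Destination, as happens when the IdP was given metadata generated behind a TLS-terminating proxy.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def check_saml_response(xml_text, broker_endpoint, broker_entity_id, request_id=None):
    """Return a list of findings; an empty list means the structural checks pass."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # Destination must equal the broker's own endpoint URL, scheme and host included.
    dest = root.get("Destination")
    if dest != broker_endpoint:
        findings.append(f"Destination {dest!r} != broker endpoint {broker_endpoint!r}")
    # In an SP-initiated flow the IdP must echo the ID of the AuthnRequest it answered.
    if request_id and root.get("InResponseTo") != request_id:
        findings.append("InResponseTo missing or does not match the AuthnRequest ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = None if code is None else code.get("Value")
    if status != SUCCESS:
        findings.append(f"StatusCode is {status!r}, not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        kind = "encrypted (broker needs the decryption key)" if encrypted else "missing"
        return findings + [f"Assertion is {kind}"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject has no NameID, so the broker cannot identify the user")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != broker_entity_id:
        findings.append(f"Audience {getattr(aud, 'text', None)!r} != broker entity ID {broker_entity_id!r}")
    return findings

# Constructed sample: everything matches except the http:// Destination.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2022-09-01T06:01:27Z" InResponseTo="_req42"
  Destination="http://keycloak.example/realms/devtest-ns/broker/oim/endpoint">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-09-01T06:01:27Z">
    <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://keycloak.example/realms/devtest-ns</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Feed it the base64-decoded SAMLResponse captured from the browser POST to the broker endpoint, together with the endpoint and entity ID shown on the Keycloak identity provider page; each finding names a setting to compare between the two sides.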