mohammed asif
I am currently setting up cBioPortal with Keycloak for SAML-based single sign-on (SSO) and have encountered a significant issue. I'm trying to configure Keycloak for my dockered version of the instance and I'm constantly getting an error while performing the same.
My cbioportal is running on 8080 and keycloak is running on 9080
Here are the steps I've followed:
- Set up Keycloak with SAML client and exported the metadata.
- Generated and imported the signing key for cBioPortal into Keycloak.
- Configured the application.properties with SAML settings as per the documentation.
Despite these steps, the error persists. I suspect it might be related to missing configurations or dependencies in the Dockerized environment of cBioPortal.
The error message which I see from the container logs are as follows:
cbioportal-container | Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
cbioportal-container | 2024-07-19T13:08:22.058Z ERROR 131 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :
cbioportal-container |
cbioportal-container | ***************************
cbioportal-container | APPLICATION FAILED TO START
cbioportal-container | ***************************
cbioportal-container |
cbioportal-container | Description:
cbioportal-container |
cbioportal-container | Parameter 1 of method samlFilterChain in org.cbioportal.security.config.Saml2SecurityConfig required a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' that could not be found.
cbioportal-container |
cbioportal-container |
cbioportal-container | Action:
cbioportal-container |
cbioportal-container | Consider defining a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' in your configuration.
Screenshot attached for more reference.
My application properties for saml authentication is as follows:
# authentication
filter_groups_by_appname=false
saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.wantassertionsigned=true
saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml
saml.idp.metadata.entityid=http://localhost:9080/realms/cbioportal
saml.keystore.location=classpath:/samlKeystore.jks
saml.keystore.password=*****
saml.keystore.private-key.key=secure-key
saml.keystore.private-key.password=****
saml.keystore.default-key=secure-key
saml.idp.comm.binding.settings=defaultBinding
saml.idp.comm.binding.type=
saml.idp.metadata.attribute.email=email
saml.idp.metadata.attribute.userName=username
saml.idp.metadata.attribute.role=Role
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
# global logout (as opposed to local logout):
saml.logout.local=false
saml.logout.url=/
Docker compose.yml
version: '3'
services:
cbioportal:
restart: unless-stopped
image: ${DOCKER_IMAGE_CBIOPORTAL}
container_name: cbioportal-container
environment:
SHOW_DEBUG_INFO: "true"
PORTAL_HOME: "/cbioportal-webapp"
ports:
- "8080:8080"
volumes:
- ./study:/study/
- ./config/application.properties:/cbioportal-webapp/application.properties:ro
- ./config/logo/unilogo1.png:/cbioportal-webapp/webapp/images/unilogo1.png:ro
- ./kcdb-files/client-tailored-saml-idp-metadata.xml:/cbioportal-webapp/WEB-INF/classes/client-tailored-saml-idp-metadata.xml:ro
- ./kcdb-files/samlKeystore.jks:/cbioportal-webapp/WEB-INF/classes/samlKeystore.jks:ro
depends_on:
- cbioportal-database
- cbioportal-session
networks:
- cbio-net
# TODO: servlet-api should be excluded from deps in mvn, the removal below is just a quick fix
# This might be helpful: https://stackoverflow.com/questions/36233626
command: /bin/sh -c "rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/*' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --authenticate=saml --session.service.url=http://cbioportal-session:5000/api/sessions/my_portal/"
Please let me know if you know if you have any solutions for it. Thank you, Appreciate your help.
Best regards,
Mohammed Asif Raza
Tim Kuijpers
Thank you for reaching out. The error indicates that the RelyiongPartyRegistrationRepository is causing the issue and you have to adjust your configuration. It looks like you are using the properties used in cBioPortal version 5. Can you try and convert them to this:
"spring.security.saml2.relyingparty.registration.keycloak.entity-id=cbioportal",
"spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].certificate-location=classpath:security/signing-cert.pem",
"spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].private-key-location=classpath:security/signing-key.pem",
"saml.idp.metadata.attribute.email=email",
"saml.idp.metadata.attribute.role=Role",
Best,
Pieter Lukasse
mohammed asif
Thank you for the previous guidance. I’ve made some progress but am still encountering issues with the SAML configuration between cBioPortal and Keycloak.
Current Status:
- When I open http://localhost:8080, my page gets redirected (which is a good news) to http://localhost:9080/realms/cbioportal/protocol/saml and shows an "Invalid Request" error.
- The link http://localhost:9080/realms/cbioportal/protocol/saml appears to be invalid.
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=classpath:/client-tailored-saml-idp-metadata.xml
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/local.crt
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/local.key
#saml.idp.metadata.attribute.email=email
#saml.idp.metadata.attribute.role=Role
Please let me know if I'm missing out on adding any configuration on appplication properties.
From the error I see, the link being redirected to is invalid:
http://localhost:9080/realms/cbioportal/protocol/saml
However, the metadata file also has the same link for SSO:
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>QcdonjKsg6pZv7lliORMz4BELPVM4E0Rw0jY8Q6FHME</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
certificate removed here for privacy==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:9080/realms/cbioportal/protocol/saml/resolve" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Realm settings:
Tim Kuijpers
I have reviewed your Keycloak configuration and it looks fine to me. I think that the invalid request might be related to your setup (and unrelated to cBioPortal). I would advise you to take a closer look at the Keycloak logs since they might provide you with more information on the invalid request. You can set the log level to TRACE to get more detailed information (while debugging). You can also use an extension like SAML tracer to redirect from cBioPortal to Keycloak and inspect the request element.
Best,
Tim
Tim Kuijpers
Data Engineer
Pieter Lukasse
mohammed asif
Thank you so much for your advice.
I will work on the suggestions and get back to you with an update soon.
Thanks,
Mohammed Asif Raza