Keycloak Saml Authentication issue


mohammed asif

Jul 19, 2024, 9:58:00 AMJul 19
to cBioPortal for Cancer Genomics Discussion Group
Hi cBioPortal community,

I am currently setting up cBioPortal with Keycloak for SAML-based single sign-on (SSO) and have encountered a significant issue. I'm trying to configure Keycloak for my Dockerized version of the instance and I'm constantly getting an error while performing the same.

My cBioPortal is running on 8080 and Keycloak is running on 9080.

Here are the steps I've followed:

  1. Set up Keycloak with SAML client and exported the metadata.
  2. Generated and imported the signing key for cBioPortal into Keycloak.
  3. Configured the application.properties with SAML settings as per the documentation.

Despite these steps, the error persists. I suspect it might be related to missing configurations or dependencies in the Dockerized environment of cBioPortal.

The error message which I see in the container logs is as follows:
cbioportal-container  | Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
cbioportal-container  | 2024-07-19T13:08:22.058Z ERROR 131 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   :
cbioportal-container  |
cbioportal-container  | ***************************
cbioportal-container  | APPLICATION FAILED TO START
cbioportal-container  | ***************************
cbioportal-container  |
cbioportal-container  | Description:
cbioportal-container  |
cbioportal-container  | Parameter 1 of method samlFilterChain in org.cbioportal.security.config.Saml2SecurityConfig required a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' that could not be found.
cbioportal-container  |
cbioportal-container  |
cbioportal-container  | Action:
cbioportal-container  |
cbioportal-container  | Consider defining a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' in your configuration.

Screenshot attached for more reference.

My application properties for SAML authentication are as follows:

# authentication
filter_groups_by_appname=false
saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.wantassertionsigned=true
saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml
saml.idp.metadata.entityid=http://localhost:9080/realms/cbioportal
saml.keystore.location=classpath:/samlKeystore.jks
saml.keystore.password=*****
saml.keystore.private-key.key=secure-key
saml.keystore.private-key.password=****
saml.keystore.default-key=secure-key
saml.idp.comm.binding.settings=defaultBinding

saml.idp.comm.binding.type=
saml.idp.metadata.attribute.email=email
saml.idp.metadata.attribute.userName=username
saml.idp.metadata.attribute.role=Role
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
# global logout (as opposed to local logout):
saml.logout.local=false
saml.logout.url=/


Docker compose.yml

version: '3'

services:
  cbioportal:
    restart: unless-stopped
    image: ${DOCKER_IMAGE_CBIOPORTAL}
    container_name: cbioportal-container
    environment:
      SHOW_DEBUG_INFO: "true"
      PORTAL_HOME: "/cbioportal-webapp"
    ports:
      - "8080:8080"
    volumes:
     - ./study:/study/
     - ./config/application.properties:/cbioportal-webapp/application.properties:ro
     - ./config/logo/unilogo1.png:/cbioportal-webapp/webapp/images/unilogo1.png:ro
     - ./kcdb-files/client-tailored-saml-idp-metadata.xml:/cbioportal-webapp/WEB-INF/classes/client-tailored-saml-idp-metadata.xml:ro
     - ./kcdb-files/samlKeystore.jks:/cbioportal-webapp/WEB-INF/classes/samlKeystore.jks:ro
    depends_on:
     - cbioportal-database
     - cbioportal-session
    networks:
     - cbio-net
    # TODO: servlet-api should be excluded from deps in mvn, the removal below is just a quick fix
    # This might be helpful: https://stackoverflow.com/questions/36233626
    command: /bin/sh -c "rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/*' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --authenticate=saml --session.service.url=http://cbioportal-session:5000/api/sessions/my_portal/"

Please let me know if you have any solutions for it. Thank you, I appreciate your help.

Best regards,
Mohammed Asif Raza

Screenshot 2024-07-19 143335.png

Tim Kuijpers

Jul 19, 2024, 11:21:16 AMJul 19
to cBioPortal for Cancer Genomics Discussion Group
Hi Mohammed,

Thank you for reaching out. The error indicates that the RelyingPartyRegistrationRepository is causing the issue and you have to adjust your configuration. It looks like you are using the properties used in cBioPortal version 5. Can you try and convert them to this:

        "spring.security.saml2.relyingparty.registration.keycloak.entity-id=cbioportal",
        "spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].certificate-location=classpath:security/signing-cert.pem",
        "spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].private-key-location=classpath:security/signing-key.pem",
        "saml.idp.metadata.attribute.email=email",
        "saml.idp.metadata.attribute.role=Role",

I copied this example from the test scenario in the back-end code which works with Keycloak and cBioPortal version 6.

Hope this helps, feel free to reply all with further questions so the community is also able to follow our conversation.

Best,
Tim

Pieter Lukasse

Jul 22, 2024, 6:58:17 AMJul 22
to cBioPortal for Cancer Genomics Discussion Group
Hi Tim,

thanks for picking this up. Just wanted to clarify whether this is a bug in the documentation and whether a new ticket should be opened for that? It does seem like that.

Best,

Pieter

mohammed asif

Jul 22, 2024, 7:27:27 AMJul 22
to cBioPortal for Cancer Genomics Discussion Group
Hi Tim and Pieter,

Thank you for the previous guidance. I’ve made some progress but am still encountering issues with the SAML configuration between cBioPortal and Keycloak.

Current Status:

Below are my application.properties settings:
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=classpath:/client-tailored-saml-idp-metadata.xml
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/local.crt
#spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/local.key
#saml.idp.metadata.attribute.email=email
#saml.idp.metadata.attribute.role=Role

Please let me know if I'm missing out on adding any configuration in application.properties.

From the error I see, the link being redirected to is invalid: http://localhost:9080/realms/cbioportal/protocol/saml

Screenshot 2024-07-22 122651.png

However, the metadata file also has the same link for SSO:

<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>QcdonjKsg6pZv7lliORMz4BELPVM4E0Rw0jY8Q6FHME</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
 certificate removed here for privacy==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:9080/realms/cbioportal/protocol/saml/resolve" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:9080/realms/cbioportal/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Screenshots:
Screenshot 2024-07-22 121936.png

Realm settings:

Screenshot 2024-07-22 122118.png

Screenshot 2024-07-22 122340.png
Screenshot 2024-07-22 122420.png

Screenshot 2024-07-22 122521.png


Tim Kuijpers

Jul 23, 2024, 6:23:43 AMJul 23
to cBioPortal for Cancer Genomics Discussion Group
Dear Mohammed,

I have reviewed your Keycloak configuration and it looks fine to me. I think that the invalid request might be related to your setup (and unrelated to cBioPortal). I would advise you to take a closer look at the Keycloak logs since they might provide you with more information on the invalid request. You can set the log level to TRACE to get more detailed information (while debugging). You can also use an extension like SAML tracer to redirect from cBioPortal to Keycloak and inspect the request element.

Best,
Tim

Tim Kuijpers

Data Engineer

    

Pieter Lukasse

Jul 23, 2024, 11:37:42 AMJul 23
to cBioPortal for Cancer Genomics Discussion Group
Hi Mohammed,

thanks for sharing the details. In such cases it is also useful to check the logs in the backend (both the Keycloak and cBioPortal backend logs) to see if there are useful error messages.

One thing I noticed in your setup, which might be an issue: you have everything running on HTTP instead of HTTPS. I believe the default expectation in Keycloak and Spring security is HTTPS. So you may have to tweak a few respective settings to allow for HTTP in this case. Having said that, HTTP is not recommended at all, unless it is just a dev environment on your laptop. Even then, I would recommend considering using self-signed certificates to get your local environment better aligned to a real deployment.

Best,

Pieter
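The two configuration checks raised in this thread (Tim's point that cBioPortal v6 needs active `spring.security.saml2.relyingparty.registration.*` keys rather than the v5 `saml.sp.*`/`saml.keystore.*` keys, and Pieter's point that the IdP endpoints in the metadata are plain HTTP) can be scripted so they are caught before the container is even started. The following is an added example, not code from cBioPortal or the posters; the property-file and metadata samples are constructed to mirror the shapes seen in this thread, and the list of "legacy" key prefixes is an assumption based on Tim's reply, not a list published by the project.

```python
"""Offline sanity checks for a cBioPortal v6 + Keycloak SAML setup.

Added example (not cBioPortal project code). Checks two things the thread
turned on: (1) application.properties carries *active* Spring Security
relyingparty keys (v5-era keys are ignored by v6, and '#'-commented keys are
not read at all, so neither yields a RelyingPartyRegistrationRepository);
(2) the IdP metadata's entityID matches what is configured and its SSO
endpoints are served over HTTPS rather than HTTP.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SPRING_PREFIX = "spring.security.saml2.relyingparty.registration."
# Assumption: these v5 key families are the ones v6 no longer reads.
LEGACY_PREFIXES = ("saml.sp.", "saml.keystore.", "saml.idp.comm.",
                   "saml.idp.metadata.location", "saml.idp.metadata.entityid")


def parse_properties(text):
    """Split a Java .properties file into active and commented key/value maps."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line.startswith(("#", "!")):          # both are comment markers in .properties
            line = line.lstrip("#!").strip()
            target = commented
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        target[key.strip()] = value.strip()
    return active, commented


def check_properties(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    active, commented = parse_properties(text)
    legacy = sorted(k for k in active if k.startswith(LEGACY_PREFIXES))
    if legacy:
        findings.append("legacy v5 SAML keys that v6 ignores: " + ", ".join(legacy))
    spring_active = [k for k in active if k.startswith(SPRING_PREFIX)]
    spring_commented = [k for k in commented if k.startswith(SPRING_PREFIX)]
    if not spring_active:
        msg = ("no active " + SPRING_PREFIX +
               "* keys, so no RelyingPartyRegistrationRepository can be built")
        if spring_commented:
            msg += f" ({len(spring_commented)} such keys are commented out)"
        findings.append(msg)
    return findings


def parse_idp_metadata(xml_text):
    """Return (entityID, [(binding, location), ...]) for the SingleSignOnService endpoints."""
    root = ET.fromstring(xml_text)
    sso = [(e.get("Binding"), e.get("Location"))
           for e in root.iterfind(".//md:SingleSignOnService", MD_NS)]
    return root.get("entityID"), sso


def check_metadata(xml_text, expected_entity_id):
    """Flag an entityID mismatch, a missing SSO endpoint, and any non-HTTPS endpoint."""
    findings = []
    entity_id, sso = parse_idp_metadata(xml_text)
    if entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} does not match configured {expected_entity_id!r}")
    if not sso:
        findings.append("metadata has no SingleSignOnService endpoint")
    for binding, location in sso:
        if urlparse(location).scheme != "https":
            findings.append(f"{binding.rsplit(':', 1)[-1]} SSO endpoint is not HTTPS: {location}")
    return findings


# Constructed sample inputs (not copied from a real deployment).
V5_PROPERTIES = """\
saml.sp.metadata.entityid=cbioportal
saml.keystore.location=classpath:/samlKeystore.jks
saml.idp.metadata.attribute.email=email
"""
COMMENTED_PROPERTIES = """\
#spring.security.saml2.relyingparty.registration.keycloak.entity-id=cbioportal
#spring.security.saml2.relyingparty.registration.keycloak.assertingparty.metadata-uri=classpath:/idp-metadata.xml
saml.idp.metadata.attribute.email=email
"""
V6_PROPERTIES = COMMENTED_PROPERTIES.replace("#", "")   # same keys, uncommented
IDP_ENTITY_ID = "http://localhost:9080/realms/cbioportal"
IDP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{IDP_ENTITY_ID}/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{IDP_ENTITY_ID}/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, props in (("v5-style", V5_PROPERTIES), ("commented", COMMENTED_PROPERTIES),
                        ("v6", V6_PROPERTIES)):
        print(name, check_properties(props) or "OK")
    print("metadata", check_metadata(IDP_METADATA, IDP_ENTITY_ID) or "OK")
```

Run against a real `application.properties` and the exported Keycloak metadata file by reading them into `check_properties` and `check_metadata`; the three constructed property samples show the v5-style file (two findings), the fully commented v6 file (one finding that also counts the commented keys), and the working v6 file (no findings), while the constructed metadata reproduces the HTTP-only endpoints Pieter pointed out.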

mohammed asif

Jul 26, 2024, 11:18:20 AMJul 26
to cBioPortal for Cancer Genomics Discussion Group
Hi Tim and Pieter,

Thank you so much for your advice.
I will work on the suggestions and get back to you with an update soon.

Thanks,
Mohammed Asif Raza