saml invalid signature between 2 keycloak instances


Filou Tage

Oct 4, 2022, 8:22:03 AM10/4/22
to Keycloak User
Hello,

I'm trying to configure a SAML identity provider within Keycloak, but I stumble on an error that doesn't make much sense to me.

The setup is the following: I have a Keycloak (let's call it KC1) in front of my app to handle AuthN. In this KC1 I've set up a SAML identity provider which happens to also be a Keycloak on another server (let's call it KC2).
So when I try to access my app, it redirects me to the KC login screen. I can then choose to connect using my SAML client, but it gives me an "Invalid Requester" and the following warning in the logs:

2022-10-03 12:37:50,065 ERROR [org.keycloak.protocol.saml.SamlService] (default task-5) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:99)
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:84)

2022-10-03 12:37:50,081 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=KC2-realm, clientId=null, userId=null, ipAddress=10.116.250.11, error=invalid_signature


Configuration on KC1 is:
Service provider entity ID: <KC2-client-id>
Identity provider ID: http://x.x.x.x/realm/KC2-realm
NameID policy format: persistent
Principal type: Subject NameID
Allow Create: on
HTTP post binding (all of them): ON
Want AuthnResponse signed: ON
Signature algorithm: RSA_SHA256
SAML signature key name: KEY_ID
Want assertion signed / encrypted: OFF
Force auth: OFF
Validate signatures: ON
X509 certificates: <KC2-certificate-from-saml-descriptor>

Configuration on KC2 is:
client ID: <KC2-client-id>
NameID policy format: persistent
force name ID format: OFF
force POST binding: ON
force artifact binding: OFF
Include AuthnStatement: ON
Include oneTimeUse condition: OFF
Sign documents: ON
Sign assertions: OFF

I'm not sure I understand what's wrong/missing. I've seen on the internet that sometimes this is due to a mismatch in configs, but to me everything seems to be mirrored correctly between the 2 instances (especially the signature/certificate part).

Any help would be appreciated!

Thanks,
Filou
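Added diagnostic, not from the original post or from Keycloak itself: the log above is KC2's SamlService rejecting the signed document it received, and "Invalid signature on document" is what you get whenever the certificate the verifying side holds is not the one the signing side actually uses. The script below fingerprints the signing certificate(s) published in a SAML metadata descriptor and compares them with the certificate pasted into the peer's configuration, accepting either bare base64 (what Keycloak's "X509 certificates" field expects) or a full PEM block; the metadata document and certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def normalize_cert(value: str) -> bytes:
    """DER bytes from a certificate pasted as bare base64 or as PEM.
    PEM armour and whitespace are stripped, so a cert copied with
    BEGIN/END lines compares equal to the same cert without them."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", value)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-256 fingerprints of every signing certificate in a SAML metadata
    document: KeyDescriptor with use="signing" or with no use attribute.
    Encryption-only certificates are skipped; pasting one of those into the
    signature-validation field is a common cause of this error."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            fps.append(fingerprint(normalize_cert(cert.text or "")))
    return fps

def configured_cert_matches(configured: str, metadata_xml: str) -> bool:
    """True when the configured certificate is one the peer signs with."""
    return fingerprint(normalize_cert(configured)) in signing_cert_fingerprints(metadata_xml)

# Constructed sample data: arbitrary bytes standing in for DER certificates.
KC2_SIGNING_B64 = base64.b64encode(b"constructed-kc2-signing-cert").decode()
KC2_ENC_B64 = base64.b64encode(b"constructed-kc2-encryption-cert").decode()
KC2_SIGNING_PEM = f"-----BEGIN CERTIFICATE-----\n{KC2_SIGNING_B64}\n-----END CERTIFICATE-----\n"
KC2_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://x.x.x.x/realm/KC2-realm"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{KC2_SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{KC2_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run it against the descriptor of whichever side does the verifying (here KC2, since KC2 logged the failure) and the certificate pasted on the other side; a False result points at a stale, rotated or wrong-purpose certificate rather than at the binding or NameID settings.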