We're connecting our Keycloak instance to a third party’s IdP. Which IdP they use, we're not sure. We have both SAML signing and encryption enabled. When we receive the SAML assertion, Keycloak throws an invalid login error.
This is weird, because we've done this with one of their other environments, and gotten it working successfully.
Keycloak is running in Docker containers in AWS ECS Fargate, and while we don't have a full observability setup configured, we DO have AWS X-Ray set up. All we see is the initial assertion POST to our endpoint (with a signature and an encrypted assertion), but we are unable to decrypt the payload. We do not want to use online SAML tools to try to reveal the payload, for obvious reasons.
We are going to open up trace logging for org.keycloak.saml to see if the payload is revealed, as debug logging sheds no light.
Again, we have been able to successfully implement it with a different IdP from the same third party, so it's likely not a KC/cloud config problem. The underlying certs are all fresh, and not expired.
Our current working hypotheses are that there's an encryption config mismatch, or perhaps Keycloak itself is not configured correctly, but that doesn't narrow it down much, and our confidence in this hypothesis is middling at best.
Does anyone have suggestions on where we should pop the hood and look? Or on troubleshooting KC in general when these situations occur, specifically with SAML? We should maybe also check that the servers' times are being synced consistently across all of their environments as well.
Thanks,
-Rian
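An added example, not from the post above or from the Keycloak project: the encrypted assertion in the captured POST can be decrypted offline with the SP's own private key instead of an online tool, which also distinguishes a key or algorithm mismatch (the decrypt raises) from a clock-skew problem (the plaintext Conditions show NotBefore/NotOnOrAfter). It assumes the XML-Encryption profile Keycloak SAML encryption normally emits (RSA-OAEP key transport around an AES-CBC content key), and the IdP-side `encrypt_assertion` is a constructed stand-in so the demo runs offline.

```python
"""Decrypt a SAML EncryptedAssertion offline with the SP's own private key.
Assumption (not stated in the post): RSA-OAEP/MGF1-SHA-1 wraps an AES-CBC key,
the IV is prepended to the ciphertext, ISO 10126 padding. GCM/RSA-1.5 differ."""
import base64, os
import xml.etree.ElementTree as ET
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#"}
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)

def decrypt_assertion(enc_assertion_xml: str, sp_private_key_pem: bytes) -> str:
    """Return the plaintext <saml:Assertion>; raises on a wrong key or another profile."""
    key = serialization.load_pem_private_key(sp_private_key_pem, password=None)
    root = ET.fromstring(enc_assertion_xml)
    wrapped = root.find(".//xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue", NS).text
    cipher = root.find(".//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", NS).text
    aes_key = key.decrypt(base64.b64decode(wrapped), OAEP)  # fails if the SP key mismatches
    blob = base64.b64decode(cipher)
    iv, body = blob[:16], blob[16:]  # XML-Enc CBC: the IV is the first block
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(body) + dec.finalize()
    return padded[: -padded[-1]].decode()  # last byte holds the pad length

def encrypt_assertion(assertion_xml: str, sp_public_key) -> str:
    # Constructed stand-in for the IdP side so the demo runs offline (hypothetical).
    aes_key, iv, data = os.urandom(16), os.urandom(16), assertion_xml.encode()
    pad = 16 - len(data) % 16
    data += os.urandom(pad - 1) + bytes([pad])  # ISO 10126 padding
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    body = base64.b64encode(iv + enc.update(data) + enc.finalize()).decode()
    wrapped = base64.b64encode(sp_public_key.encrypt(aes_key, OAEP)).decode()
    return (
        '<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
        '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
        '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>'
        '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
        f"<xenc:CipherData><xenc:CipherValue>{wrapped}</xenc:CipherValue></xenc:CipherData>"
        f"</xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>{body}"
        "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>"
    )

def demo() -> str:
    # Round-trip a constructed assertion through a throwaway SP key pair.
    sp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = sp_key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    assertion = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo">'
                 '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:Assertion>')
    return decrypt_assertion(encrypt_assertion(assertion, sp_key.public_key()), pem)
```

Against a real capture, pass the base64-decoded POST body's `EncryptedAssertion` element and the PEM of the SP encryption key Keycloak published in its SP metadata; if the IdP used a different algorithm the `EncryptionMethod` `Algorithm` attributes in the capture will say so.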