KeyCloak-SAML integration with third party IDP


Atul Arnav Sharma

Apr 27, 2023, 1:41:30 AM
to Keycloak User
I'm using Keycloak 16.0 and I've configured a client in Keycloak and an IDP for SAML 2.0.
Whenever I try to test this, the AuthnRequest completes successfully but the final SAMLResponse sent by the IDP is rejected as invalid by the Keycloak server.
(screenshot: Capture.PNG)

Error showing at the Keycloak server:
18:09:53,805 WARN  [org.keycloak.events] (default task-15) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=keycloak-test-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination

I've tried a lot according to my knowledge but haven't found the solution yet. Is there a way to get a valid SAML destination for the SAMLResponse? It's also possible that I'm missing something.

Tobias Häfner

Apr 28, 2023, 4:00:26 AM
to Keycloak User
Hello Atul,

The message says that the IDP sends a SAML Response with a Destination which doesn't match your configured Keycloak endpoint.
Please use a SAML browser tool like
to check the SAML Response in the browser. It should look like this:
(screenshot: 2023-04-28_09h50_47.png)
Check the field Destination against your endpoint configuration in Keycloak:

(screenshot: 2023-04-28_09h52_22.png)
If it doesn't match, send the IDP the SAML metadata again.
The relevant line in the metadata is:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<host>/auth/realms/xyz/broker/saml/endpoint" isDefault="true" index="1"/>

Hope this helps.
Best regards
Tobias

Atul Arnav Sharma

May 2, 2023, 3:48:43 AM
to Keycloak User
Thank You @Tobias Häfner

I've configured it as you said and it seems that error has been resolved, but now I'm facing a new error: "Login timeout. Please sign in again."

Error in the Keycloak console
============================================
13:11:08,460 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-15) Assertion expired.
13:11:08,462 WARN  [org.keycloak.events] (default task-15) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=keycloak-test-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, authSessionParentId=a8c4ba11-104e-4e6e-bce5-4da433a2145e, authSessionTabId=58DkusKDb-w
============================================

I've also set up "Allowed clock skew" to 120 seconds in the Keycloak IDP, but it's still throwing the error.
Is there anything else I should take care of?

Tobias Häfner

May 2, 2023, 8:59:01 AM
to Keycloak User
Hello Atul,

Please check if your OS system time is correct. Please also check the OS time of the IDP.

Best regards
Tobias
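
The two rejections in this thread (reason=invalid_destination, then "Assertion expired") can both be reproduced offline on a captured SAMLResponse. The script below is an added example for this thread, not Keycloak's own code: it pulls the expected endpoint out of the SP metadata line Tobias quoted, base64-decodes the SAMLResponse POST field, compares its Destination with that endpoint, and checks the assertion's Conditions window widened by the "Allowed clock skew". The host sso.example.test, the realm name, the IDP issuer, the timestamps and the sample XML (unsigned, since the signature is not what these checks look at) are all constructed for the example, and the Destination comparison is a plain string equality chosen for debugging; Keycloak's own comparison may be more lenient than that.

```python
"""Reproduce Keycloak's 'invalid_destination' and 'Assertion expired' rejections
on a captured SAMLResponse.  Added example; not Keycloak code."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata: the AssertionConsumerService line from the thread,
# with an assumed host and realm.
SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.test/auth/realms/keycloak-test-realm">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.test/auth/realms/keycloak-test-realm/broker/saml/endpoint"
        isDefault="true" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of what the HTTP-POST 'SAMLResponse' field decodes to.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2023-05-02T07:41:00Z"
    Destination="https://sso.example.test/auth/realms/keycloak-test-realm/broker/saml/endpoint">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-05-02T07:41:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>atul</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-05-02T07:40:00Z" NotOnOrAfter="2023-05-02T07:46:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
SAMLRESPONSE_FIELD = base64.b64encode(RESPONSE_XML.encode()).decode()

# Assumed clocks: the IDP-side time the assertion was issued for, and an SP host
# whose clock runs ten minutes fast (more than 120 s of allowed skew can absorb).
GOOD_CLOCK = datetime(2023, 5, 2, 7, 42, tzinfo=timezone.utc)
FAST_CLOCK = GOOD_CLOCK + timedelta(minutes=10)
WRONG_ENDPOINT = "https://sso.example.test/auth/realms/xyz/broker/saml/endpoint"


def acs_location_from_metadata(metadata_xml):
    """Location of the default HTTP-POST AssertionConsumerService in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        if acs.get("Binding", "").endswith("HTTP-POST") and acs.get("isDefault") == "true":
            return acs.get("Location")
    raise ValueError("no default HTTP-POST AssertionConsumerService in metadata")


def decode_saml_response(field_value):
    """Base64-decode the 'SAMLResponse' POST field and parse the XML."""
    return ET.fromstring(base64.b64decode(field_value))


def parse_saml_time(value):
    """SAML xsd:dateTime values are UTC and end in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_destination(root, expected_endpoint):
    """First rejection in the thread: Destination must equal the broker endpoint."""
    if root.get("Destination") != expected_endpoint:
        return "invalid_destination"
    return None


def check_assertion_window(root, now, clock_skew):
    """Second rejection: 'now' must fall inside Conditions, widened by the skew."""
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return "missing_conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - clock_skew:
        return "assertion_not_yet_valid"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + clock_skew:
        return "assertion_expired"
    return None


def validate(field_value, expected_endpoint, now, clock_skew_seconds=0):
    """List of reasons the broker would reject this response (empty means accepted)."""
    root = decode_saml_response(field_value)
    skew = timedelta(seconds=clock_skew_seconds)
    checks = (check_destination(root, expected_endpoint),
              check_assertion_window(root, now, skew))
    return [reason for reason in checks if reason]


if __name__ == "__main__":
    endpoint = acs_location_from_metadata(SP_METADATA_XML)
    print(validate(SAMLRESPONSE_FIELD, endpoint, GOOD_CLOCK, 120))   # []
    print(validate(SAMLRESPONSE_FIELD, WRONG_ENDPOINT, GOOD_CLOCK))  # ['invalid_destination']
    print(validate(SAMLRESPONSE_FIELD, endpoint, FAST_CLOCK, 120))   # ['assertion_expired']
```

Paste the real SAMLResponse field from the browser tool in place of SAMLRESPONSE_FIELD and the real metadata in place of SP_METADATA_XML. The third call is the situation in the thread: raising the allowed skew to 120 seconds does not help when the server clock is off by minutes, which is why the fix was correcting the OS time rather than the Keycloak setting.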

Atul Arnav Sharma

May 8, 2023, 1:02:47 AM
to Keycloak User
Hi Tobias,

As suggested by you, we made the required changes and it has worked. I can't thank you enough for the help that you have extended to us.
I hope we stay connected and will be able to help each other out in future as well.
