Error base64 decoding saml message : PL00062: Parser : Unknown tag:Assertion::location=org.codehaus.stax2.XMLStreamLocation2$1@5c22e7c2


Sean Cook

Jul 9, 2021, 3:44:18 PM
to Keycloak User
I've set up Keycloak as a SAML IdP to test an application. I have managed to enable IdP-initiated workflows and login, but when I attempt an SP-initiated workflow, it fails.

Our application does work with Okta, so I assume that it's a configuration problem with how I've set up Keycloak.

I see the following in the Keycloak docker container logs:

19:40:18,010 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/realms/PLM-NSX/protocol/saml
19:40:18,011 DEBUG [io.undertow.request.security] (default task-7) Attempting to authenticate /auth/realms/PLM-NSX/protocol/saml, authentication required: false
19:40:18,012 DEBUG [io.undertow.request.security] (default task-7) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@34d5a40a for /auth/realms/PLM-NSX/protocol/saml
19:40:18,012 DEBUG [io.undertow.request.security] (default task-7) Authentication result was ATTEMPTED for /auth/realms/PLM-NSX/protocol/saml
19:40:18,012 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-7) new JtaTransactionWrapper
19:40:18,012 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-7) was existing? false
19:40:18,014 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) RESTEASY002315: PathInfo: /realms/PLM-NSX/protocol/saml
19:40:18,042 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-7) SAML GET
19:40:18,043 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-7) SAML Redirect Binding
19:40:18,043 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-7) <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
               <saml2p:AuthnRequest
               xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
               ID="app1-172.xx.xxx.xxx"
               Version="2.0"
               IssueInstant="2021-07-09T19:40:17Z"
               AssertionConsumerServiceIndex="1">
           <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
           xmlns:xs="http://www.w3.org/2001/XMLSchema" />           <saml2:Issuer  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
           >HTTP://172.xx.xxx.xxx:8080/console</saml2:Issuer>
           <saml2p:NameIDPolicy
           AllowCreate="false"
           Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
           </saml2p:AuthnRequest>
19:40:18,044 ERROR [org.keycloak.saml.common] (default task-7) Error in base64 decoding saml message: java.lang.RuntimeException: PL00062: Parser : Unknown tag:Assertion::location=org.codehaus.stax2.XMLStreamLocation2$1@5c22e7c2
19:40:18,048 DEBUG [freemarker.cache] (default task-7) Couldn't find template in cache for "template.ftl"("en_US", UTF-8, parsed); will try to load it.
19:40:18,049 DEBUG [freemarker.cache] (default task-7) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
19:40:18,049 DEBUG [freemarker.cache] (default task-7) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
19:40:18,049 DEBUG [freemarker.cache] (default task-7) TemplateLoader.findTemplateSource("template.ftl"): Found
19:40:18,049 DEBUG [freemarker.cache] (default task-7) Loading template for "template.ftl"("en_US", UTF-8, parsed) from "file:/opt/jboss/keycloak/themes/base/login/template.ftl"
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) WriterInterceptor: org.jboss.resteasy.security.doseta.DigitalSigningInterceptor
19:40:18,102 DEBUG [org.jboss.resteasy.security.doseta.i18n] (default task-7) Interceptor : org.jboss.resteasy.security.doseta.DigitalSigningInterceptor,  Method : aroundWriteTo
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
19:40:18,102 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar
19:40:18,103 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-7) JtaTransactionWrapper  commit
19:40:18,103 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-7) JtaTransactionWrapper end
19:40:18,103 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=PLM-NSX-DGM, clientId=null, userId=null, ipAddress=10.xxx.x.xx, error=invalid_token
19:40:18,104 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) RESTEASY009525: onComplete

Sean Cook

Jul 16, 2021, 10:09:45 AM
to Keycloak User
An engineer on my team told me that the following was optional in the AuthnRequest... Is there a way to set up Keycloak SAML support such that it ignores optional namespace definitions or is less "strict"? Again, this system is working with the 3rd-party Okta IdP, but I'm struggling to get this integrated with Keycloak.
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" />
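Added example (not from the thread, Keycloak or Okta): it decodes a Redirect-binding SAMLRequest and lists the direct children of the AuthnRequest that the SAML 2.0 protocol schema does not permit. The `<saml2:Assertion/>` element shown above is one of them, since Assertion is not a defined child of AuthnRequest, which is what a schema-strict parser trips over while a lenient one ignores it. The sample request, its ID and the issuer URL are constructed placeholders.

```python
"""Decode a SAML HTTP-Redirect SAMLRequest and lint the AuthnRequest's direct children."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Elements the SAML 2.0 core schema allows directly under samlp:AuthnRequest
# (RequestAbstractType children first, then AuthnRequestType's own children).
ALLOWED_CHILDREN = {
    f"{{{SAML}}}Issuer", f"{{{DSIG}}}Signature", f"{{{SAMLP}}}Extensions",
    f"{{{SAML}}}Subject", f"{{{SAMLP}}}NameIDPolicy", f"{{{SAML}}}Conditions",
    f"{{{SAMLP}}}RequestedAuthnContext", f"{{{SAMLP}}}Scoping",
}

def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Redirect binding as an SP sends it: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")

def decode_redirect_binding(saml_request: str) -> bytes:
    """Reverse of the above: base64-decode, then raw-inflate (wbits=-15)."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def unexpected_authn_request_children(xml_bytes: bytes) -> list[str]:
    """Return tags of direct children that the AuthnRequest schema does not allow.
    The stdlib parser keeps this example self-contained; untrusted SAML should be
    parsed with a hardened parser such as defusedxml in real deployments."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    return [child.tag for child in root if child.tag not in ALLOWED_CHILDREN]

# Constructed sample mirroring the request in the thread; ID and issuer are placeholders.
SAMPLE_AUTHN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="app1-placeholder" Version="2.0" IssueInstant="2021-07-09T19:40:17Z"
    AssertionConsumerServiceIndex="1">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example/console</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
</saml2p:AuthnRequest>"""

if __name__ == "__main__":
    wire = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print("unexpected children:", unexpected_authn_request_children(decode_redirect_binding(wire)))
```

Running it against a real SP's request means pasting the `SAMLRequest` query parameter (URL-decoded) into `decode_redirect_binding`; an empty list means the request only contains children the schema defines.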
