3 votes

This question is in the area of SAML-based IdP-initiated SSO. As a POC, I have two Keycloak instances, say keycloak1 and keycloak2. I want to achieve the following:

  1. Authentication would be done at keycloak1.

  2. keycloak1 then redirects to keycloak2 to access a keycloak2 client application.

To do so,

a) Create a SAML client at keycloak1 under realm1, with IdP Initiated SSO URL Name set to some name without spaces, say keycloakclientsaml. In the Fine Grain SAML Endpoint Configuration section, set the Assertion Consumer Service POST Binding URL to http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml

( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login)

b) Click on the above-created SAML client --> Installation --> Export SAML Metadata IDPSSODescriptor and save it as saml-metadata.xml (say).

c) Add a user in keycloak1, say user1/user@123

d) At keycloak2, create an IdP (Identity Providers tab). Import the saml-metadata.xml exported above and save.

e) In the browser, hit http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/keycloakclientsaml . When prompted for username/password, give the credentials for user1.

f) URL in the browser now changes to

http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml

At keycloak2 instance, I get the error as :

09:20:46,775 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-6) Assertion ID_789213dd-24f9-425f-ae20-bcadef173bc6 is not addressed to this SP.
09:20:46,775 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-6) Assertion expired.
09:20:46,775 WARN [org.keycloak.events] (default task-6) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=realm2, clientId=null, userId=null, ipAddress=keycloak2, error=invalid_saml_response

Could someone help here?

  1. Are the above steps correct and complete?
  2. What am I missing?

If any other information is required, let me know; I would be happy to provide it.


1 Answer

2 votes

Finally got it working.

So here is the answer to the above:

The error pasted above was related to "Assertion expired". In my case, it was because the clientId given in the SAML client of keycloak1 was not a URL recognized by keycloak2. It should point to the keycloak2 realm (for example, http://<keycloak2:port>/realms/realm2). Then the Conditions section in the SAML response is VALIDATED at the keycloak2 broker IdP (code: SAMLEndpoint.java --> handleLoginResponse method).

Leaving this thread here; for clarity, the steps are given below in detail:

a) Create a SAML client at keycloak1 under realm1, with IdP Initiated SSO URL Name set to some name without spaces, say sso.

b) In the Fine Grain SAML Endpoint Configuration section of the above client, set the Assertion Consumer Service (ACS) POST Binding URL to http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloak2samlclient

( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login)

c) Click on the above-created SAML client --> Installation --> Export SAML Metadata IDPSSODescriptor and save it as saml-metadata.xml (say).

d) Add a user in keycloak1, say user1/user@123

e) At keycloak2, create an IdP (Identity Providers tab) with the name saml (refer to the ACS URL). Import the saml-metadata.xml exported above and save.

f) At keycloak2, create a SAML client and, in the IdP Initiated SSO URL Name, give the name keycloak2clientsaml

g) In the browser, hit http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/sso . When prompted for username/password, give the credentials for user1.
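The Conditions check the answer refers to (the SP verifies that the assertion's AudienceRestriction names its own entity ID and that NotBefore/NotOnOrAfter bracket the current time), as an added Python example that is not from this thread or from Keycloak's own code. The hostnames, entity ID, timestamps and the wrong audience value are constructed placeholders; the point is that an IdP-side client name in the Audience element is rejected by the SP, while the SP's realm URL is accepted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed placeholder values; the real SP entity ID is whatever keycloak2 advertises for realm2.
SP_ENTITY_ID = "http://keycloak2.example:8080/auth/realms/realm2"
WRONG_AUDIENCE = "keycloakclientsaml"  # a keycloak1 clientId, not an SP entity ID

def build_assertion(audience: str, not_before: datetime, not_on_or_after: datetime) -> str:
    """Constructed, unsigned assertion skeleton carrying only what the Conditions check reads."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="ID_constructed-example" Version="2.0">'
        "<saml:Issuer>http://keycloak1.example:8080/auth/realms/realm1</saml:Issuer>"
        f'<saml:Conditions NotBefore="{not_before.strftime(TS_FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )

def validate_conditions(assertion_xml: str, sp_entity_id: str, now: datetime, clock_skew_s: int = 0) -> list:
    """Return the Conditions violations an SP would raise (an empty list means the assertion may be accepted)."""
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if conditions is None:
        return ["no Conditions element"]
    problems, skew = [], timedelta(seconds=clock_skew_s)
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + skew < datetime.strptime(not_before, TS_FMT).replace(tzinfo=timezone.utc):
        problems.append("not yet valid")
    if not_on_or_after and now - skew >= datetime.strptime(not_on_or_after, TS_FMT).replace(tzinfo=timezone.utc):
        problems.append("expired")
    # AudienceRestriction: the value must equal the SP's own entity ID, not an IdP-side client name.
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if audiences and sp_entity_id not in audiences:
        problems.append("not addressed to this SP")
    return problems

def run_example(audience: str, seconds_after_issue: int = 0) -> list:
    """Issue a 5-minute assertion at a fixed instant and validate it at issue time + offset (deterministic)."""
    issued = datetime(2021, 5, 4, 9, 20, 46, tzinfo=timezone.utc)
    assertion = build_assertion(audience, issued, issued + timedelta(minutes=5))
    return validate_conditions(assertion, SP_ENTITY_ID, issued + timedelta(seconds=seconds_after_issue))

if __name__ == "__main__":
    print("wrong audience  :", run_example(WRONG_AUDIENCE))    # ['not addressed to this SP']
    print("correct audience:", run_example(SP_ENTITY_ID))      # []
    print("stale assertion :", run_example(SP_ENTITY_ID, 600)) # ['expired']
```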