Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 9.0.2
    • Fix Version/s: None
    • Component/s: Protocol - SAML
    • Labels: None
    • Release Notes Text: It was a mistake on my side.
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Hello everyone, I'm using Keycloak as a SAML Service Provider and Layer7 SiteMinder as a SAML Identity Provider.

      The classic SP-initiated SAML flow is working without any issue, but I have a use case where I need to use an IDP-initiated flow.

      When I use this flow, Keycloak gives me the following error:

      We are sorry…
      Login timeout. Please log in again.

      In the server log I get the following error messages:

      2020-05-08 10:08:07,426 INFO  [org.keycloak.saml.validators.ConditionsValidator] (default task-1) Assertion _e5d8deee188bdbe6e443259de73340780119 is not addressed to this SP.
      2020-05-08 10:08:07,428 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.

      So from my point of view, because in the IDP-initiated flow the IDP doesn't consume the SAML Authentication Request from Keycloak, the IDP generates a SAML Response without the InResponseTo="ID_**" value containing the ID of the transaction Keycloak sent in the initial SAML Authentication Request, and Keycloak rejects the SAML Response.

      Is it a normal behavior? This flow is working on RHSSO 7.3 (keycloak 4.8.18).
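The checks behind the two log lines above (audience restriction and the assertion validity window) together with the InResponseTo correlation the report describes, as an added example that is not Keycloak's code; the SAML Response, the SP entity ID https://sp.example.test/saml and the timestamps are constructed.

```python
# Added example (not Keycloak's code): minimal checks an SP applies to a SAML
# Response: InResponseTo correlation, validity window and audience restriction.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an IdP-initiated Response, so no InResponseTo attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2020-05-08T08:07:00Z" NotOnOrAfter="2020-05-08T08:12:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp_entity_id, now, outstanding_request_ids,
                      allow_idp_initiated=False, skew=timedelta(seconds=30)):
    """Return the list of rejection reasons; an empty list means the Response is acceptable."""
    errors = []
    resp = ET.fromstring(xml_text)
    in_response_to = resp.get("InResponseTo")
    if in_response_to is None:  # unsolicited Response: only valid for IdP-initiated login
        if not allow_idp_initiated:
            errors.append("unsolicited Response but IdP-initiated login is disabled")
    elif in_response_to not in outstanding_request_ids:
        errors.append(f"InResponseTo {in_response_to} matches no pending AuthnRequest")
    for assertion in resp.findall("saml:Assertion", NS):
        cond = assertion.find("saml:Conditions", NS)
        aid = assertion.get("ID")
        if cond is None:
            errors.append(f"assertion {aid} has no Conditions")
            continue
        if cond.get("NotBefore") and now + skew < parse_ts(cond.get("NotBefore")):
            errors.append(f"assertion {aid} not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            errors.append(f"assertion {aid} expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:  # the ConditionsValidator case above
            errors.append(f"assertion {aid} is not addressed to this SP")
    return errors
```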

      People

      • Assignee: Unassigned
      • Reporter: tubezleb Denis Rosenkranz
      • Votes: 0
      • Watchers: 1
