400 Bad Request error from keycloak after AD authentication

I am trying to use Keycloak as an identity broker with Azure AD using SAML. I’m not entirely sure if all my configurations are correct, but my user is getting authenticated by the identity provider (which is a developer microsoft account). But when it is redirected back to Keycloak, in UI it shows ‘Login timeout. Please sign in again’ and in dev tools network tab I can see the call ‘https://{keycloak-url}/auth/realms/{my-realm}/broker/{idp-name}/endpoint’ giving 400 Bad Request Status. I can see SAMLResponse and RelayState in the payload. I’m not sure if it’s expecting any other data in the payload or whether the SAMLResponse content is incorrect. Also the error message shown in the UI is also confusing.

Why do you use old-fashioned SAML protocol?
It’s so easy with OIDC:

My guess (it is only guess because Keycloak server logs weren’t provided):

1 Like

Because that was the requirement. :sweat_smile: OIDC was implemented earlier, now they want it in SAML.
And I had watched your video too, which helped me in confirming the steps I had done for Azure AD app registration.

I do see assertion expired message in the logs. But not the exact error I think.
Below are the logs I get.
23:00:18,964 WARN [org.keycloak.saml.common] (default task-3) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
23:02:13,988 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-3) Assertion _1443bed0-d2a8-475e-8ba6-61dc2a67d801 is not addressed to this SP.
23:02:13,988 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-3) Assertion expired.
23:02:14,076 WARN [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, authSessionParentId=da6b4608-69fd-4f77-9411-9cf6c99fd204, authSessionTabId=jM2JDWuc-Dg

SAMLResponse:
<samlp:Response ID="_0ac944a7-5ee3-431f-9387-319e5c1dcc1f" Version=“2.0” IssueInstant=“2022-01-07T17:43:12.299Z” Destination=“httplocalhost:8080/auth/realms/demo/broker/azuread/endpoint” InResponseTo=“ID_dc4b5a19-3c81-44a4-8510-10218a1bb2d8” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”>https:sts.windows.net/84b12868-6728-441b-885b-169e86ff2143/<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Success”/></samlp:Status>https:sts.windows.net/84b12868-6728-441b-885b-169e86ff2143/NBg2uD/cPUDLvz+hon2rzZdkNF4n+bP4JJV8EKEJp0Q=s900jhA0dxTCLzHNDAFInj52tf1ylXIYoR5cBfE8HzoZnPjE2aGXR4irbsrAzg54R0JPD3Ev3i3nf7wggHjHZXPnFWclHzhURSoWe2HE6ZFPKQG6Tt0tfTadvOg5ozH/OGKSF5A4OXkzbm7ElgKZKgKJWTBBgmt76FSNWZEZNPBtGiB/Yo33RdcHIE1aETwZs4nd2GngVrCjXQRZk4JVc8eG9dj6YHdmo2kZZci96s36rIxHNDTZexIiKanFiMgXgKJt7k8Me+tlxquDzSAwkQ/KY73SGxvWf4bWaSjhp8gYo7zUh7qsSERbSb7vVEzTbsFKP/+haPpsr/5wHp7LEQ==MIIDBTCCAe2gAwIBAgIQff8yrFO3CINPHUTT76tUsTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIxMTAyNDE3NDU1NloXDTI2MTAyNDE3NDU1NlowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMq979bhE6xX09e87zostNcPJzvtbeu3JomS2catiEg3bXvXcPiMQke5T1dsHs3MyEYHFpmIBZ7JNo+ptdB+LSs3KmTNCSfzYoGNvaRYpsZS+/6lzAdT6KxSXZQCr6eUoI0k8C6145K9QKlsG6cxtsmVDTdxhPBr5k3qOMsHkGzQnfsjv2aaM8dCd+MBwRDLmsPmXwlJO5nSirIPhHBOGb9F4JfcD9jKSj8dFfIC2s8XulEPUoczbq7kjp3KS2CTf6EOGin+abTqda7Hw2NiCvX67ZkUyjnUPjBJknYxi//PCEHLwrO46lc+d1yqF0ZVwfLTCBjnIPiAnq+ssXtorSECAwEAAaMhMB8wHQYDVR0OBBYEFDiZG6s5d9RvorpqbVdS2/MD8ZKhMA0GCSqGSIb3DQEBCwUAA4IBAQAQAPuqqKj2AgfC9ayx+qUu0vjzKYdZ6T+3ssJDOGwB1cLMXMTUVgFwj8bsX1ahDUJdzKpWtNj7bno+Ug85IyU7k89U0Ygr55zWU5h4wnnRrCu9QKvudUPnbiXoVuHPwcK8w1fdXZQB5Qq/kKzhNGY57cG1bwj3R/aIdCp+BjgFppOKjJpK7FKS8G2v70eIiCLMapK9lLEeQOxIvzctTsXy9EZ7wtaIiYky4ZSituphToJUkakHaQ6evbn82lTg6WZz1tmSmYnPqRdAff7aiQ1Sw9HpuzlZY/piTVqvd6AfKZqyxu/FhENE0Odv/0hlHzI15jKQWL1Ljc0Nm3y1skut7FSFwmlmVjsc7clDiNTohbUUly3ldmNCXBuGnUE0Anwspn:e0dc8530-9bae-4f9c-8fdf-ce27fd07170784b12868-6728-441b-885b-169e86ff21431fe8d39d-56ac-4448-bde8-bfac6c13a865[name]AjAiswaryaAiswarya Ajhttps:sts.windows.net/84b12868-6728-441b-885b-169e86ff2143/httpschemas.microsoft/ws/2008/06/identity/authenticationmethod/passwordhttpschemas.microsoft/claims/multipleauthnurn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:Response>

SAMLRequest:
<samlp:AuthnRequest xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” xmlns=“urn:oasis:names:tc:SAML:2.0:assertion” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion” AssertionConsumerServiceURL=“httplocalhost:8080/auth/realms/demo/broker/azuread/endpoint” Destination=“httpslogin.microsoftonline…/84b12868-6728-441b-885b-169e86ff2143/saml2” ForceAuthn=“false” ID=“ID_dc4b5a19-3c81-44a4-8510-10218a1bb2d8” IssueInstant=“2022-01-07T17:42:29.519Z” ProtocolBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Version=“2.0”>e0dc8530-9bae-4f9c-8fdf-ce27fd071707<samlp:NameIDPolicy AllowCreate=“true” Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”/></samlp:AuthnRequest>

Modified all urls as I don’t have permission to post content with more than 2 links.

Assertion expired. is missleading error in the Keycloak source code. It should be assertion validation failed. Increase Keycloak log level to debug and you will see problem with audience validation:

11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Allowed audiences are: [https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client, https://localhost:8443/auth/realms/demo]

Solution is already posted on the Stackoverflow. I would edit Service Provider Entity ID to correct value (Keycloak UI will be very likely complaining about : in the value, just paste proper value into form field and save it). That will modify SAML request → audience condition in the SAML response and Keycloak will accept Azure SAML response.

SAML is old-fashionated, but (unfortunately) still only one SSO protocol supported by many “enterprise” apps.

1 Like