Cloudflare SAML error: invalid signature

I’m trying to get Keycloak (SAML) to work with Cloudflare Access. So far, I’m getting an invalid requester error in the browser. In the Keycloak logs, it says:

17:15:57,065 WARN  [org.keycloak.events] (executor-thread-55) type=LOGIN_ERROR, realmId=ccf2b5ff-1f93-424e-a2a6-3c80b1cf3639, clientId=null, userId=null, ipAddress=24.125.46.9, error=invalid_signature

Here is my Keycloak setup:

Master SAML Processing URL: https://<keycloak-domain>/auth/realms/CF-realm/protocol/saml
Sign documents Off
Sign assertions: On 
Signing keys config: On
Imported PEM key from: <cloudflare-team-name>.cloudflareaccess.com/cdn-cgi/access/public-cert
Certificate: MIID...
Encrypt assertions: off

On the Cloudflare side:

Single sign on URL: https://<keycloak-domain>/realms/CF-realm/protocol/saml
IdP Entity ID or Issuer URL: https://<keycloak-domain>/realms/CF-realm
X509 Signing Certificate: MIID...(same as certificate on the keycloak side above)
Sign SAML authentication request: Off
Email attribute name: email
SAML attributes: email

I’m guessing my signing options are off.

Any idea what could be causing this?

Some of the steps that you can check:

  • Create the IDP in Keycloak with the SAML protocol, providing the Service Provider (SP) metadata.
  • Once it is created, under the IDP you will have the metadata to set up the client in the Service Provider.

Probably you are missing the second step: create the SAML client in the SP.
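The two failure modes discussed on this page (an IdP that cannot match the request to a registered SP client, and an IdP that is configured to require signed AuthnRequests while the SP sends them unsigned) can be shown end to end with a small model of the SAML HTTP-Redirect binding. This is an added example, not code from the original post, from Keycloak or from Cloudflare. It assumes a hypothetical client registry (`CLIENTS`, with invented entity IDs under `example.test`) in which `require_signed_request` stands in for a Keycloak SAML client's "Client signature required" switch, which is what importing an SP certificate into the IdP is assumed to imply; the only error name taken from the page is `invalid_signature`, the others (`client_not_found`, `invalid_request`) are constructed for the example. `demo_signer_verifier` is an HMAC stand-in for RSA-SHA256 so the block runs offline; it is not valid SAML signing.

```python
"""IdP-side AuthnRequest policy check for the SAML HTTP-Redirect binding (added example)."""
import base64
import hashlib
import hmac
import zlib
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Hypothetical IdP client registry (assumption, invented entity IDs). The flag stands in for a
# Keycloak SAML client whose "Client signature required" switch is on or off.
CLIENTS = {
    "https://sp.example.test/saml/metadata": {"require_signed_request": True},
    "https://lenient-sp.example.test/saml/metadata": {"require_signed_request": False},
}


def build_authn_request(issuer: str, sso_url: str, request_id: str = "_req1") -> str:
    """SP side: minimal unsigned AuthnRequest (constructed sample, fixed IssueInstant)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{sso_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(sso_url: str, authn_request: str, relay_state: Optional[str] = None,
                         signer: Optional[Callable[[bytes], bytes]] = None) -> str:
    """SP side: raw DEFLATE, base64, URL-encode. With `signer`, sign the query string
    SAMLRequest=..&RelayState=..&SigAlg=.. exactly as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if signer is not None:
        params.append(("SigAlg", RSA_SHA256))
        signed_bytes = urlencode(params).encode()  # the URL-encoded query is what gets signed
        params.append(("Signature", base64.b64encode(signer(signed_bytes)).decode()))
    return f"{sso_url}?{urlencode(params)}"


def validate_redirect_request(url: str,
                              verify: Optional[Callable[[bytes, bytes, str], bool]] = None
                              ) -> Tuple[str, str]:
    """IdP side: returns ("ok", issuer) or ("<error>", detail)."""
    query = urlsplit(url).query
    qs = parse_qs(query, keep_blank_values=True)
    try:
        root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    except (KeyError, ValueError, zlib.error, ET.ParseError) as exc:
        return ("invalid_request", str(exc))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ("invalid_request", "not an AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    client = CLIENTS.get(issuer)
    if client is None:  # no SAML client registered for this Issuer: the answer's missing step
        return ("client_not_found", issuer)
    signature = qs.get("Signature", [""])[0]
    if client["require_signed_request"]:
        if not signature:  # the question's situation: IdP requires a signature, SP sent none
            return ("invalid_signature", "client requires a signed AuthnRequest but none present")
        # Rebuild the signed string from the still-encoded query, in the binding's fixed order.
        raw = {}
        for part in query.split("&"):
            key, _, value = part.partition("=")
            raw[key] = value
        signed_bytes = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg")
                                if k in raw).encode()
        sig_alg = qs.get("SigAlg", [""])[0]
        if verify is None or not verify(signed_bytes, base64.b64decode(signature), sig_alg):
            return ("invalid_signature", "signature did not verify against the registered SP key")
    return ("ok", issuer)


def demo_signer_verifier(secret: bytes):
    """HMAC stand-in for RSA-SHA256 with the SP key and certificate so the example runs offline.
    Not valid SAML signing; a real deployment verifies RSA over the same signed bytes."""
    def sign(data: bytes) -> bytes:
        return hmac.new(secret, data, hashlib.sha256).digest()

    def verify(data: bytes, sig: bytes, alg: str) -> bool:
        return alg == RSA_SHA256 and hmac.compare_digest(sign(data), sig)
    return sign, verify


if __name__ == "__main__":
    sso = "https://idp.example.test/realms/CF-realm/protocol/saml"  # hypothetical IdP URL
    strict, lenient = "https://sp.example.test/saml/metadata", "https://lenient-sp.example.test/saml/metadata"
    print(validate_redirect_request(redirect_binding_url(sso, build_authn_request(strict, sso))))
    print(validate_redirect_request(redirect_binding_url(sso, build_authn_request(lenient, sso))))
    sign, verify = demo_signer_verifier(b"sp-key")
    signed_url = redirect_binding_url(sso, build_authn_request(strict, sso), "state1", signer=sign)
    print(validate_redirect_request(signed_url, verify))
```

The first call reproduces the mismatch in the question (signature required, request unsigned), the second shows the same request accepted when the client does not require signing, and the third shows a signed request passing verification; turning the SP's "sign authentication request" option on or the IdP's signature requirement off are the two ways to make the policies agree.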