Customise SamlService - external IDP - Destination field is missing

Hey,

I am struggling with the integration of an external SAML IDP in keycloak.

The saml2p:Response does not contain the Destination field, which leads to this error:

13:14:29,382 WARN [org.keycloak.events] (default task-119) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=GK, clientId=null, userId=null, ipAddress=x, error=invalid_logout_response, reason=missing_required_destination

Checking the Source Code leads to:

We have no control over the external IDP.

Is there a way to prevent the required customising?

Thanks

As an alternative: how is it possible to create a custom identity provider module based on the existing SAML one?

You can implement your own IdentityProvider and IdentityProviderFactory. In your case, you can just extend (or copy) the org.keycloak.broker.saml.SAMLIdentityProvider.

It’s not SAML, but I’ve got a roughly equivalent project for a social identity provider. It might help you get set up with the project and package structure: GitHub - xgp/keycloak-moneybird-idp: Moneybird IdP extension for Keycloak


Hey,

Your link helped, but I still struggle with the SAML part.
Is it required to mark them as SocialIdentityProvider?
Tried that:



The issue is that my custom SAML IDP broker is not displayed in the UI.

In your case, you’ll want to implement IdentityProviderFactory and put that in your services folder (or use the AutoService annotation, as I did in the example above, which does it for you).

Also, if you’re just making a few changes to the SAMLIdentityProviderFactory, why not just extend that class and override the methods you need to?

If you have a better idea, I am completely open and very thankful for your input:

The IDP is not providing a Destination attribute in the SAML response. Therefore I need to add it / disable the validation. We cannot change the IDP in any way.

The current approach is just copying the default SAML broker and adding it customised. The issue I have right now is that the module cannot get some core classes:

Anything I need to add besides the pom dependencies?

The Dependencies section in the jar manifest will need to have the modules you’re depending on as well. You can change those in the jar plugin: keycloak-moneybird-idp/pom.xml at main · xgp/keycloak-moneybird-idp · GitHub

You’ll probably need to add org.keycloak.keycloak-saml-core,org.keycloak.keycloak-saml-core-public and maybe some others.
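The extension approach suggested in the replies above (extend SAMLIdentityProviderFactory, override only what you need, register the factory via the services folder, and list the SAML modules in the manifest), shown as an added example that is not code from this thread, from the linked repository or from Keycloak itself. It assumes the WildFly-based Keycloak distribution's broker SPI of that era; the package, class names, provider id and log message are made up for illustration.

```java
package example.broker; // hypothetical package

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.saml.SAMLIdentityProvider;
import org.keycloak.broker.saml.SAMLIdentityProviderConfig;
import org.keycloak.broker.saml.SAMLIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.saml.validators.DestinationValidator;
import javax.ws.rs.core.Response;

// Register this class name in META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory
// (or use @AutoService). The jar manifest needs a Dependencies entry naming at least
// org.keycloak.keycloak-saml-core and org.keycloak.keycloak-saml-core-public, as discussed above.
public class CustomSAMLIdentityProviderFactory extends SAMLIdentityProviderFactory {

    // Hypothetical id; it must differ from the built-in "saml" so both brokers can coexist.
    public static final String PROVIDER_ID = "custom-saml";

    // The parent's validator field is private, so build our own from the same config key.
    private DestinationValidator destinationValidator;

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getName() { return "Custom SAML v2.0"; }

    @Override
    public void init(Config.Scope config) {
        super.init(config);
        destinationValidator = DestinationValidator.forProtocolMap(config.getArray("knownProtocols"));
    }

    @Override
    public SAMLIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new CustomSAMLIdentityProvider(session, new SAMLIdentityProviderConfig(model), destinationValidator);
    }

    // All stock SAML behaviour is inherited; override only the hooks that must change.
    public static class CustomSAMLIdentityProvider extends SAMLIdentityProvider {
        private static final Logger log = Logger.getLogger(CustomSAMLIdentityProvider.class);

        public CustomSAMLIdentityProvider(KeycloakSession s, SAMLIdentityProviderConfig c, DestinationValidator v) {
            super(s, c, v);
        }

        @Override
        public Response performLogin(AuthenticationRequest request) {
            // Log which client triggered the AuthnRequest, then delegate to the stock implementation.
            log.infof("authnRequest for client %s", request.getAuthenticationSession().getClient().getClientId());
            return super.performLogin(request);
        }
    }
}
```

Keeping the Destination check intact (as this subclass does) preserves the protection against responses replayed to a different endpoint; any relaxation should be confined to the one IDP that omits the field rather than applied to every SAML broker.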

That did the trick! Thank you!


The only thing is that the config page is not there yet. Need to check where I lost it:

Hey,

Maybe you can have another look.
I tested my “custom” SAML broker plugin locally in a comparable setup and it worked just like the default plugin.

Logfile:

11:24:58,926 INFO [saml.PGKSAMLIdentityProvider] (default task-2) authnRequest: ID_b6f63ad8-511d-4653-ac84-42d7418e59d5 OIDC-Liferay
11:24:59,014 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-2) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:24:59,034 WARN [org.keycloak.saml.common] (default task-2) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
11:25:18,178 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:25:18,180 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:25:18,181 INFO [saml.PGKSAMLEndpoint] (default task-1) clientId: OIDC-Liferay, tabId: cg-8Rc-c024, code: vpC2Qd_fe0zN49GPZLV5pl6tNpe_H0dDsvfu0bdTmCA
11:25:18,206 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=GK, clientId=null, userId=null, ipAddress=194.158.158.201, error=invalid_code
11:34:17,692 INFO [saml.PGKSAMLIdentityProvider] (default task-2) authnRequest: ID_5d41c6df-0f0c-45a5-851a-1bd731b0bd95 OIDC-Liferay
11:34:17,694 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-2) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,968 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,969 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,969 INFO [saml.PGKSAMLEndpoint] (default task-1) clientId: OIDC-Liferay, tabId: wZq0Bu_uwCw, code: ZXv383hqmkeifpyvLTtNw-sbdCMADY8zqyO_ZYuMV9I
11:35:25,972 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=GK, clientId=null, userId=null, ipAddress=194.158.158.201, error=invalid_code

The problem:

IdentityBrokerService → parseSessionCode → checks (line 1047) →

results in an invalid auth session.

The relay state looks fine:

client_id: OIDC-Liferay
tab_id: wZq0Bu_uwCw
session_code: 672K1W7o7YCbQpJGT9o3tdHrKm2k63o96WIyTGzfS0w

relay: ZXv383hqmkeifpyvLTtNw-sbdCMADY8zqyO_ZYuMV9I.wZq0Bu_uwCw.OIDC-Liferay

response

ZXv383hqmkeifpyvLTtNw-sbdCMADY8zqyO_ZYuMV9I.wZq0Bu_uwCw.OIDC-Liferay

Any idea?

Without seeing the code you have modified, it would be difficult to help debug. Is this available in a repo somewhere?

No, not really available.
I spent some time setting up a local test environment with one app, one IDP, one SP and used my custom broker. In this scenario everything worked.
I found out that the IDP is using an insecure connection to Keycloak, which caused Chrome to prevent creating the sessionAuthCookie.
Heavy debugging it was :smiley:
Thanks!
