I am trying to configure Keycloak 8.0.1 to work with a Qlik Server using SAML (SP-initiated).
The redirect from Qlik to Keycloak works, and so does the login to Keycloak.
The Keycloak server sends the following SAML response back to the Qlik server:
<!-- Review notes are XML comments only; every element and attribute below is as pasted. -->
<!-- The outer Response carries no Signature of its own; only the embedded Assertion is signed (see dsig:Signature below). Some SPs require the Response to be signed as well, which is a separate IdP setting, so confirm what Qlik expects. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://appservermaster:443/keycloak/samlauthn/" ID="ID...73b" InResponseTo="_...6" IssueInstant="2020-01-23T16:02:02.923Z" Version="2.0">
<!-- NOTE(review): the Issuer is "https://localhost:8443/...", while Destination/Recipient point at appservermaster. An SP compares Issuer against the IdP entityID in the metadata it imported; if that was exported under a different host name the assertion is rejected. Verify which entityID Qlik has on file. -->
<saml:Issuer>https://localhost:8443/auth/realms/qlik</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<!-- The assertion ID is truncated in this paste ("ID_...ff"); the signature's Reference URI below must equal it exactly, or the SP cannot resolve the signed element. -->
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_...ff" IssueInstant="2020-01-23T16:02:02.923Z" Version="2.0">
<saml:Issuer>https://localhost:8443/auth/realms/qlik</saml:Issuer>
<!-- Enveloped signature over the Assertion (enveloped-signature + exclusive c14n transforms). The SP must verify it against the IdP certificate it already trusts, not against the key material shipped inside KeyInfo below. -->
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- rsa-sha1 and the sha1 DigestMethod below are deprecated for XML signatures; SHA-256 variants are the expected choice today. If Qlik rejects SHA-1, the signature algorithm is configurable per SAML client in Keycloak. -->
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- Must match the Assertion's ID attribute (prefixed with '#'). -->
<dsig:Reference URI="#ID_c8a7a38b-f805-4fb0-a154-dd8810de52ff">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>esh...QE=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>n+...Gg==</dsig:SignatureValue>
<!-- KeyInfo is advisory: it names the key and embeds the certificate and raw RSA public key. A verifier that trusts whatever KeyInfo contains would accept any self-signed assertion, so the SP should pin the IdP certificate from metadata. -->
<dsig:KeyInfo>
<dsig:KeyName>yu...us</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>MI...PYI</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>pIY...xvw==</dsig:Modulus>
<dsig:Exponent>A...</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<!-- NameID format is "unspecified"; Qlik may expect a specific format (e.g. one it can map to a user directory). Worth checking against the SP's required NameID format. -->
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qlikuser</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<!-- Bearer confirmation: the SP checks that InResponseTo matches the request it issued, that Recipient equals its ACS URL (here identical to Destination) and that NotOnOrAfter has not passed. -->
<saml:SubjectConfirmationData InResponseTo="_3330...c6" NotOnOrAfter="2020-01-23T16:07:00.923Z" Recipient="https://appservermaster:443/keycloak/samlauthn/"/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- NOTE(review): the Conditions window is only 60 seconds wide (16:02:00 to 16:03:00). Any clock skew between the IdP and SP larger than the SP's tolerance makes the assertion invalid on arrival; confirm both hosts are time-synchronised before looking elsewhere. -->
<saml:Conditions NotBefore="2020-01-23T16:02:00.923Z" NotOnOrAfter="2020-01-23T16:03:00.923Z">
<saml:AudienceRestriction>
<!-- Must equal the SP entityID configured on the Qlik side; a mismatch is a hard rejection. -->
<saml:Audience>qliklogin</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<!-- Two attributes are released, both carrying the same value as the NameID. Keep attribute release to what the SP actually maps. -->
<saml:AttributeStatement>
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qlikuser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qlikuser</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
The Qlik server responds with a 400 status code.
According to the Qlik Support team this seems to be the problem:
The SAML Response from Keycloak should contain some additional XML elements…
How can I add the “needed” elements to the Keycloak SAML Response?
Thanks,
remsy