ERROR [org.keycloak.saml.common] (default task-26) Error in base64 decoding saml message: org.keycloak.saml.common.exceptions.ProcessingException: PL00102: Processing Exception:

I was trying to set up a SAML identity provider to test my Service Provider but I kept getting the base64 decoding saml message error in the server log when the SP sent an AuthnRequest to the server. What I was trying to do was set up a simple SAML IdP which doesn’t require the SP to sign the request but it should sign the response.

Below is an example of my request message.

And below is the redirect url that my app created from the AuthnRequest response:

http://172.28.5.220:8080/auth/realms/demo/protocol/saml?SAMLRequest=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%2BDQo8L3NhbWwycDpBdXRoblJlcXVlc3Q%2B

I was expecting the IdP to display the login page but it was just freezing and timing out.

Decode your SAML request with SAML Decoder - Online SAML Request-Response Decode Tool - Base64 - Inflate and you will see garbage at the end:

It doesn’t look like a valid SAML request, so I can imagine that Keycloak has a problem decoding that SAML request properly.


Hi,

I have the same issue with an SP initiated SSO request and need some further help.

We also have some garbage at the end of the SAML requests.
During some test with SAML Decoder - Online SAML Request-Response Decode Tool - Base64 - Inflate I found that this seems to be due to a “+” to “%2B” conversion in the SAML request URL.

I initially thought this was OK because the translation was done by my SP when using http-redirect (it does not support http-post).
But now I’m kind of lost.

Could anyone shed some light on this?

There’s a ‘urlsafe’ base64 mode and a default one. In the urlsafe encoding all ‘+’ and ‘/’ characters are replaced with ‘-’ and ‘_’.

Base64 - Wikipedia (the base64url format).

Maybe one of the actors doing this base64 encoding missed the ‘url’ flavor (for example in python you have to use urlsafe_b64encode() instead of b64encode()).

Thank you for your time and help.

So my SP should not use ‘%2B’ but instead ‘-’ to encode the SAML request?

Yes, that’s it. And also ‘_’ for ‘/’ characters. But more precisely they should ensure they use the right base64Encode function (or option), which certainly exists in the language they use to make this conversion.
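As an added illustration of the encoding chain the thread is debugging (this is not code from any poster, from Keycloak, or from the online decoder mentioned above), the following Python uses only the standard library to replay both halves of the SAML HTTP-Redirect binding: the SP side deflates the AuthnRequest, base64-encodes it with the standard alphabet and percent-encodes it into the query string (which is where a ‘+’ legitimately becomes %2B), and the IdP side percent-decodes, base64-decodes and inflates it. The `decode_or_diagnose` helper does by code what the online decoder does by hand: it reports which stage breaks, so the “garbage at the end” symptom can be traced to a skipped percent-encoding step (a literal ‘+’ that a server reads as a space), to a base64url alphabet that a standard decoder rejects, or to a payload that is not DEFLATE at all. The AuthnRequest XML, the IdP URL and the short hand-made base64 strings are constructed placeholders, not the poster’s actual message.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder IdP endpoint (same path shape as a Keycloak realm SAML endpoint).
IDP_SSO_URL = "http://idp.example.test/auth/realms/demo/protocol/saml"

# Constructed, minimal AuthnRequest; not the poster's real request.
SAMPLE_AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="' + IDP_SSO_URL + '">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp.example.test</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)

SAML2P_AUTHN_REQUEST_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"


def deflate_b64(xml_text: str) -> str:
    """SP side: raw DEFLATE (wbits=-15, no zlib header) then *standard* base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def build_redirect_url(xml_text: str, idp_url: str = IDP_SSO_URL) -> str:
    """SP side: percent-encode the base64 so '+', '/' and '=' survive the query string.
    urlencode() turns '+' into %2B, '/' into %2F and '=' into %3D."""
    return idp_url + "?" + urlencode({"SAMLRequest": deflate_b64(xml_text)})


def inflate_b64(b64_text: str) -> str:
    """IdP side: strict standard base64 decode, raw inflate, UTF-8 decode."""
    raw = base64.b64decode(b64_text, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_redirect_url(url: str) -> str:
    """IdP side: parse_qs() percent-decodes the parameter (and maps a literal '+' to a space,
    which is exactly why an SP must send %2B), then inflate."""
    query = parse_qs(urlsplit(url).query)
    return inflate_b64(query["SAMLRequest"][0])


def is_valid_authn_request(xml_text: str) -> bool:
    """True only if the text parses as XML and its root is saml2p:AuthnRequest."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return root.tag == SAML2P_AUTHN_REQUEST_TAG


def decode_or_diagnose(b64_text: str) -> str:
    """Report the first stage that fails for a received SAMLRequest value, or 'ok'."""
    if "-" in b64_text or "_" in b64_text:
        return "base64url alphabet detected; the Redirect binding uses standard base64"
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return "base64 decode failed (non-alphabet character, e.g. a space where '+' should be)"
    try:
        xml_text = zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError):
        return "inflate failed (payload is corrupted or not raw DEFLATE)"
    return "ok" if is_valid_authn_request(xml_text) else "inflated, but not a saml2p:AuthnRequest"


def diagnose_redirect_url(url: str) -> str:
    """Run the diagnosis on a full redirect URL, the way the IdP would receive it."""
    query = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in query:
        return "no SAMLRequest parameter"
    return decode_or_diagnose(query["SAMLRequest"][0])


if __name__ == "__main__":
    url = build_redirect_url(SAMPLE_AUTHN_REQUEST)
    print(url)
    print(diagnose_redirect_url(url))
    # A literal '+' left unescaped in the query is read back as a space by the server.
    print(diagnose_redirect_url(IDP_SSO_URL + "?SAMLRequest=+/8="))
```

Running it shows the round trip succeeding when the SP percent-encodes, and the base64 stage failing when a literal ‘+’ is left in the query string, because the receiver decodes it as a space before it ever reaches the base64 decoder.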