Getting "invalid_saml_response reason: invalid_destination" error in Keycloak 11 (kubernetes)

Hi everyone,

I’m dealing with an issue for more than a week without being able to solve it. I have Keycloak deployed in a Kubernetes cluster and am trying to do a SAML login through an IDP. When I send the SAML request from my IDP I see the error “Invalid Request” and in the Keycloak logs I see:

type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=cdc88f3a-5cc8-4f96-bab6-8ce0b7340a86, clientId=null, userId=null, error=invalid_saml_response, reason=invalid_destination, requestUri=http://keycloak.domain.com/auth/realms/mgmt-keycloak/broker/test/endpoint/clients/test-saml

but on the SAML request and response XML I have:

.... Destination="https://keycloak.domain.com/auth/realms/mgmt-keycloak/broker/test/endpoint/clients/test-saml"

It seems that the problem is the http !== https but I can’t find a way to make the requestUri be always “https”. On version 4.8.3 I had the “fixed” hostname with alwaysHttps = true but now I can’t do that.

This is part of the configuration I’m trying to make work:

/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value="https://keycloak.domain.com/auth")
/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl,value=true)

My Kubernetes service manifest is sending traffic from port 80 to port 8080 of Keycloak. I tried sending it to port 8443 but it didn’t work.

Does someone have any clue what I’m doing wrong?

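The following is an added example, not Keycloak's own code and not part of the original post. It is a simplified model of the check that produces reason=invalid_destination: the SAML message's Destination attribute is compared with the URL the server believes the request arrived on, and that URL depends on whether the container trusts the reverse proxy's X-Forwarded-Proto / X-Forwarded-Host headers (assumed here to be the headers the ingress sends; the endpoint path and hostname are the ones from the question, the SAML Response itself is constructed). The third scenario in the block is the one to verify on a real cluster: proxy forwarding enabled on the listener and the ingress actually setting X-Forwarded-Proto: https, since enabling forwarding without the header still yields http.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlunsplit

# Endpoint path from the question; the Response below is a constructed sample
# in which only the Destination attribute matters for this check.
ENDPOINT_PATH = "/auth/realms/mgmt-keycloak/broker/test/endpoint/clients/test-saml"
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    f'Destination="https://keycloak.domain.com{ENDPOINT_PATH}"/>'
)


def extract_destination(xml_text: str) -> str:
    """Return the Destination attribute of the SAML root element (Response or AuthnRequest)."""
    root = ET.fromstring(xml_text)
    dest = root.get("Destination")
    if dest is None:
        raise ValueError("SAML message has no Destination attribute")
    return dest


def effective_request_url(listener_scheme: str, host_header: str, path: str,
                          headers: dict, proxy_address_forwarding: bool) -> str:
    """Reconstruct the URL the server believes it was reached on.

    Models a servlet container behind a reverse proxy (hypothetical
    simplification, not Keycloak/Undertow logic): without proxy header
    forwarding it only knows its own listener's scheme (http on 8080); with
    forwarding enabled it trusts X-Forwarded-Proto / X-Forwarded-Host.
    """
    scheme, host = listener_scheme, host_header
    if proxy_address_forwarding:
        # A chain of proxies may append values; the first one is the client-facing scheme/host.
        scheme = headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip()
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
    return urlunsplit((scheme, host, path, "", ""))


def destination_matches(xml_text: str, request_url: str) -> bool:
    """The comparison that fails with reason=invalid_destination: exact string match."""
    return extract_destination(xml_text) == request_url


def diagnose(headers: dict, proxy_address_forwarding: bool) -> dict:
    """Run the sample Response through one proxy configuration and report what the server saw."""
    seen = effective_request_url("http", "keycloak.domain.com", ENDPOINT_PATH,
                                 headers, proxy_address_forwarding)
    return {
        "request_url": seen,
        "destination": extract_destination(SAMPLE_RESPONSE),
        "valid": destination_matches(SAMPLE_RESPONSE, seen),
    }


if __name__ == "__main__":
    # 1. Ingress sends the header but forwarding is off: server sees http, mismatch.
    print(diagnose({"X-Forwarded-Proto": "https"}, proxy_address_forwarding=False))
    # 2. Forwarding on but the ingress never sets the header: still http, still a mismatch.
    print(diagnose({}, proxy_address_forwarding=True))
    # 3. Forwarding on and the ingress sets the header: Destination matches.
    print(diagnose({"X-Forwarded-Proto": "https"}, proxy_address_forwarding=True))
```

Scenario 2 is the usual culprit when proxy-address-forwarding is already true and the error persists: the header has to be present on the request that reaches the pod, which can be confirmed by capturing one request at the Keycloak listener rather than at the ingress.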