Hello Guys,
I have set up Keycloak (19.0.1) as an IDP doing identity brokering to 6 other SAML IDPs.
Some of them work without any issue but one of them is breaking my nerves.
At the beginning I was receiving:
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-10) Response Issuer validation failed: expected urn:mace:cru.fr:federation:unice.fr, actual https://www.rediris.es/sir/usidp
I thought it was strange, it was as if a setting from one of my IDPs (unice) was taken as part of the configuration for another idp (rediris).
So I removed the issuer just to see and it works, rediris IDP goes one step further:
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-0) no principal in assertion; expected: FRIENDLY_ATTRIBUTE(mail)
Obviously, both IDPs don’t have the same assertion content and conventions.
So I changed the assertion needed for the first one (unice) and suddenly my second IDP (rediris) goes forward but tries to apply the mappers of the first one (and fails, of course).
I have restarted the app and tested plenty of things; do you have any idea how I could test further or fix it?
cheers,
JLo
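The two errors in the post correspond to two checks a SAML broker runs on every incoming Response: the Issuer must equal the entity ID configured for the provider alias the response was posted to, and the principal must be found in the assertion using that alias's configured principal type (Keycloak offers SUBJECT, ATTRIBUTE and FRIENDLY_ATTRIBUTE). The toy below is an added example, not Keycloak's code or anything from the post; it reproduces both checks against a constructed, unsigned Response, with hypothetical provider aliases and entity IDs, so you can see that the outcome depends entirely on which alias's configuration is selected. Signature verification, which a real broker does first, is deliberately out of scope.

```python
"""Toy SAML broker checks: Issuer validation and principal lookup, keyed by provider alias.
Added example, not Keycloak code. Aliases, entity IDs and the Response are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical per-alias broker configuration (mirrors the Keycloak settings named in
# the post's errors: expected Issuer and principal type + attribute).
BROKER_CONFIG = {
    "idp-a": {"expected_issuer": "https://idp-a.example.org/idp",
              "principal": ("FRIENDLY_ATTRIBUTE", "mail")},
    "idp-b": {"expected_issuer": "https://idp-b.example.org/idp",
              "principal": ("ATTRIBUTE", "urn:oid:0.9.2342.19200300.100.1.3")},
    # Same IdP as idp-b but asking for a friendly name the IdP does not send.
    "idp-b-wrong-principal": {"expected_issuer": "https://idp-b.example.org/idp",
                              "principal": ("FRIENDLY_ATTRIBUTE", "eppn")},
}

# Constructed, unsigned Response as idp-b would send it (signature checks omitted here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp-b.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp-b.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID>_opaque-persistent-id</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_issuer(root, expected_issuer):
    """Reject the Response unless its Issuer is exactly the entity ID configured for this alias."""
    issuer = root.find("saml:Issuer", NS)
    actual = issuer.text.strip() if issuer is not None and issuer.text else None
    if actual != expected_issuer:
        raise ValueError(f"Response Issuer validation failed: expected {expected_issuer}, actual {actual}")
    return actual


def find_principal(root, principal_type, principal_attr):
    """Locate the principal in the assertion the way the alias is configured to."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    if principal_type == "SUBJECT":
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None and name_id.text:
            return name_id.text.strip()
    else:
        key = "FriendlyName" if principal_type == "FRIENDLY_ATTRIBUTE" else "Name"
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get(key) == principal_attr:
                value = attr.find("saml:AttributeValue", NS)
                if value is not None and value.text:
                    return value.text.strip()
    raise ValueError(f"no principal in assertion; expected: {principal_type}({principal_attr})")


def process_response(alias, response_xml):
    """Run both checks using the configuration of the alias the Response arrived at."""
    cfg = BROKER_CONFIG[alias]
    root = ET.fromstring(response_xml)
    issuer = validate_issuer(root, cfg["expected_issuer"])
    principal = find_principal(root, *cfg["principal"])
    return {"alias": alias, "issuer": issuer, "principal": principal}


if __name__ == "__main__":
    print(process_response("idp-b", SAMPLE_RESPONSE))
    for alias in ("idp-a", "idp-b-wrong-principal"):
        try:
            process_response(alias, SAMPLE_RESPONSE)
        except ValueError as err:
            print(f"{alias}: {err}")
```

Running it shows the same two messages as the post, produced by the same Response, purely because a different alias's settings were applied. In a broker that keys its configuration on the endpoint the Response was posted to, an "expected A, actual B" Issuer error on a genuine B login therefore points at B's Response arriving at A's endpoint, so the assertion consumer URL that the B IdP has on file for the broker is worth comparing against the one generated for B's alias; silently accepting such a mismatch, as the post's workaround of clearing the issuer does, would let any of the federated IdPs assert identities under another provider's mappers.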