Internal error on configuration of Slack SAML SSO with Keycloak

I got this error on Keycloak while trying to test the configuration:

We are sorry…

An internal server error has occurred

Docker logs:

15:54:45,180 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /auth for path /auth/realms/master/protocol/saml/resolve
15:54:45,181 DEBUG [io.undertow.request.security] (default task-8) Attempting to authenticate /auth/realms/master/protocol/saml/resolve, authentication required: false
15:54:45,181 DEBUG [io.undertow.request.security] (default task-8) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@431ad8b4 for /auth/realms/master/protocol/saml/resolve
15:54:45,181 DEBUG [io.undertow.request.security] (default task-8) Authentication result was ATTEMPTED for /auth/realms/master/protocol/saml/resolve
15:54:45,181 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) RESTEASY002315: PathInfo: /realms/master/protocol/saml/resolve
15:54:45,182 DEBUG [freemarker.cache] (default task-8) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it.
15:54:45,183 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("error_en_US.ftl"): Not found
15:54:45,183 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("error_en.ftl"): Not found
15:54:45,183 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("error.ftl"): Found
15:54:45,183 DEBUG [freemarker.cache] (default task-8) Loading template for "error.ftl"("en_US", UTF-8, parsed) from "file:/opt/jboss/keycloak/themes/base/login/error.ftl"
15:54:45,184 DEBUG [freemarker.cache] (default task-8) Couldn't find template in cache for "template.ftl"("en_US", UTF-8, parsed); will try to load it.
15:54:45,184 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
15:54:45,184 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
15:54:45,184 DEBUG [freemarker.cache] (default task-8) TemplateLoader.findTemplateSource("template.ftl"): Found
15:54:45,184 DEBUG [freemarker.cache] (default task-8) Loading template for "template.ftl"("en_US", UTF-8, parsed) from "file:/opt/jboss/keycloak/themes/base/login/template.ftl"
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) WriterInterceptor: org.jboss.resteasy.security.doseta.DigitalSigningInterceptor
15:54:45,196 DEBUG [org.jboss.resteasy.security.doseta.i18n] (default task-8) Interceptor : org.jboss.resteasy.security.doseta.DigitalSigningInterceptor,  Method : aroundWriteTo
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
15:54:45,196 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-8) MessageBodyWriter: org.jboss.resteasy.plugins.providers.StringTextStar


Check your Keycloak logs again, please. There is an error, but you published only some debug lines and not the error/warn lines.

Check docker logs, please.

When YOU ask someone to help, it is definitely a good idea that YOU provide all details and logs, because that SOMEONE may not have the time (and may not be paid for that) to replicate your issue. But you are lucky; I spent my time to run it, and the result:

[root@dockerhost ~]# docker logs my-keycloak > logs
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[root@dockerhost ~]# wc -l logs
65095 logs

My keycloak test container generated 65095 log lines in this case, which is 2712x more than you have provided. So do you really think that your Keycloak container generated only 24 DEBUG lines?

You have the wrong issuer and also the wrong SAML SSO URL. That /resolve is really not a valid Keycloak endpoint, so it generates an error (you can find in the logs what kind of error). You will find the correct values in your SAML IDP metadata on this endpoint:

The generated SAML request doesn't match the configured details of any SAML client in Keycloak. It can be anything: a different client ID (entity ID), a request signed (and encrypted) with a cert which is not configured in the Keycloak client configuration, … :man_shrugging:

It looks like you are guessing and trying something without reading documentation. Quick google and:

That really doesn’t look like what you have provisioned:

The SAML request contains the client ID/entity ID https://slack.com, which doesn't exist. The Keycloak error response "client not found" is 100% correct.

I would recommend reading the doc: Custom SAML single sign-on | Slack. Also the Certificates section can be a problem.

I bet your keys are wrong:

or the SAML request is not signed; then the Client Signature Required: ON client config doesn't make sense and it should be disabled.

I bet you will have more problems further on. SAML can be a pain. I would consider hiring someone to do your task.
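As an added diagnostic example (not code from the thread, from Keycloak or from Slack), the Python below decodes a SAMLRequest the way Keycloak receives it and checks the three mismatches discussed above: an Issuer/Client ID that matches no configured client, a Destination pointing at the /resolve path instead of the realm's SAML endpoint, and an unsigned request while Client Signature Required is ON. The Keycloak host, the configured Client ID and the sample AuthnRequest are constructed assumptions; an XML-embedded ds:Signature is only present with the POST binding, since the Redirect binding signs the query string instead.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def decode_saml_request(encoded: str) -> str:
    # Undo the SAMLRequest encoding: base64, plus raw DEFLATE for the Redirect binding.
    raw = base64.b64decode(encoded)
    if raw.startswith(b"<"):                   # POST binding: base64 only
        return raw.decode()
    return zlib.decompress(raw, -15).decode()  # Redirect binding: DEFLATE without zlib header

def inspect_authn_request(xml_text: str) -> dict:
    # Pull out the fields Keycloak matches against its SAML client configuration.
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "signed": root.find(f"{{{DSIG}}}Signature") is not None,  # embedded XML signature (POST binding)
    }

def diagnose(info: dict, client_ids: set, realm_saml_url: str, sig_required: bool) -> list:
    # Report the mismatches the thread describes: unknown Client ID, wrong SSO URL, unsigned request.
    problems = []
    if info["issuer"] not in client_ids:
        problems.append(f"client not found: no SAML client has Client ID {info['issuer']!r}")
    if info["destination"] != realm_saml_url:
        problems.append(f"Destination {info['destination']!r} is not the realm SAML endpoint {realm_saml_url!r}")
    if sig_required and not info["signed"]:
        problems.append("request is unsigned but 'Client Signature Required' is ON")
    return problems

def encode_redirect(xml_text: str) -> str:
    # Build a Redirect-binding SAMLRequest value (raw DEFLATE, then base64) as the demo input.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

# Constructed request mirroring the thread: Issuer https://slack.com, Destination ending in /resolve.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML}" ID="_constructed1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
  Destination="https://kc.example.test/auth/realms/master/protocol/saml/resolve">
  <saml:Issuer>https://slack.com</saml:Issuer>
</samlp:AuthnRequest>"""

def run_example() -> tuple:
    info = inspect_authn_request(decode_saml_request(encode_redirect(SAMPLE_REQUEST)))
    return info, diagnose(info, {"https://myteam.example.test"},  # hypothetical configured Client ID
                          "https://kc.example.test/auth/realms/master/protocol/saml", True)
```

Running `run_example()` returns the parsed fields plus three findings, matching the client-not-found, wrong-SSO-URL and unsigned-request points made in the thread.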