Invalid redirect uri for "Valid Redirect URIs with https://*"

Hi, I have set up the keycloak docker containers behind the aws loadbalancer with ACM SSL certificates. I have created a SAML Client for Zabbix SSO integration.
I am getting “Invalid redirect uri” on the keycloak sso page while adding “https://*” on the “Valid Redirect URIs” field. “http://*” is working fine. Using aws RDS Mariadb as database.
I have enabled “Require SSL” for “all request” on the Realm setting.
I have followed https://www.keycloak.org/2019/05/keycloak-cluster-setup.html with JDBC_PING and https://hub.docker.com/r/jboss/keycloak/

What is the full URL of that ‘keycloak sso page’? There is a requested redirect URL parameter, and that one can really be http, so it may be working as expected.

I am following https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication#saml_authentication
“keycloak sso page” is https://id.mysite.net/auth/realms/master/protocol/saml?SAMLRequest=fVNNr9owELzzK1DuxAGUpFhARaEfSBQQ0B56eXLspVhK7DzvpvD66%2Bsk0EerJ3yxtJ4Zz47XYxRFXvJZRSezg%2BcKkDpdvy5FbpA3h5OgcoZbgRq5EQUgJ8n3s68rPggjXjpLVto8%2BI%2F2mCUQwZG2pqUtF5Ngs%2F642nxerp%2FepUKlqYqzZKRUMkxGo6GI4qjfj45HFcs0U5BGkZAt9Ts49DqTwMsGnVYNsYKlQRKGfD0aRL0o6Q2Gh37M44THox8tdeGb1UZQQz8RlcgZ0yokewYX4nOlnbOhAWLCx8MciLxAVggkcOzWN6ubbfW219IHbZQ2Px8nkLUg5F8Oh21vu9kfWpHZLZm5NVgV4PbgfmkJ33ar1qT3WFijyTpPf8Prb5Fl%2BsK8PFyeEG1Ynsr3QmIwbfTHtV%2FeROSmLXbM7muvqJKvve3lYmtzLV%2Baer0%2BWVcIetxdXdGqd2ygnJwwqMFQ8Fdkluf2PPeREkwCchUEXfbP1ddhBNWMpg%2BD4ELduS1K4TTWLwYXIena1Wtn9%2FB57udsB8fpw1GUXNY4X9767Wydqh8SpL%2F7UBsvraNrRG%2BKt67ZA9vTzu34%2Fp9N%2FwA%3D&RelayState=http%3A%2F%2Fmonitoring.mysite.net%2Fzabbix%2Findex_sso.php&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=fVMk9cjaGyFbcVE1kRX4CE5QxObXxJOJQjscENFHuW%2B6YvC4fxBNw6HoRT3HPbNlYiLo4DxKMcwpFdMehZ%2FPEUXQkv%2BLdOm2q0csJRtH%2FgRL1yge3MCSN%2BEJ35jQ2vEr6iMppqdPXUPX0OQYfWz%2B19EknQ4exi3qsQAxsO0mzO3wVRhvAm9JSp3M2evmIobd5G1y1YU6AlNL%2FVDQieJwwwHX4WglJjh%2BngfQbQY0yleYOqGfJ729khxa1t032C5%2FtHe3Z%2B03E64J6jABqdvvfTTVH7S4Qx5S8Q7v47T3gJQv%2BxaVdaxZWCrGOJjpfiImgfEB0Q9TnDqXcs2SzeJBQA%3D%3D

I can’t decode the SAML request (probably encrypted), but see RelayState:


So I guess the SAML request also requests a redirect to http and not https - it is working as expected - not a Keycloak issue.

Blind guess: you are using a reverse proxy with ssl offloading and you didn’t forward the info that https must be used to the backend.

The problem seems to be in your infrastructure setup and not in Keycloak. Maybe the Zabbix frontend doesn’t support your setup (ssl offloading with SAML).
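A way to check which scheme the service provider actually asked for, as an added example that is not part of the original thread: in the SAML HTTP-Redirect binding the SAMLRequest parameter is DEFLATE-compressed and base64-encoded, so it can be inflated to read the AssertionConsumerServiceURL. The host names, the sample request and the simplified trailing-wildcard matcher are assumptions made for the demo.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode


def decode_redirect_binding(sso_url):
    """Return (AssertionConsumerServiceURL, RelayState) from a SAML HTTP-Redirect URL."""
    query = parse_qs(urlsplit(sso_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    # Redirect binding uses raw DEFLATE (no zlib header), hence wbits=-15
    xml = zlib.decompress(raw, -15)
    # Only parse requests captured from your own browser; use a hardened parser otherwise
    root = ET.fromstring(xml)
    return root.get("AssertionConsumerServiceURL"), query.get("RelayState", [None])[0]


def is_allowed(url, patterns):
    """Simplified matcher (assumption): exact match, or prefix match if pattern ends in '*'."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if url.startswith(pattern[:-1]):
                return True
        elif url == pattern:
            return True
    return False


def build_sample_url(acs_url, relay_state):
    """Construct an unsigned sample AuthnRequest URL; hosts are placeholders."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}"/>'
    ).encode()
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return "https://idp.example.test/auth/realms/master/protocol/saml?" + urlencode(params)


if __name__ == "__main__":
    # Constructed case: SP behind a TLS-terminating load balancer, unaware the public scheme is https
    url = build_sample_url("http://sp.example.test/index_sso.php?acs",
                           "http://sp.example.test/index_sso.php")
    acs, relay = decode_redirect_binding(url)
    print("ACS URL:", acs, "| RelayState:", relay)
    print("allowed by https://*:", is_allowed(acs, ["https://*"]))
    print("allowed by http://*: ", is_allowed(acs, ["http://*"]))
```

If the decoded ACS URL starts with http:// while the client only lists https:// patterns, the fix belongs on the service provider or proxy side (forwarding the original scheme), not in the Valid Redirect URIs field.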

Thanks for the quick reply, let me check the ssl offloading option

I have allowed http traffic on the loadbalancer and now it works on http, but on the ‘zabbix’ side the “Username attribute” value is causing issues. I am getting the following error on zabbix due to this value

“The parameter “username” is missing from the user attributes.”

We may need “saml_username_attribute” value here. I tried all the values given on the doc https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication#saml_authentication
From keycloak database:-
MariaDB [keycloak]> select * from USER_ATTRIBUTE \G;
*************************** 1. row ***************************
NAME: saml_username_attribute
VALUE: username
USER_ID: 5e913cc5-ab5c-4d73-97ab-6b85d03330ec
ID: 08152161-e0a9-4edf-9468-1f024c500eea
1 row in set (0.001 sec)

Thanks in advance

You should go to the client configuration and add a URL pattern where you will be redirected after the authentication. You can check the URL in the browser and there is a redirect_url= , so that should be added to your client configuration

I’ve been trying keycloak recently and my Valid Redirect URIs is https://… but when I try the test app, Keycloak is changing the redirect_uri to http instead. If I change the redirect_uri query string manually to https it works, but by default it is giving me the error: Invalid parameter: redirect_uri.
How do I set it to redirect to https?