Invalid redirect uri for "Valid Redirect URIs with https://*"

Hi I have set up the keycloak docker containers behind the aws loadbalancer with ACM SSL certificates. I have created a SAML Client for Zabbix SSO integration.
I am getting “Invalid redirect uri” on the keycloak sso page when I put “https://*” in the “Valid Redirect URIs” field. “http://*” is working fine. Using aws RDS Mariadb as the database.
I have enabled “Require SSL” for “all requests” in the Realm settings.
I have followed https://www.keycloak.org/2019/05/keycloak-cluster-setup.html with JDBC_PING and https://hub.docker.com/r/jboss/keycloak/

What is the full URL of that ‘keycloak sso page’? There is a requested redirect URL parameter, and that one can really be http, so it may be working as expected.

I am following https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication#saml_authentication
“keycloak sso page” is https://id.mysite.net/auth/realms/master/protocol/saml?SAMLRequest=fVNNr9owELzzK1DuxAGUpFhARaEfSBQQ0B56eXLspVhK7DzvpvD66%2Bsk0EerJ3yxtJ4Zz47XYxRFXvJZRSezg%2BcKkDpdvy5FbpA3h5OgcoZbgRq5EQUgJ8n3s68rPggjXjpLVto8%2BI%2F2mCUQwZG2pqUtF5Ngs%2F642nxerp%2FepUKlqYqzZKRUMkxGo6GI4qjfj45HFcs0U5BGkZAt9Ts49DqTwMsGnVYNsYKlQRKGfD0aRL0o6Q2Gh37M44THox8tdeGb1UZQQz8RlcgZ0yokewYX4nOlnbOhAWLCx8MciLxAVggkcOzWN6ubbfW219IHbZQ2Px8nkLUg5F8Oh21vu9kfWpHZLZm5NVgV4PbgfmkJ33ar1qT3WFijyTpPf8Prb5Fl%2BsK8PFyeEG1Ynsr3QmIwbfTHtV%2FeROSmLXbM7muvqJKvve3lYmtzLV%2Baer0%2BWVcIetxdXdGqd2ygnJwwqMFQ8Fdkluf2PPeREkwCchUEXfbP1ddhBNWMpg%2BD4ELduS1K4TTWLwYXIena1Wtn9%2FB57udsB8fpw1GUXNY4X9767Wydqh8SpL%2F7UBsvraNrRG%2BKt67ZA9vTzu34%2Fp9N%2FwA%3D&RelayState=http%3A%2F%2Fmonitoring.mysite.net%2Fzabbix%2Findex_sso.php&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=fVMk9cjaGyFbcVE1kRX4CE5QxObXxJOJQjscENFHuW%2B6YvC4fxBNw6HoRT3HPbNlYiLo4DxKMcwpFdMehZ%2FPEUXQkv%2BLdOm2q0csJRtH%2FgRL1yge3MCSN%2BEJ35jQ2vEr6iMppqdPXUPX0OQYfWz%2B19EknQ4exi3qsQAxsO0mzO3wVRhvAm9JSp3M2evmIobd5G1y1YU6AlNL%2FVDQieJwwwHX4WglJjh%2BngfQbQY0yleYOqGfJ729khxa1t032C5%2FtHe3Z%2B03E64J6jABqdvvfTTVH7S4Qx5S8Q7v47T3gJQv%2BxaVdaxZWCrGOJjpfiImgfEB0Q9TnDqXcs2SzeJBQA%3D%3D

I can’t decode the SAML request (probably encrypted), but see the RelayState:


So I guess the SAML request also requests a redirect to http and not https - it is working as expected - not a Keycloak issue.

Blind guess: you are using a reverse proxy with SSL offloading and you didn’t forward the info that https must be used to the backend.

The problem seems to be in your infrastructure setup and not in Keycloak. Maybe the Zabbix frontend doesn’t support your setup (SSL offloading with SAML).
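The diagnostic step the reply above describes (look at what the SP actually asked for), as an added worked example that is not part of the original thread and is not Keycloak or Zabbix code. A SAMLRequest sent with the HTTP-Redirect binding is DEFLATE-compressed, base64- and URL-encoded, and signed through the separate SigAlg/Signature parameters; it is not encrypted, so it can be decoded offline and its AssertionConsumerServiceURL compared with the RelayState. The AuthnRequest, its ID and timestamp, and the login URL built from it are constructed for this example (the hostnames mirror the ones in the thread); the signature parameters are omitted because they do not affect the check. Whether the SP puts http or https into these values depends on what the SP itself sees, so if both come out as http, the thing to fix is the SP or the proxy headers it trusts, not the Keycloak client.

```python
# Added example (not from the thread, not Keycloak/Zabbix code): decode a
# SAML HTTP-Redirect binding request offline and report which scheme the
# service provider asked the IdP to send the response back to.
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

IDP_SSO_URL = "https://id.mysite.net/auth/realms/master/protocol/saml"

# Constructed AuthnRequest; the ACS URL and RelayState mirror the http://
# values seen in the thread, the ID and timestamp are made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://id.mysite.net/auth/realms/master/protocol/saml" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://monitoring.mysite.net/zabbix/index_sso.php?acs">'
    '<saml:Issuer>zabbix</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_RELAY_STATE = "http://monitoring.mysite.net/zabbix/index_sso.php"


def encode_redirect_binding(xml_text: str) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE (no zlib header),
    base64, then URL-encode. Used here only to build the sample URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15 = raw deflate
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_saml_request(param: str) -> str:
    """Reverse of the above; accepts the value URL-encoded or already decoded."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def build_login_url(idp_sso_url: str, xml_text: str, relay_state: str) -> str:
    """Unsigned redirect-binding URL (a real SP adds SigAlg and Signature,
    which do not change the diagnosis below)."""
    return (idp_sso_url + "?SAMLRequest=" + encode_redirect_binding(xml_text)
            + "&RelayState=" + urllib.parse.quote(relay_state, safe=""))


def scheme_of(url: str) -> str:
    return urllib.parse.urlsplit(url).scheme.lower()


def diagnose_login_url(login_url: str) -> dict:
    """Pull SAMLRequest and RelayState out of the IdP login URL the browser
    was sent to, and say whether the SP is asking for https or http."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(login_url).query)
    xml_text = decode_saml_request(query["SAMLRequest"][0])
    acs = ET.fromstring(xml_text).get("AssertionConsumerServiceURL", "")
    relay = query.get("RelayState", [""])[0]
    relay_ok = relay == "" or scheme_of(relay) == "https"
    return {
        "acs_url": acs,
        "acs_scheme": scheme_of(acs),
        "relay_state": relay,
        "relay_scheme": scheme_of(relay) if relay else "",
        # If this is False, fix the SP (or the proxy headers it trusts) first;
        # a "https://..." Valid Redirect URI in Keycloak can never match it.
        "sp_asks_for_https": scheme_of(acs) == "https" and relay_ok,
    }


if __name__ == "__main__":
    url = build_login_url(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, SAMPLE_RELAY_STATE)
    for key, value in diagnose_login_url(url).items():
        print(f"{key}: {value}")
```

To run this against a real login, paste the full URL from the browser into diagnose_login_url(); the parse_qs() call undoes the %2B/%2F/%3D escaping of the base64 value for you.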

Thanks for the quick reply, let me check the SSL offloading option.

I have allowed http traffic on the loadbalancer and now it works on http, but on the ‘zabbix’ side the “Username attribute” value is causing issues. I am getting the following error on zabbix due to this value:

“The parameter “username” is missing from the user attributes.”

We may need the “saml_username_attribute” value here. I tried all the values given in the doc https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication#saml_authentication
From the keycloak database:
MariaDB [keycloak]> select * from USER_ATTRIBUTE \G;
*************************** 1. row ***************************
NAME: saml_username_attribute
VALUE: username
USER_ID: 5e913cc5-ab5c-4d73-97ab-6b85d03330ec
ID: 08152161-e0a9-4edf-9468-1f024c500eea
1 row in set (0.001 sec)

Thanks in advance

You should go to the client configuration and add a URL pattern for where you will be redirected after the authentication. You can check the URL in the browser; there is a redirect_url= parameter, so that should be added to your client configuration.

I’ve been trying keycloak recently and my Valid Redirect URIs is https://… but when I try the test app, Keycloak is changing the redirect_uri to http instead. If I change the redirect_uri query string manually to https it works, but by default it is giving me the error: Invalid parameter: redirect_uri.
How do I set it to redirect to https?

I used to have the same problem. I do not know exactly what, but the cause was in the settings of the nginx.

Has there been a solution found for this? We are experiencing the same exact problem.

You need to do 2 things:

  1. configure your client app to pass the correct redirect url to keycloak (how that is done depends on the app)
  2. configure keycloak to accept this redirect url (never use too wide wildcard redirect uris here)

This is an important security measure to avoid redirecting to a wrong site that could intercept the tokens…
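The two steps above, and the reason step 2 warns against wide wildcards, as an added worked example that is not part of the original thread and is not Keycloak's own matching code. It models Valid Redirect URIs entries with simplified semantics (an entry ending in "*" matches any redirect URI that starts with the text before the "*"; anything else must match exactly), which is an assumption made for the illustration. The callback URLs reuse the hostnames from the thread; the attacker host is made up. The same matcher covers both the SAML AssertionConsumerServiceURL case from earlier in the thread and the OIDC redirect_uri case raised later, since Keycloak checks both against the same Valid Redirect URIs field.

```python
# Added example (not Keycloak's code): a simplified model of how a Valid
# Redirect URIs entry is matched, used to show what "https://*" lets through
# compared with an entry scoped to the app's real callback.
from urllib.parse import urlsplit, urlunsplit

# The hostnames from the thread plus a made-up attacker host.
APP_ACS = "https://monitoring.mysite.net/zabbix/index_sso.php?acs"
APP_ACS_HTTP = "http://monitoring.mysite.net/zabbix/index_sso.php?acs"
ATTACKER = "https://attacker.example/collect"   # constructed

TOO_WIDE = ["https://*"]
PATH_SCOPED = ["https://monitoring.mysite.net/zabbix/*"]
EXACT = [APP_ACS]


def matches(pattern: str, redirect_uri: str) -> bool:
    """Simplified Keycloak-style semantics (assumption, not its code): a
    pattern ending in '*' matches any URI starting with the text before the
    '*'; anything else must match exactly."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def is_valid_redirect(valid_uris, redirect_uri: str) -> bool:
    """Accept only absolute http(s) URLs with a host, then apply the patterns."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return any(matches(p, redirect_uri) for p in valid_uris)


def accepted_hosts(valid_uris, candidates) -> set:
    """Which distinct hosts a configuration would send tokens/assertions to."""
    return {urlsplit(u).netloc for u in candidates if is_valid_redirect(valid_uris, u)}


def suggest_pattern(observed_redirect_uri: str) -> str:
    """Turn the redirect URI the app reports (step 1) into the narrowest
    useful entry: same scheme, host and path, any query string."""
    s = urlsplit(observed_redirect_uri)
    return urlunsplit((s.scheme, s.netloc, s.path, "", "")) + "*"


if __name__ == "__main__":
    candidates = [APP_ACS, APP_ACS_HTTP, ATTACKER]
    for name, cfg in (("https://*", TOO_WIDE), ("path-scoped", PATH_SCOPED), ("exact", EXACT)):
        print(f"{name:12} -> hosts that get a token: {sorted(accepted_hosts(cfg, candidates))}")
    print("suggested entry for", APP_ACS, "->", suggest_pattern(APP_ACS))
```

The point of accepted_hosts() is the blast radius: with "https://*" the attacker host receives the token or assertion as readily as the real app, while a path-scoped or exact entry accepts only the app and also rejects the http:// variant, which is exactly the mismatch the thread started with. suggest_pattern() is what to type into the client once the app reports its callback.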

The only way I was able to get it to work was to use the “too wide wildcard redirect”. What could I be doing wrong?

enter the redirect url that your app is reporting…