Invalid SAML Response (Invalid Destination)

Hi,

I’m trying to set up my new Keycloak installation to use a SAML identity provider like G Suite or Okta, but I keep getting this error:

21:26:58,640 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=tier0, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination

I get a page that looks like this:

To describe my setup a bit:

I have Keycloak running in Kubernetes. I am using Kubernetes Ingress to proxy requests to Keycloak. So, anything going to https://www.example.com/keycloak gets the keycloak suffix removed (via URL rewriting) and sent to the Keycloak server. I have the environment variable KEYCLOAK_FRONTEND_URL for the Keycloak Docker container set to https://tierzero-qa.ymeadows.com/keycloak/auth, so that it rewrites the URLs correctly for being behind a proxy. This works fine and I can access the admin URL, etc.

I’ve inspected the SAML authentication request sent to https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint which returns a 400. The SAML XML contains:

<saml2p:Response Destination="https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint" ID="id54247602897116181151547528" InResponseTo="ID_0f723e70-043b-42b3-991e-f7fe498b1c50" IssueInstant="2020-09-07T21:26:58.155Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

That destination URL matches the URL that the request is sent to. So, why is the destination considered invalid?

I’ve tried this with multiple IdPs (G Suite and Okta) and get the same problem in both cases.

Thank you!

Did you ever figure this out ? I have the same issue.

Yes, it was because I have Keycloak in Kubernetes behind an Ingress service. I’m using Nginx Ingress. I needed to configure use_forward_headers to true. I also had to ensure that the incoming connection came into Nginx Ingress via HTTPS and port 443.

This issue happens when Keycloak thinks that the URL it is being contacted on is different from the URL in the payload. You have to make sure that all the X-Forwarded-* headers are being sent correctly and that Keycloak is configured to use them. Otherwise it might think it’s at a different URL than it really is.
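To make the mismatch described in this reply concrete, here is a small model of the Destination check, written for this thread as an added illustration (it is not Keycloak’s own code). It parses the Destination attribute out of a SAML Response, reconstructs the URL a backend believes it was contacted on, once ignoring and once honouring the X-Forwarded-* headers, and compares the two. The hostnames, the stripped /keycloak prefix, the headers and the sample Response are all constructed for the example; the public_prefix argument is an assumption standing in for whatever mechanism the server uses to learn the path prefix the proxy removed.

```python
"""Model of the SAML Destination check behind a reverse proxy (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: only the Response element matters for the Destination
# check, so signature and assertion are omitted.
SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="%s" Version="2.0" '
    'Destination="https://www.example.com/keycloak/auth/realms/my-realm/'
    'broker/my-provider/endpoint" ID="id-constructed-1" '
    'InResponseTo="ID_constructed" IssueInstant="2020-09-07T21:26:58.155Z"/>'
) % SAMLP_NS

# Path as the backend sees it after the ingress stripped "/keycloak".
BACKEND_PATH = "/auth/realms/my-realm/broker/my-provider/endpoint"

# Constructed: headers a TLS-terminating ingress adds before forwarding.
PROXIED_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "www.example.com",
    "X-Forwarded-Port": "443",
}

DEFAULT_PORT = {"http": 80, "https": 443}


def destination_of(response_xml):
    """Return the Destination attribute of a <saml2p:Response>, or raise."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 Response")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("Response carries no Destination attribute")
    return dest


def effective_request_url(listener_host, listener_port, path, headers,
                          trust_forwarded, public_prefix=""):
    """Reconstruct the URL the server believes it was contacted on.

    listener_host/listener_port are what the backend socket sees (for
    example the container name and 8080). If trust_forwarded is False the
    X-Forwarded-* headers are ignored, so TLS termination and the public
    hostname at the proxy are invisible to the server. public_prefix is an
    assumed setting for the prefix the proxy stripped from the path.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, port = "http", listener_host, listener_port
    if trust_forwarded:
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
        fwd_host = h.get("x-forwarded-host", "").split(",")[0].strip()
        if fwd_host:
            host, port = fwd_host, None
        fwd_port = h.get("x-forwarded-port", "").split(",")[0].strip()
        if fwd_port:
            port = int(fwd_port)
    if port is None or port == DEFAULT_PORT[scheme]:
        netloc = host
    else:
        netloc = "%s:%d" % (host, port)
    return "%s://%s%s%s" % (scheme, netloc, public_prefix, path)


def check_destination(response_xml, request_url):
    """True when scheme, host, port and path of Destination equal the request URL."""
    dest = urlsplit(destination_of(response_xml))
    req = urlsplit(request_url)
    dest_port = dest.port or DEFAULT_PORT.get(dest.scheme)
    req_port = req.port or DEFAULT_PORT.get(req.scheme)
    return ((dest.scheme, dest.hostname, dest_port, dest.path)
            == (req.scheme, req.hostname, req_port, req.path))


def demo():
    """Compare a proxy-unaware and a proxy-aware reconstruction of the URL."""
    naive = effective_request_url("default-host", 8080, BACKEND_PATH,
                                  PROXIED_HEADERS, trust_forwarded=False)
    aware = effective_request_url("default-host", 8080, BACKEND_PATH,
                                  PROXIED_HEADERS, trust_forwarded=True,
                                  public_prefix="/keycloak")
    return {
        "naive": naive, "naive_ok": check_destination(SAMPLE_RESPONSE, naive),
        "aware": aware, "aware_ok": check_destination(SAMPLE_RESPONSE, aware),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The proxy-unaware reconstruction yields http://default-host:8080/auth/realms/... and fails the check exactly as the requestUri in the later log line in this thread shows; the proxy-aware one yields the public https URL with the prefix restored and passes. Changing X-Forwarded-Proto to http (a client reaching the proxy over plain HTTP) makes the aware case fail again on scheme alone, which is why the whole chain has to arrive over HTTPS and port 443 for the public URL to line up.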

Hi,
Can you give more technical info - the setting that you changed (Keycloak is configured to use them)?
I’m having this issue in 3 different settings…
EKS + istio 1.6
Openshift 4.6 + routes
Aks + istio 1.6

See Keycloak Documentation Chapter 9 Clustering > Setting Up a Load Balancer or Proxy

Hi,
I’m having a similar issue. I’m using a load balancer (ALB) and all necessary headers are passed to Keycloak.
But destination check fails due to this error:

"type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=f2ee040a-f6fe-4456-af0a-d092c701b298, clientId=null, userId=null, ipAddress=XX.XX.XX.XX, error=invalid_saml_response, reason=invalid_destination, requestUri=https://default-host:8080/auth/realms/XXXXX/broker/saml_test/endpoint"

For some reason “default-host:8080” comes in requestUri from Resteasy internal UriInfo implementation.
Frontend URI is set in realm properties but looks like not used in SAML response handling. What could cause such behavior? And what else should be configured?
Appreciate any ideas. Thanks!