I’m trying to set up my new Keycloak installation to use a SAML identity provider like G Suite or Okta, but I keep getting this error:
21:26:58,640 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=tier0, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination
I get a page that looks like this:
To describe my setup a bit:
I have Keycloak running in Kubernetes. I am using Kubernetes Ingress to proxy requests to Keycloak. So, anything going to https://www.example.com/keycloak gets the keycloak suffix removed (via URL rewriting) and sent to the Keycloak server. I have the environment variable KEYCLOAK_FRONTEND_URL for the Keycloak Docker container set to https://tierzero-qa.ymeadows.com/keycloak/auth, so that it rewrites the URLs correctly for being behind a proxy. This works fine and I can access the admin URL, etc.
I’ve inspected the SAML authentication request sent to https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint, which returns a 400. The SAML XML contains:
<saml2p:Response Destination="https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint" ID="id54247602897116181151547528" InResponseTo="ID_0f723e70-043b-42b3-991e-f7fe498b1c50" IssueInstant="2020-09-07T21:26:58.155Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
That destination URL matches the URL that the request is sent to. So, why is the destination considered invalid?
I’ve tried this with multiple IdPs (G Suite and Okta) and get the same problem in both cases.
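Added illustration (not part of the question above, and not Keycloak's own code): the SAML 2.0 bindings specification requires the recipient of a signed Response delivered by the POST or Redirect binding to verify that the Destination attribute matches the URL at which the message was actually received, so that a response issued for one endpoint cannot be delivered to another. The example below implements that check generically and runs it twice against the Response start tag quoted in the question: once as if the message arrived directly at the public URL, and once under the hypothetical assumption that a path-rewriting proxy has stripped the /keycloak prefix before the backend reconstructs the receiving URL from the request it sees. The sample XML is the quoted tag made self-closing; the request tuples are constructed; the host, paths and the rewrite behaviour are assumptions about the setup described, not observed facts.

```python
"""Generic SAML 2.0 Destination check and the effect of a path-rewriting proxy.
Illustrative code written for this page; it is not Keycloak's implementation."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the Response start tag quoted in the question, made
# self-closing so it parses on its own (a real Response also carries an
# Issuer, a Status and an Assertion).
SAMPLE_RESPONSE = (
    '<saml2p:Response '
    'Destination="https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint" '
    'ID="id54247602897116181151547528" '
    'InResponseTo="ID_0f723e70-043b-42b3-991e-f7fe498b1c50" '
    'IssueInstant="2020-09-07T21:26:58.155Z" Version="2.0" '
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>'
)


def extract_destination(xml_text: str) -> str:
    """Return the Destination attribute of a samlp:Response; refuse anything else."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("root element is not samlp:Response")
    dest = root.get("Destination")
    if not dest:
        # Signed messages on the POST/Redirect bindings must carry Destination.
        raise ValueError("Response carries no Destination attribute")
    return dest


def normalize(url: str) -> str:
    """Lower-case scheme and host, drop default ports and any query/fragment.
    The path is kept exactly as given: path comparison is case-sensitive."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    default = (parts.scheme == "https" and port == 443) or (parts.scheme == "http" and port == 80)
    if port and not default:
        host = "%s:%d" % (host, port)
    return urlunsplit((parts.scheme.lower(), host.lower(), parts.path, "", ""))


def request_url(scheme: str, host: str, path: str) -> str:
    """The URL the backend believes it received the message at, rebuilt from the
    request as it arrives there, i.e. after any proxy rewriting."""
    return "%s://%s%s" % (scheme, host, path)


def check_destination(xml_text: str, scheme: str, host: str, path: str):
    """Return (ok, destination, received_at). ok is False when the Destination the
    IdP wrote does not match the URL the recipient reconstructs for itself."""
    dest = normalize(extract_destination(xml_text))
    got = normalize(request_url(scheme, host, path))
    return dest == got, dest, got


def demo():
    """Constructed scenarios: direct delivery at the public URL versus a backend
    behind a proxy that (hypothetically) stripped the /keycloak prefix."""
    full_path = "/keycloak/auth/realms/my-realm/broker/my-provider/endpoint"
    direct = check_destination(SAMPLE_RESPONSE, "https", "www.example.com", full_path)
    # Assumption for illustration: the ingress removed "/keycloak" before forwarding,
    # so the backend sees a shorter path and rebuilds a different URL.
    rewritten_path = full_path[len("/keycloak"):]
    behind_proxy = check_destination(SAMPLE_RESPONSE, "https", "www.example.com", rewritten_path)
    return {"direct": direct, "behind_proxy": behind_proxy}


if __name__ == "__main__":
    for name, (ok, dest, got) in demo().items():
        print(name, "OK" if ok else "invalid_destination", "expected", dest, "received at", got)
```

The comparison is deliberately strict on the path: the check exists to stop a response minted for one endpoint from being accepted at another, so a recipient should not loosen it; instead the recipient has to be told its real public URL so the reconstructed value matches what the IdP wrote.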