Please bear with me. I have extracted all the elements from the response for somebody with expertise to compare.
I can't get the Keycloak Identity Broker (kcloak-ext: bad) to accept the response from the external SAML IDP.
At the same time, another identical setup (kcloak-oos: good) with a third instance of Keycloak as the SAML IDP works fine and I can authenticate.
The only thing I can find is an empty RelayState POST parameter from the external SAML IDP. Is that enough for the flow to fail?
Here are the HTTP POST: 400 (invalid request) items from the failed flow, kcloak-ext instance:
Cookies:
AUTH_SESSION_ID=63420834-cfb2-4caa-987b-798917fa5fcb.keycloak-0
Post Data:
"postData": {
    "RelayState": [
        ""
    ],
    "SAMLResponse": [
        "(omitted)"
    ]
}
SAML Response:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Keycloak Log:
WARN [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=ext-broker, clientId=null, userId=null, ipAddress=10.0.3.101, error=invalidRequestMessage
And here are the HTTP POST: 302 (Found) items from the positive flow, kcloak-oos instance:
Cookies:
AUTH_SESSION_ID=052550d6-a765-434f-a425-e96e13121e8b.keycloak-0;
Post Data:
"postData": {
    "RelayState": [
        "ybHVQFfwzj2zcUFXo2bLEPW69KIHy6JnlnNPPUnzalU.CM9nKCnATKY.account"
    ],
    "SAMLResponse": [
        "(omitted)"
    ]
}
SAML Response:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
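As an added example (not part of the original post), a small Python helper that decodes a SAML POST binding and reports the fields a broker correlates on, so captures like the two above can be compared side by side. The response XML, issuer and endpoint URLs in it are constructed placeholders, not the poster's real data.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_saml_post(post_data):
    """Extract what a broker needs from a SAML POST binding.

    post_data mirrors the captured "postData" shape: each form field is a list.
    """
    relay_state = (post_data.get("RelayState") or [""])[0]
    saml_b64 = (post_data.get("SAMLResponse") or [""])[0]
    findings = {"relay_state_present": bool(relay_state)}
    if not saml_b64:
        findings["error"] = "missing SAMLResponse"
        return findings
    root = ET.fromstring(base64.b64decode(saml_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    findings["status"] = status.get("Value") if status is not None else None
    findings["in_response_to"] = root.get("InResponseTo")  # ties response to our AuthnRequest
    findings["destination"] = root.get("Destination")      # must match the broker endpoint
    findings["issuer"] = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return findings


def broker_checks(findings):
    """List conditions an SP/broker commonly rejects on; empty list means nothing obvious."""
    if findings.get("error"):
        return [findings["error"]]
    problems = []
    if not findings["relay_state_present"]:
        problems.append("RelayState is empty: the SP has no state to resume the login with")
    if findings["status"] != SUCCESS:
        problems.append(f"non-success status: {findings['status']}")
    if not findings["in_response_to"]:
        problems.append("no InResponseTo: response is unsolicited")
    return problems


def _constructed_response():
    # Constructed minimal response (placeholder IDs and URLs), not a real capture.
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'InResponseTo="_req1" Destination="https://broker.example/endpoint">'
        '<saml:Issuer>https://idp.example/</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


FAILED_POST = {"RelayState": [""], "SAMLResponse": [_constructed_response()]}
GOOD_POST = {"RelayState": ["state.tab.account"], "SAMLResponse": [_constructed_response()]}
```

Running `broker_checks(inspect_saml_post(FAILED_POST))` flags only the empty RelayState, while the same call on `GOOD_POST` returns an empty list.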