Keycloak Frontend URL changing causes 404 error

Hi Everyone,


I'm trying to set up Keycloak as an IdP for the SAML protocol.
My SP is a simple PHP website, which uses the Apache mod_auth_mellon module.
Everything is running on Docker; the Keycloak image is exactly 'jboss/keycloak:12.0.2'.

Everything works well. When a client accesses the /private URL, it is redirected to the Keycloak login page, but with the following URL: https://192.168.0.16:8443/auth/realms/testrealm/protocol/saml?SAMLRequest=....

The problem is that I need to change that IP to the realm name, like sso.domain.com. So, in my realm properties, I tried to set the 'Front-end URL' to
'https://sso.domain.local:8443'

then update IDP.xml on my SP. The client redirects to the correct URL; I can see the SAML request sent to
'https://sso.domain.local:8443/realms/testrealm/protocol/saml?SAMLRequest=...',

but that request ends with an HTTP 404. As you can see, it misses the /auth/ part in the URL; is that normal?!

I tried to change the parameter globally with the environment variable 'KEYCLOAK_FRONTEND_URL', set to https://sso.domain.local:8443 (tried with sso.domain.com:8443 as well): it causes the admin console to fail with the same '404 - not found' error. The URL which causes the 404 is exactly
https://sso.domain.local:8443/admin/

The debug log returns nothing but this:

20:49:23,243 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /admin/

Do you guys have an idea?

Thanks in advance!
Arnaud

IdP metadata:

<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.domain.local:8443/realms/domain.com">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>9JIIIeE-bsi3atYo8Air1fhPBEPsjlCtDHf7YumPrBM</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.domain.local:8443/realms/domain.com/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.domain.local:8443/realms/domain.com/protocol/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.domain.local:8443/realms/domain.com/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.domain.local:8443/realms/domain.com/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.domain.local:8443/realms/domain.com/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>

Up! :slight_smile: Still have the issue…
Any ideas about this missing URL part?

Well, I finally found it… as I noted, the /auth/ part was missing from the SAMLRequest…

I added it to the 'Frontend URL' in the realm configuration, so it now looks like:

https://sso.domain.com:8443/auth

It would be nice to add the expected URL form to that little helper!:
[image]
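The root cause in this thread is that the Keycloak 12 (WildFly-based) image serves everything under the /auth context path, so the realm Frontend URL and the KEYCLOAK_FRONTEND_URL environment variable must carry that path (https://sso.domain.com:8443/auth); otherwise every URL Keycloak generates, including the IdP metadata the SP consumes and the /admin/ console link, points at a path nothing is mounted on, hence the Undertow "Matched default handler" 404. Below is an added example, not code from the thread or from the Keycloak project, that checks downloaded IdP metadata against the base URL the SP expects and reports precisely when an endpoint is only missing the context path. The realm name "testrealm" and the host sso.domain.com:8443 are taken from the post; the metadata sample is constructed to reproduce the symptom (Frontend URL set without /auth).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (not from the thread): IdP metadata as Keycloak 12 emits it
# when the realm Frontend URL is set to https://sso.domain.com:8443 without /auth.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://sso.domain.com:8443/realms/testrealm">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sso.domain.com:8443/realms/testrealm/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://sso.domain.com:8443/realms/testrealm/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _describe_mismatch(actual: str, expected: str) -> str:
    """Explain why an endpoint URL differs from the expected one.

    When scheme and host match and the actual path is a suffix of the expected
    path, the URL is only missing a leading context path (e.g. /auth), which is
    exactly the symptom of a Frontend URL configured without it.
    """
    a, e = urlparse(actual), urlparse(expected)
    same_origin = (a.scheme, a.netloc) == (e.scheme, e.netloc)
    if same_origin and a.path != e.path and e.path.endswith(a.path):
        missing = e.path[: len(e.path) - len(a.path)]
        return f"{actual!r} is missing the context path {missing!r} (expected {expected!r})"
    return f"{actual!r} != {expected!r}"


def check_idp_metadata(xml_text: str, frontend_url: str, realm: str) -> list:
    """Return a list of problems found in the endpoints of Keycloak IdP metadata.

    frontend_url is the full public base the SP must reach, including the
    Keycloak context path: https://sso.domain.com:8443/auth for the 12.x images.
    An empty list means every entityID and SSO/SLO Location matches that base.
    """
    base = frontend_url.rstrip("/")
    expected_entity = f"{base}/realms/{realm}"
    expected_endpoint = f"{expected_entity}/protocol/saml"

    root = ET.fromstring(xml_text)
    problems = []

    # entityID is also derived from the Frontend URL, so it drifts the same way.
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID", "")
        if entity_id != expected_entity:
            problems.append("entityID " + _describe_mismatch(entity_id, expected_entity))

    # Every SSO/SLO binding must point at the realm's SAML endpoint under the base.
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for svc in root.iter(f"{{{MD_NS}}}{tag}"):
            binding = svc.get("Binding", "").rsplit(":", 1)[-1]
            location = svc.get("Location", "")
            if location != expected_endpoint:
                problems.append(f"{tag} {binding} Location "
                                + _describe_mismatch(location, expected_endpoint))
    return problems


if __name__ == "__main__":
    # The SP expects Keycloak under /auth, so every endpoint in the sample is off.
    for p in check_idp_metadata(SAMPLE_METADATA, "https://sso.domain.com:8443/auth", "testrealm"):
        print("PROBLEM:", p)
```

Run it against metadata fetched from the realm descriptor endpoint (for the 12.x image, https://sso.domain.com:8443/auth/realms/testrealm/protocol/saml/descriptor) after changing the Frontend URL or KEYCLOAK_FRONTEND_URL, and before handing the file to mod_auth_mellon; the SP only ever sees the URLs baked into that metadata, so a wrong base there silently breaks login and logout even when the admin console happens to work. One caveat when reusing this on newer deployments: the Quarkus-based Keycloak distributions (17 and later) no longer serve under /auth by default, so the expected base there is https://sso.domain.com:8443 unless the server is started with --http-relative-path=/auth to keep the old URLs.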