I hope this isn’t a duplicate post, but since I couldn’t find an answer to my issue, I assume it’s not.
I’m encountering a problem with my Keycloak server, which I use to manage user identities. Specifically, I use this Keycloak instance to log users into AWS through a SAML trusted policy. This works with some specific configurations.
However, the issue arises when I attempt to get the assertion from my client. I encounter the error mentioned in the title, along with the following server log message:
SAML assertion consumer URL not set up
In my SAML request, the samlp:AuthnRequest contains a properly filled AssertionConsumerServiceURL. The process works when I manually set the “Assertion Consumer Service POST Binding URL” in Keycloak. However, this approach is impractical because it effectively hardcodes the value, which is inconvenient in a development environment.
I would like to dynamically configure valid URLs in the settings page instead. I’ve experimented with configurations such as * and myapp/*, +, but neither seems to resolve the issue.
I suspect there is a misconfiguration on my end, but I can’t pinpoint it. I’d greatly appreciate any guidance or suggestions to resolve this problem.
Recap of what I did:
- Set Valid URL: * and myapp/*, +
- Set Assertion Consumer Service POST Binding URL
- Change client callback URL
- Check my SAML request using SamlTool
About the code and the config I did:
Using Express.js and Passport-SAML:
```javascript
const express = require("express");
const passport = require("passport");
const { Strategy: SamlStrategy } = require("@node-saml/passport-saml");

const app = express();
// PEM-encoded signing certificate of the Keycloak realm (assumed: loaded from a file)
const idpCert = require("fs").readFileSync("idp-cert.pem", "utf8");

passport.use(
  new SamlStrategy(
    {
      path: "/login/callback",
      // Keycloak SAML endpoint of this client (IdP-initiated SSO URL name "keycloack_realm")
      entryPoint: "https://mykeycloak.fr/realms/realm/protocol/saml/clients/keycloack_realm",
      // SP entity ID; must equal the Keycloak client ID
      issuer: "urn:amazon:webservices",
      idpCert: idpCert,
      // Becomes the AssertionConsumerServiceURL attribute of the AuthnRequest
      callbackUrl: "http://localhost:3001/login/callback",
      wantAuthnResponseSigned: true,
      wantAssertionsSigned: true,
      validateInResponseTo: "never",
      acceptedClockSkewMs: 5000,
      debug: true,
    },
    // sign-on verify callback
    function (profile, done) {
      console.log("SAML Profile:", profile);
      return done(null, profile);
    },
    // logout verify callback (recent @node-saml/passport-saml versions expect it)
    function (profile, done) {
      return done(null, profile);
    }
  )
);

app.use(passport.initialize());

app.get(
  "/login",
  passport.authenticate("saml", { failureRedirect: "/", failureFlash: true }),
  (req, res) => { res.redirect("/"); }
);
```
I also tried node-saml:
```javascript
const express = require("express");
const { SAML } = require("@node-saml/node-saml");

const app = express();
// PEM-encoded signing certificate of the Keycloak realm (assumed: loaded from a file)
const idpCert = require("fs").readFileSync("idp-cert.pem", "utf8");

const options = {
  callbackUrl: "http://localhost:3001/login/callback/node-saml",
  entryPoint: "https://mykeycloak.fr/realms/realm/protocol/saml/clients/keycloack_realm",
  issuer: "urn:amazon:webservices",
  idpCert: idpCert,
  wantAssertionsSigned: true,
  acceptedClockSkewMs: 5000,
};
const saml = new SAML(options);

app.get("/login/node-saml", async (req, res) => {
  try {
    // getAuthorizeUrlAsync(RelayState, host, options) builds the redirect-binding URL
    res.redirect(await saml.getAuthorizeUrlAsync("", undefined, {}));
  } catch (err) {
    res.status(500).send("Failed to generate login URL");
  }
});
```
The AuthnRequest that is sent:
```xml
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_5a4dd930b4520f618357b68e73543e919123b81f" Version="2.0" IssueInstant="2025-01-29T18:28:35.659Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://mykeycloak.fr/realms/realm/protocol/saml/clients/keycloack_realm" AssertionConsumerServiceURL="http://localhost:3001/login/callback">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    urn:amazon:webservices
  </saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
I want to use the AssertionConsumerServiceURL from this AuthnRequest as the destination URL instead of having to set a master URL or a specific ACS URL on Keycloak directly.
About the Keycloak Config:
- Client ID: urn:amazon:webservices
- Name: keycloack_realm
- Home URL: https://mykeycloak.fr/realms/realm/protocol/saml/clients/keycloack_realm
- IDP-Initiated SSO URL name: keycloack_realm

Keycloak Version: 26.0.6
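The question turns on which "Valid redirect URIs" pattern lets the IdP accept the AssertionConsumerServiceURL carried in an unsigned AuthnRequest, and how much else that pattern accepts. The following script is an added example, not code from the post, from Keycloak or from node-saml: it models the allowlist check with two rules only (exact match, and a pattern ending in `*` matching by prefix) and assumes that a pattern without a scheme, such as `myapp/*`, is relative to the client's Root URL and therefore cannot match anything while no Root URL is set; `+` is treated as matching nothing because it is not a URL pattern. Keycloak's real matcher canonicalises URLs and has more cases, so this is a tool for reasoning about which pattern is needed, not a reimplementation.

```javascript
// Added example (not from the original post, Keycloak or node-saml): a simplified
// model of how a SAML IdP checks an AuthnRequest's AssertionConsumerServiceURL
// against a client's "Valid redirect URIs" allowlist.

/** Resolve a pattern to an absolute form; null if it cannot be resolved. */
function resolvePattern(pattern, rootUrl) {
  if (pattern === "*") return "*";                              // bare wildcard
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(pattern)) return pattern; // already absolute
  if (!rootUrl) return null;                                    // relative, no Root URL (assumed)
  return rootUrl.replace(/\/+$/, "") + "/" + pattern.replace(/^\/+/, "");
}

/** True if acsUrl is accepted by a single pattern. */
function matchesPattern(acsUrl, pattern, rootUrl) {
  const p = resolvePattern(pattern, rootUrl);
  if (p === null) return false;
  if (p === "*") return true;                                   // accepts any URL at all
  if (p.endsWith("*")) return acsUrl.startsWith(p.slice(0, -1)); // prefix match
  return acsUrl === p;                                          // exact match
}

/**
 * Decide whether the IdP may POST the assertion to acsUrl. The URL must be
 * absolute and must match at least one configured pattern.
 */
function acsUrlAllowed(acsUrl, validRedirectUris, rootUrl = "") {
  try {
    new URL(acsUrl);
  } catch {
    return false;
  }
  return validRedirectUris.some((pattern) => matchesPattern(acsUrl, pattern, rootUrl));
}

// The ACS URL from the AuthnRequest shown in the post.
const ACS_URL = "http://localhost:3001/login/callback";

/** For each candidate pattern, whether it accepts ACS_URL with no Root URL set. */
function evaluateCandidates() {
  const candidates = ["*", "myapp/*", "+", "http://localhost:3001/*", ACS_URL];
  return Object.fromEntries(candidates.map((p) => [p, acsUrlAllowed(ACS_URL, [p])]));
}

/**
 * How much else a pattern accepts. A bare "*" lets the unsigned AuthnRequest
 * steer the signed assertion to any host, which is why a pattern anchored on
 * scheme and host is the one to use even in development.
 */
function acceptsForeignHost(pattern) {
  return acsUrlAllowed("https://not-your-app.example/acs", [pattern]);
}

console.log(evaluateCandidates());
console.log("'*' accepts a foreign host:", acceptsForeignHost("*"));
console.log("'http://localhost:3001/*' accepts a foreign host:",
  acceptsForeignHost("http://localhost:3001/*"));
```

Under this model the only candidates that accept the posted ACS URL are `*`, `http://localhost:3001/*` and the exact URL; `myapp/*` needs a Root URL to resolve against and still would not match a path under `/login`. The host-anchored wildcard gives the flexibility wanted for development without accepting an arbitrary host.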