Hello Keycloak community,
I’m a software developer for a municipal data center and I’ve run into an issue when trying to connect Keycloak v22.0.4 with Elster’s NEZO interface (mein-unternehmenskonto.de). Upon being redirected back to Keycloak from the Identity Provider, I receive an “Invalid Requester” error. Diving deeper into the server logs, I found:
```
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-133) validation failed
WARN [org.keycloak.events] (executor-thread-133) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=[MY-REALM_ID], clientId=null, userId=null, ipAddress=10.0.100.243, error=invalid_signature
```
I tried troubleshooting by checking the configuration in Keycloak itself. I even turned off the “Validate Signature” option in the Identity Provider configuration, thinking this might bypass the validation. However, I’m still facing the same error. It’s worth noting that I encountered this same problem in Keycloak 21.1.2 as well.
If anyone has successfully integrated their service via NEZO (Elster/mein-unternehmenskonto.de) with Keycloak, your insights would be invaluable. I can provide more detailed settings information if needed.
Thank you in advance!
1 Like
Hello Keycloak community,
I wanted to provide an update on the issue I was facing with the integration of Keycloak and Elster’s NEZO interface (mein-unternehmenskonto.de). Thanks to a helpful tip from the “IT-Systemhaus der Bundesagentur für Arbeit - Nürnberg,” I was able to resolve the problem without extensive troubleshooting.
Initially, I was focused on the “Validate Signature” setting, but it turns out the key difference was in the “Want Assertions signed” setting. I had to set it to “false” to make the integration work correctly.
For those who might encounter a similar issue, here’s an example configuration that worked for me:
```yaml
identityProviders:
  - addReadTokenRoleOnCreate: false
    alias: uk
    authenticateByDefault: false
    config:
      addExtensionsElementWithKeyInfo: false
      allowCreate: true
      allowedClockSkew: 0
      attributeConsumingServiceIndex: 0
      backchannelSupported: false
      enabledFromMetadata: true
      encryptionAlgorithm: RSA-OAEP
      encryptionPublicKey: MIIF...l01E=
      entityId: https://interne-keycloak-umgebung
      forceAuthn: false
      idpEntityId: https://e4k-portal.een.elster.de
      loginHint: false
      nameIDPolicyFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      postBindingAuthnRequest: true
      postBindingLogout: true
      postBindingResponse: true
      principalType: Subject NameID
      signSpMetadata: false
      signatureAlgorithm: RSA_SHA256_MGF1
      signingCertificate: MIIF...5XQs=
      singleLogoutServiceUrl: https://e4k-portal.een.elster.de/ekona/slo
      singleSignOnServiceUrl: https://e4k-portal.een.elster.de/ekona/sso
      validateSignature: true
      wantAssertionsEncrypted: false
      wantAssertionsSigned: false
      wantAuthnRequestsSigned: true
      xmlSigKeyInfoKeyNameTransformer: KEY_ID
    enabled: true
    firstBrokerLoginFlowId: firstBrokerLogin
    linkOnly: false
    providerId: saml
    storeToken: false
    trustEmail: false
```
I based my solution on this configuration, and it worked for me. I hope it works for others who may face a similar challenge in the future.
2 Likes
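The fix above works because Keycloak's "Want Assertions signed" expects a `ds:Signature` inside each `saml:Assertion`, whereas "Validate Signature" checks the signature on the `samlp:Response` itself; an IdP that signs only the Response fails the assertion check with `invalid_signature`. The following diagnostic is an added example, not code from the thread or from Keycloak: it inspects a captured SAML Response (a constructed sample is embedded) and reports which elements are signed, so the two toggles can be set to match what the IdP actually sends instead of being switched off blindly.

```python
"""Report where a SAML Response carries XML signatures (added diagnostic, not Keycloak code)."""
import xml.etree.ElementTree as ET  # for untrusted input in production, use defusedxml instead

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_locations(xml_bytes: bytes) -> dict:
    """Return which elements of the Response carry a direct ds:Signature child.

    Signatures inside saml:EncryptedAssertion cannot be seen before decryption,
    so encrypted assertions are only counted.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertions_signed = [a.find(f"{{{DS}}}Signature") is not None
                         for a in root.findall(f"{{{SAML}}}Assertion")]
    encrypted = len(root.findall(f"{{{SAML}}}EncryptedAssertion"))
    return {"response_signed": response_signed,
            "assertions_signed": assertions_signed,
            "encrypted_assertions": encrypted}


def suggested_idp_settings(loc: dict) -> dict:
    """Map the observed signature layout onto the two Keycloak SAML IdP toggles from the thread."""
    all_assertions_signed = bool(loc["assertions_signed"]) and all(loc["assertions_signed"])
    if not loc["response_signed"] and not all_assertions_signed:
        # Nothing is signed: a broker must reject such a response outright.
        raise ValueError("neither Response nor Assertion is signed; reject this IdP")
    return {"validateSignature": True, "wantAssertionsSigned": all_assertions_signed}


# Constructed sample: the Response is signed, the Assertion inside it is not
# (the layout that makes wantAssertionsSigned: true fail). Identifiers are made up.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>user-1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    found = signature_locations(SAMPLE_RESPONSE)
    print(found, suggested_idp_settings(found))
```

Feed it the base64-decoded `SAMLResponse` from the IdP's POST (Keycloak logs it at debug level for `org.keycloak.saml`) rather than the sample to see what the real IdP signs.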