No user name or email address passing in from SAML through User Principal

Hello Everyone,
Please be gentle. I am a complete noob to Keycloak.
I am trying to configure Keycloak SAML to send a User Principal of either the user name, email, id, etc. to IBM’s TRIRIGA application through WebSphere Network Deployment 9.0.0.11. I am able to authenticate to Keycloak and am being redirected to the TRIRIGA application, but I do not see any user information through the User Principal variables. I receive this error message from the WebSphere server.

12/19/19 11:33:46:585 PST] 000000d9 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /home/jogee/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_88875f97_19.12.19_11.33.46.5813821301036171484864.txt com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation 519
[12/19/19 11:33:46:585 PST] 000000d9 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: com.ibm.wsspi.wssecurity.core.SoapSecurityException
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.createTAIErrorResult(ACSTrustAssociationInterceptor.java:784)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO(ACSTrustAssociationInterceptor.java:623)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.negotiateValidateandEstablishTrust(ACSTrustAssociationInterceptor.java:397)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)

Caused by: com.ibm.websphere.security.WebTrustAssociationFailedException: com.ibm.wsspi.wssecurity.core.SoapSecurityException
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.createTAIErrorResult(ACSTrustAssociationInterceptor.java:775)
… 34 more
. Make sure that the setup is correct and that the user credentials are valid.

I do see the attributes being passed in within the logs.

SAML XML snippet.
<saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">Jose</saml:AttributeValue></saml:Attribute>

<saml:Attribute FriendlyName="username" Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">system</saml:AttributeValue></saml:Attribute>

<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">system</saml:AttributeValue>
</saml:Attribute>

Any suggestions? Any extra logs to view?

Thanks!
Jose

Hello everyone,
I figured out what the issues were, and I am now able to authenticate to the TRIRIGA application.

  1. I have to set the Name ID format property.
    Keycloak admin -> Clients -> SAML client name (mine was tririga-saml) -> Name ID Format.

This can be an email address, but in my setup I used the username property.

  2. On the WebSphere side, I need to have the EntityID for the Service Provider (SP). The EntityID is the SAML Client ID name.

Log in to the WebSphere Admin Console. On the left side menu go to Security -> Global Security

Under the Authentication section, expand the Web and SIP security tree. Select Trust association.

Click on the Interceptors link.

Under Custom properties, fill in the following custom property information:

Add the following property.
Name: sso_1.sp.EntityID
Value: tririga-saml (This is the SAML Client ID from Keycloak. Log in to the Keycloak admin console. Click on the Clients link on the left side of the menu. The name is the Client ID of your SAML client setup. In my example I used the name tririga-saml.)

I then went to the “IDP Initiated SSO URL Name” URL and I successfully logged on to TRIRIGA.

Hope this helps someone.

Jose
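The two fixes above amount to the same check on the SP side: the assertion must carry a NameID in its Subject (that is what the WebSphere TAI turns into the user principal; attributes alone are not enough) and its Audience must equal the SP EntityID configured in sso_1.sp.EntityID. The following script is an added example, not part of this thread or of Keycloak or WebSphere; it parses a constructed SAML Response (the issuer URL and assertion IDs are made up) and reports which of those two conditions fail, which is a quick way to confirm from a captured assertion whether a "Trust Association failed" error is a missing-NameID or an EntityID mismatch problem.

```python
"""Inspect a SAML 2.0 Response for the fields a service provider needs
to build a user principal: a NameID in the Subject, its Format, and an
Audience equal to the SP EntityID.  Added example with a constructed
assertion; not Keycloak or WebSphere code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample assertion: NameID present (username as principal) and
# Audience equal to the Keycloak client ID used as the SP EntityID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://keycloak.example.test/auth/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://keycloak.example.test/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">system</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>tririga-saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>system</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion with the NameID removed: attributes only, as in the original
# failing setup where no Name ID Format had been configured on the client.
SAMPLE_NO_NAMEID = SAMPLE_RESPONSE.replace(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "system</saml:NameID>",
    "",
)


def inspect_assertion(response_xml: str) -> dict:
    """Return NameID, its Format, the Audience list and the attributes of the
    first Assertion in the Response (None/empty where absent)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "name_id_format": None, "audiences": [], "attributes": {}}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": audiences,
        "attributes": attributes,
    }


def principal_problems(response_xml: str, sp_entity_id: str) -> list:
    """List the reasons the SP could not derive a principal; empty means OK."""
    info = inspect_assertion(response_xml)
    problems = []
    if info["name_id"] is None or not info["name_id"].strip():
        problems.append("no NameID in Subject: set the client's Name ID Format on the IdP")
    if sp_entity_id not in info["audiences"]:
        problems.append(
            f"Audience {info['audiences']} does not match SP EntityID {sp_entity_id!r}")
    return problems


if __name__ == "__main__":
    for label, doc in (("fixed", SAMPLE_RESPONSE), ("attributes only", SAMPLE_NO_NAMEID)):
        print(label, "->", principal_problems(doc, "tririga-saml") or "OK")
```

To use this on a real assertion, decode the SAMLResponse form parameter from the browser's POST to the ACS (base64) and pass the XML string to principal_problems with the EntityID you configured in WebSphere. The check is deliberately limited to the principal-related fields; it does not verify the signature, so it is a diagnostic aid, not a substitute for the SP's own validation.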