Problem integrating GitHub as client

Hello,

In my organization we are trying to integrate GitHub to use keycloak as IDP. The problem is that we are obtaining the error “Failed: Digest mismatch, InResponseTo was invalid or missing” and we are not able to fix it, nor to see what is wrong in the configuration, as it seems to be correct.

We are also wondering if keycloak is supported as IDP for GitHub.

Have any of you ever integrated GitHub with keycloak? If so, how did you do it?

Thank you in advance. BR

@dballestlh
Yes, I have done it. Kindly share your steps; I will correct the step.

Hello,

First of all, many thanks for your reply.

The steps that we followed have been:

Create the client in Keycloak whose configuration I am pasting here:

{
    "clientId": "https://github.com/orgs/OUR_ORG",
    "name": "GitHub EITS-LH",
    "adminUrl": "",
    "baseUrl": "/auth/realms/LafargeHolcim/protocol/saml/clients/CLIENT_NAME",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "https://github.com/"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": {
        "saml.assertion.signature": "true",
        "saml_idp_initiated_sso_relay_state": "https://github.com/orgs/OUR_ORG/saml/consume",
        "saml_assertion_consumer_url_redirect": "",
        "saml.force.post.binding": "true",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "login_theme": "base",
        "saml_assertion_consumer_url_post": "https://github.com/orgs/OUR_ORG/saml/consume",
        "saml.server.signature": "true",
        "saml_idp_initiated_sso_url_name": "CLIENT_NAME",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml.signing.certificate": "OUR_CERT",
        "saml.signature.algorithm": "RSA_SHA256",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "true",
        "display.on.consent.screen": "false",
        "saml.signing.private.key": "OUR_PK",
        "saml_name_id_format": "username",
        "saml.onetimeuse.condition": "false",
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "defaultClientScopes": [
        "web-origins",
        "profile",
        "roles",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}

And then, in GIT, we set the certificate and the entity of keycloak; nothing too special.

Thank you!
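As an added example (not code from any post in this thread), the following script checks the fields a SAML SP inspects before it gets to the signature: InResponseTo, Destination and Audience. The ACS URL and entity ID are the ones in the client config above with the OUR_ORG placeholder kept; the request and response IDs and the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values taken from the posted Keycloak client config (OUR_ORG is a placeholder).
ACS_URL = "https://github.com/orgs/OUR_ORG/saml/consume"
SP_ENTITY_ID = "https://github.com/orgs/OUR_ORG"


def check_response(xml_text, expected_request_id, expected_acs, expected_audience):
    """Return the problems an SP would report before verifying the signature.

    InResponseTo must be present and equal the ID of the AuthnRequest the SP
    sent; an IdP-initiated Response carries no InResponseTo at all, which an
    SP that only accepts SP-initiated logins rejects as "invalid or missing".
    Destination must be the SP's ACS URL and the Assertion's Audience must
    name the SP's entity ID.
    """
    problems = []
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        problems.append("InResponseTo missing (IdP-initiated response?)")
    elif in_response_to != expected_request_id:
        problems.append(f"InResponseTo {in_response_to!r} != {expected_request_id!r}")
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != {expected_acs!r}")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience!r}")
    return problems


# Constructed sample responses; the ID values are made up for this example.
def _sample(in_response_to_attr):
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_resp-1"
  Destination="{ACS_URL}"{in_response_to_attr}>
  <saml:Assertion ID="ID_assert-1"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""


SP_INITIATED = _sample(' InResponseTo="ID_req-42"')   # answers a real AuthnRequest
IDP_INITIATED = _sample("")                            # unsolicited, no InResponseTo

if __name__ == "__main__":
    for name, doc in (("SP-initiated", SP_INITIATED), ("IdP-initiated", IDP_INITIATED)):
        print(name, check_response(doc, "ID_req-42", ACS_URL, SP_ENTITY_ID) or "ok")
```

Running it prints "ok" for the SP-initiated sample and the missing-InResponseTo problem for the IdP-initiated one, which is the distinction to confirm first when an SP reports that error.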

Hello @pkadian

Any update? We are blocked.

Thank you in advance

Dear dballestlh,

Why do you want to add GitHub as a client in Keycloak? Use it as an Identity provider. Keycloak already provides the feature to register GitHub as IDP; hence, users can register directly and you do not need to register every user into the realm.

To register it as an IDP, select Identity provider and add the entries respectively. Follow the links below for configuration.

https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/identity-broker/social/github.html

https://www.keycloak.org/docs/latest/server_admin/

Hello,

No, our approach is not that. We use Google as IdP and we do need to use our corporate solution (Google) to register users in GitHub. Actually, users are registered in a free way in git, which is violating our policies, so we need it as a client.

Thx

Dear dballestlh,

A user cannot directly register in keycloak until you add the user into your account.
Only registered users can access the application. For this you have to create an organisation, and users inside that organisation can log in; others cannot.

Hello,

Yes, in fact, we are using Keycloak as IdP for many other applications such as AWS.

We use Google as our IdP and AD for federation to authorize users in applications, so our users are correctly created; the problem is that our integration with Git does not work.

BR

@pkadian Were you able to resolve this?

We are trying to add our Keycloak as a SAML IdP to GitHub but after putting in the configurations, we receive an error “Failed : InResponseTo was invalid or missing”

If resolved, can you post the solution here?