SAML Identity Provider

Hey everyone,

I’m trying to configure Shibboleth authentication via a SAML identity provider and I can’t make it work.

I have successfully synchronized the users from the Active Directory on read only mode and I am redirected to my IdP login page when I try to acces the platform’s login page in which I am trying to configure this, as I should be.

After I login on my IdP for the first time, I am redirected to a page on Keycloak where I have to put my credentials again and it says that it is going to link my account to my IdP. After I do that, I get a page on Keycloak saying “Unexpected error when authenticating with identity provider” and the logs say:
org.keycloak.storage.ReadOnlyException: Federated storage is not writable
at org.keycloak.keycloak-ldap-federation@9.0.2//org.keycloak.storage.ldap.ReadonlyLDAPUserModelDelegate.setEmail(ReadonlyLDAPUserModelDelegate.java:54)

If I try to login again on my IdP, it’ll go straight to a page on Keycloak saying “An internal server error has occurred” and the logs say:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
at org.keycloak.keycloak-services@9.0.2//org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:494)

Does anyone what I should do to solve this?

Thanks in advance.

Facing the same issue. Did you ever solved this?

No, I didn’t. Sorry I can’t help.

I think the error message points to the LDAP being configured as “READ_ONLY”, but it seems the initial user login wants to associate an “email” address field with the user by writing a value? You can try setting the LDAP user federation to “UNSYNCED”, maybe that will help. That way users synced from LDAP can change within Keycloak, but changes are not fed back into AD.

Looks like the ADFS identityprovider initiated login page that i used for testing is causing this.
Actually SAML login works fine if go to the regular login page and select saml login

Sorry to resurrect this old topic but I am facing the same issue. Is “UNSYNCED” a feasible solution or is there another one? I don’t think this bug has ever been fixed