SAML SSO - Keycloak - Bad Request with ACM Certificates

Hello Folks!

Hope everyone is doing well! I need your assistance on an issue described below:

We are integrating Google SSO + Keycloak auth into our product using an ACM-issued public SSL certificate.
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

Usually, when we deploy the product with non-ACM-issued certificates, we have access to the private key of the certificate bundle, which we upload within our product; that lets SSL pass through as expected.

(Note: we tried a different SSO provider as well; the error remains the same.)

Flow: ACM (or self-signed or private certificates) → NLB → nginx-ingress + Keycloak (Helm charts) on EKS

But with ACM, I do understand there is no private key access. And we have tried SSL termination on our NLB, routing traffic to our cluster via a TLS policy with the ACM certificate attached.

We also tried the following:

  • Forwarding all traffic from the nginx ingress (result: Invalid SAML Response (Invalid Destination))
  • Adding the following to Keycloak:
    PROXY_ADDRESS_FORWARDING = true
    and
    KEYCLOAK_FRONTEND_URL = <your front-end URL, starting with https>
  • Toggling SSL between “all”, “external” and “none” traffic and clearing the cache on Keycloak

But none of these have been successful.

We continue to get a Bad Request (400) / invalidFederatedIdentityActionMessage.

Some differences between the SAML request headers with ACM-issued certs vs. private-key-uploaded certs:

There are missing key names in the request header, e.g. :method, :authority and :scheme are missing on the left. Also, the case of the key names differs between the two.

Also, the entire “Request Cookies” section is missing from the ACM request headers compared with the private-key SSL certs.

Any assistance is much appreciated!

Thanks,
Arnab
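To make the "Invalid Destination" symptom concrete, here is an added Python illustration (not Keycloak's code and not from the post above) of how a SAML service provider reconstructs the URL it was POSTed to and compares it with the Response's Destination attribute: once TLS ends at the NLB and the hop to the pod is plain HTTP, the scheme it computes depends entirely on forwarded headers being present and honoured, or on a fixed front-end URL. Host name, realm, IdP alias, Response contents and header sets are all constructed.

```python
# Constructed illustration of the SAML "Invalid Destination" check behind a
# TLS-terminating load balancer. Not Keycloak's code; all values are made up.
import xml.etree.ElementTree as ET
ACS_PATH = "/auth/realms/demo/broker/google/endpoint"   # assumed realm and IdP alias

# Constructed SAML Response: the IdP stamps the ACS URL it was configured with.
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="https://sso.example.com{ACS_PATH}"/>'
)

def saml_destination(xml_text):
    """Destination attribute the IdP wrote into the Response."""
    return ET.fromstring(xml_text).attrib["Destination"]

def reconstruct_request_url(wire_scheme, headers, path, *, proxy_address_forwarding=False, frontend_url=None):
    """URL the service provider believes the Response was POSTed to: a configured front-end
    URL wins; X-Forwarded-* count only when proxy forwarding is on; else the wire scheme/host."""
    if frontend_url:
        return frontend_url.rstrip("/") + path
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    scheme, host = wire_scheme, h["host"]
    if proxy_address_forwarding:
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
    return f"{scheme}://{host}{path}"

def destination_ok(saml_xml, request_url):
    """The comparison that fails with 'Invalid Destination' when the two differ."""
    return saml_destination(saml_xml) == request_url

# Headers as the backend might see them once TLS ended at the load balancer and the
# hop to the pod is plain HTTP (constructed); the second set carries the ingress's hint.
PLAIN_HOP = {"Host": "sso.example.com"}
FORWARDED_HOP = {"Host": "sso.example.com", "X-Forwarded-Proto": "https"}

def scenarios():
    """Map each deployment discussed above to whether the destination check passes."""
    return {
        "tls terminated, nothing forwarded": destination_ok(
            SAML_RESPONSE, reconstruct_request_url("http", PLAIN_HOP, ACS_PATH)),
        "X-Forwarded-Proto honoured": destination_ok(SAML_RESPONSE, reconstruct_request_url(
            "http", FORWARDED_HOP, ACS_PATH, proxy_address_forwarding=True)),
        "fixed https front-end URL": destination_ok(SAML_RESPONSE, reconstruct_request_url(
            "http", PLAIN_HOP, ACS_PATH, frontend_url="https://sso.example.com")),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36} {'ok' if ok else 'Invalid Destination'}")
```

Only the first scenario fails, which is the state a plain-HTTP hop behind a layer-4 load balancer leaves the backend in unless the ingress supplies X-Forwarded-Proto and the server is configured to trust it.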