Hello Folks!
Hope everyone is doing well! Need your assistance on an issue described below:
Integrating Google SSO + Keycloak Auth into our product using an ACM-issued SSL public certificate.
When we usually deploy the product via non-ACM-issued certificates, we have access to the private key of the certificate bundle, which we upload within our product; this lets SSL pass through as expected.
(Note: Tried using a different SSO provider as well, the error remains the same)
Flow: ACM (or self-signed or private certificates) → NLB → nginx-ingress + keycloak (helm charts) on EKS
But with ACM I do understand there is no private key access. And we have tried SSL termination on our NLB and routing traffic to our cluster via a TLS policy with the ACM certificate attached.
We also tried the following:
- Invalid SAML Response (Invalid Destination) (forward all traffic from nginx ingress)
- Add the following to keycloak:
PROXY_ADDRESS_FORWARDING = true
and
KEYCLOAK_FRONTEND_URL = enter your front-end URL path starting with https
- Toggle between SSL for “all”, “external”, “none” traffic and clear cache on Keycloak
But none of these have been successful.
We continue to get a Bad Request (400) / invalidFederatedIdentityActionMessage.
Some differences between ACM issued vs Private Key uploaded certs SAML Request Headers:
There are missing key names in the request header, e.g. :method, :authority, :scheme are missing on the left. Also, the case of the key names differs between the two.
Also, the entire section called “Request Cookies” is missing on the ACM request headers vs. the private-key SSL certs.
Any assistance is much appreciated!
Thanks,
Arnab
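The post above touches the mechanism behind an "Invalid Destination" SAML error behind a TLS-terminating load balancer: the application builds the URL it expects to see in the SAML Response from what its own listener saw (plain HTTP on the hop after the NLB), unless a proxy forwards the original scheme and host and the application is configured to trust that, or the public URL is pinned outright. The following is an added illustration, not part of the original post and not Keycloak's or nginx-ingress's code. It models the generic roles that PROXY_ADDRESS_FORWARDING (trust X-Forwarded-* from the proxy) and KEYCLOAK_FRONTEND_URL (pin the public base URL) play, using the de facto X-Forwarded-Proto / X-Forwarded-Host convention; the hostname sso.example.com, the endpoint path and the header dictionaries are constructed sample values.

```python
"""Model of how a reverse-proxied web app derives the public URL it embeds in
SAML Destination / redirect URIs, and why TLS termination in front of it can
make that URL wrong.

Added example for illustration; not Keycloak's or nginx-ingress's code. It
assumes the de facto X-Forwarded-Proto / X-Forwarded-Host convention. The
hostname and endpoint path below are constructed placeholders."""

from typing import Mapping, Optional

ENDPOINT_PATH = "/auth/realms/demo/broker/saml/endpoint"  # placeholder path
PUBLIC_HOST = "sso.example.com"                            # constructed host


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup.

    HTTP/2 carries header names in lowercase; HTTP/1.1 intermediaries often
    Title-Case them. An app must treat both forms as the same header.
    """
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def effective_base_url(headers: Mapping[str, str], *, trust_proxy: bool,
                       listen_scheme: str,
                       frontend_url: Optional[str] = None) -> str:
    """Scheme and host the app believes the client used to reach it.

    frontend_url pins the answer regardless of the request (the role
    KEYCLOAK_FRONTEND_URL plays). trust_proxy lets X-Forwarded-* override
    what the backend socket saw (the role PROXY_ADDRESS_FORWARDING plays);
    enable it only when the app is reachable solely through the proxy,
    otherwise a client could supply these headers itself.
    """
    if frontend_url:
        return frontend_url.rstrip("/")

    scheme = listen_scheme
    host = get_header(headers, "host") or PUBLIC_HOST
    if trust_proxy:
        fwd_proto = get_header(headers, "x-forwarded-proto")
        fwd_host = get_header(headers, "x-forwarded-host")
        if fwd_proto:
            scheme = fwd_proto.split(",")[0].strip().lower()
        if fwd_host:
            host = fwd_host.split(",")[0].strip()
    return f"{scheme}://{host}"


def expected_destination(headers: Mapping[str, str], **config) -> str:
    """Destination the app expects an inbound SAML Response to carry."""
    return effective_base_url(headers, **config) + ENDPOINT_PATH


def destination_ok(response_destination: str, headers: Mapping[str, str],
                   **config) -> bool:
    """Mirror of the receiver-side check that fails with 'Invalid Destination'."""
    return expected_destination(headers, **config) == response_destination


# The IdP was registered with the public https URL (constructed).
IDP_DESTINATION = f"https://{PUBLIC_HOST}{ENDPOINT_PATH}"

# Constructed: TLS ends at the load balancer, the hop to the app is plain HTTP,
# and the proxy forwards no X-Forwarded-* headers at all.
NO_FORWARDING = {"Host": PUBLIC_HOST}

# Constructed: same hop, but the proxy adds lowercase forwarded headers.
WITH_FORWARDING = {"host": PUBLIC_HOST, "x-forwarded-proto": "https",
                   "x-forwarded-host": PUBLIC_HOST}


def run_scenarios() -> dict:
    """Evaluate the Destination check under the deployment shapes discussed."""
    return {
        "terminated_no_headers": destination_ok(
            IDP_DESTINATION, NO_FORWARDING, trust_proxy=True, listen_scheme="http"),
        "headers_but_not_trusted": destination_ok(
            IDP_DESTINATION, WITH_FORWARDING, trust_proxy=False, listen_scheme="http"),
        "headers_and_trusted": destination_ok(
            IDP_DESTINATION, WITH_FORWARDING, trust_proxy=True, listen_scheme="http"),
        "pinned_frontend_url": destination_ok(
            IDP_DESTINATION, NO_FORWARDING, trust_proxy=True, listen_scheme="http",
            frontend_url=f"https://{PUBLIC_HOST}"),
        "tls_passthrough": destination_ok(
            IDP_DESTINATION, NO_FORWARDING, trust_proxy=False, listen_scheme="https"),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'match' if ok else 'INVALID DESTINATION'}")
```

Only the scenarios where the forwarded scheme is both present and trusted, where the public URL is pinned, or where TLS actually reaches the listener produce a matching Destination; the first two scenarios reproduce the mismatch. Two things worth checking against the captured request headers in the post: `:method`, `:authority` and `:scheme` are HTTP/2 pseudo-headers, so their presence on one capture and absence on the other means the two paths are speaking different HTTP versions to the backend (which also explains the lowercase header names), and whichever hop terminates TLS must be the one that emits X-Forwarded-Proto for the trust setting to have anything to act on.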