Setup another Keycloak client as SAML identity provider gives "invalid signature"

Hello,

I’m trying to configure a SAML entity provider within Keycloak, but I stumble on an error that doesn’t make much sense to me.

The setup is the following: I have a Keycloak (let’s call it KC1) in front of my app to handle AuthN. In this KC1 I’ve set up a SAML identity provider, which happens to also be a Keycloak on another server (let’s call it KC2).

So when I try to access my app, it redirects me to the KC login screen. I can then choose to connect using my SAML client, but it gives me an “Invalid Requester” and the following warning in the logs:

2022-10-03 12:37:50,065 ERROR [org.keycloak.protocol.saml.SamlService] (default task-5) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:99)
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:84)
...
...
2022-10-03 12:37:50,081 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=KC2-realm, clientId=null, userId=null, ipAddress=10.116.250.11, error=invalid_signature

Configuration on KC1 is:
Service provider entity ID: KC2-client-id
Identity provider ID: http://x.x.x.x/realm/KC2-realm
NameID policy format: persistent
Principal type: Subject NameID
Allow Create: on
HTTP post binding (all of them): ON
Want AuthnResponse signed: ON
Signature algorithm: RSA_SHA256
SAML signature key name: KEY_ID
Want assertion signed / encrypted: OFF
Force auth: OFF
Validate signatures: ON
X509 certificates:

Configuration on KC2 is:
Client ID: KC2-client-id
NameID policy format: persistent
force name ID format: OFF
force POST binding: ON
force artifact binding: OFF
Include AuthnStatement: ON
Include oneTimeUse condition: OFF
Sign documents: ON
Sign assertions: OFF

I’m not sure I understand what’s wrong/missing. I’ve seen on the internet that sometimes this is due to a mismatch in configs, but to me everything seems to be mirrored correctly between the 2 instances.

Obviously something is wrong with the certificates, but there are so many “Keys” that can be set up (Client keys, signing keys, encryption keys, Realm keys, Realm certificates, IDP certificates, …) that I’m completely lost as to what I’m supposed to do with this.

TL;DR: how do I set up a secure connection between 2 Keycloaks, using SAML?

Any help would be appreciated!

Thanks,

Filou
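Added example (mine, not from the post or from the Keycloak project): a Python script that pulls the signing certificates out of a SAML metadata descriptor and checks whether the certificate value configured on the validating side matches one of them, ignoring PEM header lines and line wrapping, and ignoring encryption-only keys. It assumes the standard SAML 2.0 metadata namespaces, which is the shape Keycloak serves at /realms/<realm>/protocol/saml/descriptor, and uses constructed placeholder blobs in place of real DER certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def normalize_cert(value: str) -> bytes:
    """DER bytes of a certificate given as PEM or as bare base64.
    Keycloak's validating-certificate field takes the base64 body only,
    so header/footer lines and all whitespace are stripped first."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def signing_certs_from_metadata(xml_text: str) -> list[bytes]:
    """Every certificate advertised for signing in an EntityDescriptor.
    A KeyDescriptor without a 'use' attribute is valid for both signing
    and encryption, so it is kept; use="encryption" is skipped."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            certs.append(normalize_cert(c.text or ""))
    return certs

def check_configured_cert(metadata_xml: str, configured: str) -> bool:
    """True if the configured certificate is one the signer publishes."""
    want = fingerprint(normalize_cert(configured))
    return any(fingerprint(c) == want for c in signing_certs_from_metadata(metadata_xml))

# Constructed placeholders standing in for real DER certificates.
CERT_A = base64.b64encode(b"constructed placeholder certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder certificate B").decode()

# Constructed descriptor; entityID is a placeholder, the cert text is line-wrapped on purpose.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://idp.example/realms/KC2-realm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>KEY_ID</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>
        {CERT_A[:24]}
        {CERT_A[24:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

A configured value that fails this check (or a passing value on the wrong side of the exchange) is a more useful starting point than the log line alone.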

Hello, have you managed to resolve this issue? I am facing the same.