SSL errors trying to use Keycloak as a SAML IdP

I’ve been working in SAML for many years, but this is my first go-round with Keycloak, so if I show any ignorance, specific to the Keycloak solution / deployments, my apologies.

Trying to set up an IDP on Keycloak, and I think the base IDP config is correct. I have valid, public (not self-signed or anything) SSL certs on both the IDP server and the SP (simplesaml.php-based).

I’ve imported the SP metadata from file, and when trying to test SP-initiated auth from the simplesaml.php interface, it properly sends the browser over to Keycloak, but then Keycloak throws up an error:

“We are sorry…
An internal server error has occurred”

On the server log side, we’re seeing this:

So it appears to be an SSL validation issue, somewhere, but I’m at a loss as to where it’s at, and would appreciate any help you might provide.

What is the Keycloak URL of that error?

With my company-specific data removed with placeholders, below:

https://my Keycloak host:8443/auth/realms/my Realm name/protocol/saml?SAMLRequest=my request data&RelayState=https://my simplesaml host/saml/module.php/core/authenticate.php?as=My-Test

Anyone have any ideas?

I tried backreving to an older release. Same issue.

I’ve tried using truststore.jks, checked all of my SSL certificates to ensure everything is properly resolving and using them, tried disabling the realm requirement for ‘Require SSL’ to every possible setting, and nothing is resolving this.

I’m certain it’s likely something I’m doing, but would really appreciate it if anyone has a solid idea as to root cause / resolution.

Thanks.

Which version of Keycloak are you using? Did you check that the SSL root cert is in the truststore used by Keycloak?

Hi Thomas.

8.0.1 is my running version

Which root cert and which keystore are you referring to? (Short answer, I believe I had done this, yes, but want to confirm I’m putting the right chain and root cert into the right keystore. Perhaps I’m not, and I’ve overcomplicated this in my head.)

My SP’s web certificate chain is entirely in my truststore (just validated). My LDAPS works fine with the certs that were imported there, but I’m still having the issue with the SP and the checkSsl error. Any other ideas?

SAML may also use other certificates, e.g. for signing or encryption. It is not clear how you configured the SAML client or what the SAML request looks like (is it encrypted? is it signed? …). If you can’t publish the SAML request, then it is up to you - you have the backtrace and the source code, so you can track down what is failing.

I got it working this evening. I noticed that when watching SAML traces of the activity, it was redirecting to the wrong URL. I updated the Frontend URL config on the IDP for the Realm and the flow is working properly in my lab now.

Have a great evening. Regards
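The fix above came down to the IdP redirecting to, and validating against, the wrong URL. In the HTTP-Redirect binding the SP's AuthnRequest travels in the `SAMLRequest` query parameter as raw DEFLATE, base64 and URL encoding, and its `Destination` attribute has to match the endpoint the IdP believes it is serving; a Frontend URL that differs from what the SP sees produces exactly that kind of mismatch. The following script is an added example, not code from the thread or from the Keycloak or SimpleSAMLphp projects. It builds a constructed redirect URL (all hosts, realm name, paths and IDs are invented placeholders), then decodes the request and reports whether its `Destination` and `AssertionConsumerServiceURL` line up with the endpoint you expect, which is what you would check in a SAML trace before touching the realm configuration. Every function name here is the example's own.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders: hypothetical IdP realm endpoint and SP relay state.
IDP_ENDPOINT = "https://idp.example.test:8443/auth/realms/example/protocol/saml"
RELAY_STATE = "https://sp.example.test/saml/module.php/core/authenticate.php?as=test-sp"

# Constructed, unsigned AuthnRequest with a Destination that matches IDP_ENDPOINT.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    f'Destination="{IDP_ENDPOINT}" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/module.php/saml/sp/saml2-acs.php/test-sp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test/saml/module.php/saml/sp/metadata.php/test-sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text: str) -> str:
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE (no zlib
    header), base64, then percent-encode for use in a query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_request(b64_text: str) -> str:
    """Reverse of the binding encoding; takes the already percent-decoded value."""
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def query_params(url: str) -> dict:
    """Split the query string by hand: parse_qs would turn '+' into a space,
    which corrupts the base64 in SAMLRequest."""
    params = {}
    for pair in urllib.parse.urlsplit(url).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[urllib.parse.unquote(key)] = urllib.parse.unquote(value)
    return params


def build_sample_redirect_url() -> str:
    """Assemble the kind of URL the SP sends the browser to (constructed)."""
    return (
        f"{IDP_ENDPOINT}?SAMLRequest={encode_redirect_request(SAMPLE_AUTHN_REQUEST)}"
        f"&RelayState={urllib.parse.quote(RELAY_STATE, safe='')}"
    )


def inspect_saml_redirect(url: str, expected_destination: str) -> dict:
    """Decode the AuthnRequest carried by a redirect URL and compare the
    addresses inside it with the endpoint the IdP is expected to serve."""
    params = query_params(url)
    root = ET.fromstring(decode_redirect_request(params["SAMLRequest"]))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    destination = root.get("Destination")
    acs_url = root.get("AssertionConsumerServiceURL")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    # The endpoint actually requested, with the query stripped, for comparison.
    parts = urllib.parse.urlsplit(url)
    requested_endpoint = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return {
        "destination": destination,
        "acs_url": acs_url,
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": params.get("RelayState"),
        "destination_matches_expected": destination == expected_destination,
        "destination_matches_requested": destination == requested_endpoint,
        "acs_is_https": bool(acs_url) and acs_url.startswith("https://"),
    }


if __name__ == "__main__":
    report = inspect_saml_redirect(build_sample_redirect_url(), IDP_ENDPOINT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To use it on a real trace, pass the redirect URL captured from the browser as the first argument and the IdP's configured front-end URL plus `/realms/<realm>/protocol/saml` as the second; a `False` for `destination_matches_expected` points at the Frontend URL or SP metadata before it points at certificates.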