Still have to log in on OpenID client after successful login on SAML client

Hey there,

I have three applications which I want to secure with Keycloak.

For testing purposes, I configured a standalone Keycloak server with two SAML clients and one OpenID client.

The OpenID client is based on django allauth.
One of the SAML clients is based on apache_mod_auth_mellon, the other SAML client is the “zammad” ticket system, where SAML is integrated.

When I want to test SSO, the following problem occurs:

When I first successfully log in from a SAML client, no additional login is required for the other SAML client, but I still have to log in again for the OpenID client.

After a lot of research, I am stuck on how to solve this problem.
So the questions are:

  • Are there any common pitfalls that jam the interoperability between these protocols, or
  • did I miss some realm configuration to enable this?

If anyone could help point me in the right direction that would be great!
Please let me know if more specific information is needed.

Explain a bit more how you test. I would recommend testing by accessing the target app directly, which should redirect to Keycloak and then return to the app.

SAML and OIDC work very differently.

Make sure that you are logged out of everything before trying the next scenario. Preferably use a private mode in the browser.

For OIDC it would be good to know whether you get to Keycloak and fail on the redirect back.
You can also look into the Keycloak logs.

I see that the topic name is somewhat ambiguous. I apologize for that.

As you suggested, I will explain the procedure to make the problem easier to understand.

For the explanation I will name the three apps with the name of the protocol they are using.

  • SAML1
  • SAML2
  • OIDC

My testing workflow is:

  1. Revoke all sessions on the Keycloak side for all users.
  2. As a precaution, I delete all app cookies in the browser.
  3. Then I try to access the app SAML1 directly.
  4. SAML1 redirects me to the Keycloak realm login page, where I enter the username testuser and the password.
  5. After a successful login, Keycloak redirects me back to the SAML1 app, where I am now logged in as testuser.
  6. Then I try to access the app SAML2 directly.
  7. The SAML2 app also redirects me to Keycloak, but Keycloak immediately redirects me back to the SAML2 app, where I am now logged in as testuser.
  8. Now I try to access the app OIDC directly.
  9. The OIDC app then redirects me to Keycloak, where I land on the realm login page and have to enter the username testuser and the password again.
  10. After a successful login, Keycloak redirects me back to the OIDC app, where I am now logged in as testuser.

To my understanding, step 9 should behave like step 7.

The same behavior also happens the other way round.
When the first app I log in to is the OIDC app, then I also have to log in again on the Keycloak side for the first SAML app I want to use. For the second SAML app, I don't have to log in again.


Perfect explanation and I share your expectation.

Investigating the debug logs in step 9, it seems that the AUTH_SESSION_ID cookie is not "shareable" between the SAML and OIDC clients:

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4)
	   	 PKCE non-supporting Client

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.services.util.CookieHelper] (default task-4)
	   	 Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
	   	 Not found AUTH_SESSION_ID cookie

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.services.util.CookieHelper] (default task-4)
	   	 Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
	   	 Not found AUTH_SESSION_ID cookie

2020-11-26 10:22:27,994
	   DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
	   	 Set AUTH_SESSION_ID cookie with value 0b80e705-987a-401c-a8ac-8e6adc3d711e.keycloak01

After Step 10, I have the following login events for the Apps:

SAML1:

2020-11-26 09:52:23,171
   DEBUG [org.keycloak.events] (default task-4)
   	 type=LOGIN,
	 realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
	 clientId=https://10.2.3.36/mellon/metadata,
	 userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
	 ipAddress=10.2.3.30,
	 auth_method=saml,
	 redirect_uri=https://10.2.3.36/mellon/postResponse,
	 consent=no_consent_required,
	 code_id=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
	 username=testuser,
	 authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
	 authSessionTabId=-EyBY9B25hM

SAML2:

2020-11-26 10:16:44,942
   DEBUG [org.keycloak.events] (default task-4)
   	 type=LOGIN,
	 realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
	 clientId=https://10.2.3.104/auth/saml/metadata,
	 userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
	 ipAddress=10.2.3.30,
	 auth_method=saml,
	 redirect_uri=https://10.2.3.104/auth/saml/callback,
	 consent=no_consent_required,
	 code_id=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
	 username=testuser,
	 authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
	 authSessionTabId=rku6qb4b4yo

OIDC:

2020-11-26 10:22:33,491
   DEBUG [org.keycloak.events] (default task-1)
   	 type=LOGIN,
	 realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
	 clientId=openwisp01,
	 userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
	 ipAddress=10.2.3.30,
	 auth_method=openid-connect,
	 auth_type=code,
	 redirect_uri=https://openwisp01.core/accounts/keycloak/login/callback/,
	 consent=no_consent_required,
	 code_id=0b80e705-987a-401c-a8ac-8e6adc3d711e,
	 username=testuser,
	 authSessionParentId=0b80e705-987a-401c-a8ac-8e6adc3d711e,
	 authSessionTabId=EF7ACfc01ks

Has anyone an idea why the cookie cannot be found?

Debug it in the browser; you have developer tools where you can see the cookies and their settings. Are you using a recent Keycloak version?

@jangaraj Thanks for the hint.
I took another look at the cookies and found that a small difference in the domain name caused the error. After I corrected it, Keycloak behaved smoothly as expected. :grinning:
Thanks to everyone for your efforts to help.
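The two signals this thread turned on are visible without browser developer tools: every application must send the user to the same Keycloak origin (scheme, host and port), or the browser will not attach the AUTH_SESSION_ID / identity cookies set under the other hostname; and in the Keycloak event log a client that joined the existing SSO session shares its authSessionParentId with the earlier logins, while a client that forced a fresh login gets a new one (as the SAML1/SAML2 events above share 22f4ee0a... and the OIDC event has 0b80e705...). The following script is an added example, not code from the thread, Keycloak or any of the three applications: it checks a constructed set of per-app Keycloak URLs for an origin mismatch (the hostnames keycloak01 and keycloak01.core are assumptions for illustration) and parses constructed, single-line copies of the events quoted above to report which client re-authenticated.

```python
"""Spot the two symptoms of a Keycloak cookie-domain mismatch across SAML/OIDC clients.

Added example for this thread. APP_IDP_URLS and LOG are constructed sample data;
the hostnames are assumptions, the event fields mirror the format quoted above.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: the Keycloak base URL each application was configured with.
# Cookies are scoped by host, so "keycloak01" and "keycloak01.core" are two
# different cookie jars even when they resolve to the same server.
APP_IDP_URLS = {
    "SAML1": "https://keycloak01.core/auth/realms/demo",
    "SAML2": "https://keycloak01.core/auth/realms/demo",
    "OIDC": "https://keycloak01/auth/realms/demo",
}

# Constructed single-line copies of the events quoted in the thread.
LOG = """\
2020-11-26 09:52:23,171 DEBUG [org.keycloak.events] (default task-4) type=LOGIN, realmId=4e67ce88, clientId=https://10.2.3.36/mellon/metadata, auth_method=saml, username=testuser, authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28, authSessionTabId=-EyBY9B25hM
2020-11-26 10:16:44,942 DEBUG [org.keycloak.events] (default task-4) type=LOGIN, realmId=4e67ce88, clientId=https://10.2.3.104/auth/saml/metadata, auth_method=saml, username=testuser, authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28, authSessionTabId=rku6qb4b4yo
2020-11-26 10:22:27,994 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4) Not found AUTH_SESSION_ID cookie
2020-11-26 10:22:33,491 DEBUG [org.keycloak.events] (default task-1) type=LOGIN, realmId=4e67ce88, clientId=openwisp01, auth_method=openid-connect, username=testuser, authSessionParentId=0b80e705-987a-401c-a8ac-8e6adc3d711e, authSessionTabId=EF7ACfc01ks
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +DEBUG \[org\.keycloak\.events\].*?type=LOGIN, (?P<fields>.*)$"
)


def cookie_scope(url):
    """Return the (scheme, host, port) triple that decides which cookies a browser sends."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def group_by_cookie_scope(app_urls):
    """Group apps by the Keycloak origin they use; more than one group means SSO cannot work."""
    groups = defaultdict(list)
    for app, url in app_urls.items():
        groups[cookie_scope(url)].append(app)
    return {scope: sorted(apps) for scope, apps in groups.items()}


def parse_login_events(log_text):
    """Extract the key=value fields of every type=LOGIN event line."""
    events = []
    for line in log_text.splitlines():
        match = EVENT_RE.match(line)
        if not match:
            continue
        fields = dict(kv.strip().split("=", 1) for kv in match.group("fields").split(","))
        fields["ts"] = match.group("ts")
        events.append(fields)
    return events


def find_reauthentications(events):
    """Clients whose LOGIN did not reuse the user's first authSessionParentId.

    A client that joined the existing SSO session inherits the parent id; a new
    parent id means Keycloak did not see the session cookie and asked for credentials.
    """
    first_parent = {}
    reauthenticated = []
    for event in events:
        user, parent = event["username"], event["authSessionParentId"]
        if user not in first_parent:
            first_parent[user] = parent
        elif parent != first_parent[user]:
            reauthenticated.append(event["clientId"])
    return reauthenticated


def count_missing_session_cookie(log_text):
    """How often Keycloak reported that no AUTH_SESSION_ID cookie arrived."""
    return sum("Not found AUTH_SESSION_ID cookie" in line for line in log_text.splitlines())


if __name__ == "__main__":
    for scope, apps in group_by_cookie_scope(APP_IDP_URLS).items():
        print("Keycloak origin", scope, "used by", apps)
    print("Clients that re-authenticated:", find_reauthentications(parse_login_events(LOG)))
    print("Missing AUTH_SESSION_ID cookie reports:", count_missing_session_cookie(LOG))
```

Run against real data, replace APP_IDP_URLS with the IdP URL from each app's configuration (the mellon IdP metadata URL, the zammad SAML settings, the allauth provider URL) and LOG with the Keycloak server log with events logging at DEBUG; an app landing in its own origin group is the one whose users will be prompted again.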