Investigating the debug logs in step 9, it seems that the AUTH_SESSION_ID cookie is not “sharable” between the saml and oidc clients:
2020-11-26 10:22:27,994
DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4)
PKCE non-supporting Client
2020-11-26 10:22:27,994
DEBUG [org.keycloak.services.util.CookieHelper] (default task-4)
Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
2020-11-26 10:22:27,994
DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
Not found AUTH_SESSION_ID cookie
2020-11-26 10:22:27,994
DEBUG [org.keycloak.services.util.CookieHelper] (default task-4)
Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
2020-11-26 10:22:27,994
DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
Not found AUTH_SESSION_ID cookie
2020-11-26 10:22:27,994
DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-4)
Set AUTH_SESSION_ID cookie with value 0b80e705-987a-401c-a8ac-8e6adc3d711e.keycloak01
After Step 10, I have the following login events for the Apps:
SAML1:
2020-11-26 09:52:23,171
DEBUG [org.keycloak.events] (default task-4)
type=LOGIN,
realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
clientId=https://10.2.3.36/mellon/metadata,
userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
ipAddress=10.2.3.30,
auth_method=saml,
redirect_uri=https://10.2.3.36/mellon/postResponse,
consent=no_consent_required,
code_id=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
username=testuser,
authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
authSessionTabId=-EyBY9B25hM
SAML2:
2020-11-26 10:16:44,942
DEBUG [org.keycloak.events] (default task-4)
type=LOGIN,
realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
clientId=https://10.2.3.104/auth/saml/metadata,
userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
ipAddress=10.2.3.30,
auth_method=saml,
redirect_uri=https://10.2.3.104/auth/saml/callback,
consent=no_consent_required,
code_id=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
username=testuser,
authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28,
authSessionTabId=rku6qb4b4yo
OIDC:
2020-11-26 10:22:33,491
DEBUG [org.keycloak.events] (default task-1)
type=LOGIN,
realmId=4e67ce88-a6be-4701-bce6-7c5f05f530d7,
clientId=openwisp01,
userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f,
ipAddress=10.2.3.30,
auth_method=openid-connect,
auth_type=code,
redirect_uri=https://openwisp01.core/accounts/keycloak/login/callback/,
consent=no_consent_required,
code_id=0b80e705-987a-401c-a8ac-8e6adc3d711e,
username=testuser,
authSessionParentId=0b80e705-987a-401c-a8ac-8e6adc3d711e,
authSessionTabId=EF7ACfc01ks
Does anyone have an idea why the cookie cannot be found?
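One way to make the split visible from the event log, as an added example that is not part of the original post: the sketch below groups LOGIN events by the `authSessionParentId` field printed above and reports any user whose logins landed in more than one authentication session. The function names are hypothetical, and the sample lines are the post's own events condensed onto one line each with only the fields the script uses.

```python
import re
from collections import defaultdict

# LOGIN events condensed from the post above (one line per event, unused fields dropped).
SAMPLE_EVENTS = [
    "type=LOGIN, clientId=https://10.2.3.36/mellon/metadata, userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f, auth_method=saml, authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28, authSessionTabId=-EyBY9B25hM",
    "type=LOGIN, clientId=https://10.2.3.104/auth/saml/metadata, userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f, auth_method=saml, authSessionParentId=22f4ee0a-dba3-4e80-b58e-fd2728f0ac28, authSessionTabId=rku6qb4b4yo",
    "type=LOGIN, clientId=openwisp01, userId=fccfe34c-eb6b-42a9-9896-6f0390628b0f, auth_method=openid-connect, authSessionParentId=0b80e705-987a-401c-a8ac-8e6adc3d711e, authSessionTabId=EF7ACfc01ks",
]

# key=value pairs separated by commas; values never contain a comma or whitespace here.
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Turn one 'k=v, k=v, ...' event line into a dict."""
    return dict(FIELD_RE.findall(line))


def group_by_auth_session(lines):
    """Map (userId, authSessionParentId) -> [(clientId, auth_method), ...]."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "LOGIN":
            continue  # ignore anything that is not a login event
        key = (ev["userId"], ev["authSessionParentId"])
        groups[key].append((ev["clientId"], ev["auth_method"]))
    return dict(groups)


def split_sessions(lines):
    """Return {userId: {authSessionParentId: clients}} for users with >1 session."""
    per_user = defaultdict(dict)
    for (user, parent), clients in group_by_auth_session(lines).items():
        per_user[user][parent] = clients
    return {u: s for u, s in per_user.items() if len(s) > 1}


if __name__ == "__main__":
    for user, sessions in split_sessions(SAMPLE_EVENTS).items():
        print(f"user {user} has {len(sessions)} separate auth sessions:")
        for parent, clients in sessions.items():
            print(f"  {parent}: {clients}")
```
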