Keycloak error parsing SAML response in IdP-initiated SSO

Time: 2018-09-26 22:57:56

Tags: saml keycloak

We are setting up SSO with Active Directory and Keycloak and are trying to configure IdP-initiated login. Keycloak-initiated login works, but IdP-initiated login does not, even though the SAML responses for the two are almost identical (the only difference is InResponseTo on <SubjectConfirmationData>, which is present in the Keycloak-initiated SAML response but not in the IdP-initiated SAML response). I have tried Keycloak versions 4.3.0 and 4.4.0. The IdP setup can be seen here. The Keycloak error and the SAML responses are copied below.

Does anyone have any idea about this error?

When trying to log in using the IdP-initiated flow, Keycloak returns this error:

ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-62)
Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException:
Could not process response from SAML identity provider.

The SAML response that does parse (Keycloak-initiated request) is:

<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://localhost:8443/auth/realms/master/broker/saml/endpoint"
    ID="_e531b61c-6523-401c-b267-4a0525c80542" InResponseTo="ID_5d20a349-5af1-4bc8-973d-c7186d0685cc"
    IssueInstant="2018-09-26T18:15:25.260Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://greenhouse.westus2.cloudapp.azure.com/adfs/services/trust</Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <Assertion ID="_0afd4f01-b9a0-4819-865c-e96319da773b" IssueInstant="2018-09-26T18:15:25.260Z"
        Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://greenhouse.westus2.cloudapp.azure.com/adfs/services/trust</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0afd4f01-b9a0-4819-865c-e96319da773b">
                    <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>RGUuFFUrcb3z+ncO3nUsg79tnTjPeB4O/87lPVdw1Dw=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>qP+/5mL5Tln8NKu/Rvz0fWjzMQ1W74UtpULH2OCF88hQtJCO0fGEYlI0kaSk7RSCdbDKx8aWvxkIS0Mi+0vMNGtgs5vWvKzzelm6GTbv7PfOByNd6hsyxBttiaowAsF2JreFJYWBXLr1XQTegA5tCmpmBgKlEVLKGyReF/UJj2/afzPmCkt8ACXq7Dx+Af70sHHHm8WNWJ45P0SHy5Yg/CnyhxC3rNh2MgCe3h9JEJNjNCbrchT9jx97Po80f6KABAaejYtTiUdTtzh7ufFDZ78wami5Z5kpE93X3zKj+CCM2wAWqCu0lQLYeP2KGS1ndK4roFU8iEd4rjuQszXXSQ==</SignatureValue>
            <KeyInfo>
                <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Certificate>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</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">adminuser@example.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ID_5d20a349-5af1-4bc8-973d-c7186d0685cc"
                NotOnOrAfter="2018-09-26T18:20:25.260Z"
                Recipient="https://localhost:8443/auth/realms/master/broker/saml/endpoint"/></SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2018-09-26T18:15:25.260Z" NotOnOrAfter="2018-09-26T19:15:25.260Z">
            <AudienceRestriction>
                <Audience>https://localhost:8443/auth/realms/master</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>adminuser@example.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2018-09-26T18:08:16.444Z"
            SessionIndex="_0afd4f01-b9a0-4819-865c-e96319da773b">
            <AuthnContext>
                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

The SAML response that does not parse (IdP-initiated) is:

<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://localhost:8443/auth/realms/master/broker/saml/endpoint"
    ID="_89868c3e-98a9-426a-8c49-53b128730584" IssueInstant="2018-09-25T21:22:34.653Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://greenhouse.westus2.cloudapp.azure.com/adfs/services/trust</Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <Assertion ID="_6968f4ad-d97e-4f46-af2f-cbae662702f8" IssueInstant="2018-09-25T21:22:34.653Z"
        Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://greenhouse.westus2.cloudapp.azure.com/adfs/services/trust</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_6968f4ad-d97e-4f46-af2f-cbae662702f8">
                    <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>FyYk5PDcetumqiefCgrNErVTBi52tGJ8kPGMTCByvUA=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>wC9OsDUzNQthY2pLD3hJNgwBceSBvKDcR6AiL2IsQ0A4iGY5tSF0p/YVWyDbe9rLIDcLctn8MQI9FuNCCqMU1QamTtvV1nV9SoPTmMdeC2NgeWnW9HAdg8Sv5tn5bD42E6NAG73RE2fUgWI57rm/+tlt8P3ROdLqXmEaVq5b0wfbqan+QroDxrjn/8oQdUx08mf1P24p37fFtlKWBDW3Oh/gN/0p9MYJIMJ0VjM9jWmoZ0GLz+Zf7NykEB8GzXQfiSWDCiTQfA287TilqpdK1Ni40tUBr1ZEDdqlR1o1gdu4P9rkSJqg1KnB4wwHq1F+cDZ9xVSPBhIBG43jO11D3A==</SignatureValue>
            <KeyInfo>
                <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Certificate>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</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">adminuser@example.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2018-09-25T21:27:34.653Z"
                Recipient="https://localhost:8443/auth/realms/master/broker/saml/endpoint"/></SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2018-09-25T21:22:34.653Z" NotOnOrAfter="2018-09-25T22:22:34.653Z">
            <AudienceRestriction>
                <Audience>https://localhost:8443/auth/realms/master</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>adminuser@example.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2018-09-25T20:20:26.139Z"
            SessionIndex="_6968f4ad-d97e-4f46-af2f-cbae662702f8">
            <AuthnContext>
                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

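As an added example (not from the post, and not Keycloak's own code), the check a service provider has to make on the two response shapes above, using constructed minimal responses and placeholder URLs: in the Keycloak-initiated case the InResponseTo values on the Response and on SubjectConfirmationData must match an outstanding AuthnRequest, while in the IdP-initiated case there is nothing to match, so the SP can only accept the response if unsolicited responses are explicitly enabled, and Recipient, NotOnOrAfter and Audience become the only checks that bound the assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal responses mirroring the two shapes in the post (signature,
# attributes and real IDs omitted; only the fields this check reads are kept).
SP_INITIATED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="ID_abc">
  <saml:Assertion ID="_a1"><saml:Subject><saml:SubjectConfirmation
    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    InResponseTo="ID_abc" NotOnOrAfter="2018-09-26T18:20:25Z"
    Recipient="https://sp.example/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
# Same document with both InResponseTo attributes dropped, as in the IdP-initiated case.
IDP_INITIATED = SP_INITIATED.replace(' InResponseTo="ID_abc"', "")
NOW = datetime(2018, 9, 26, 18, 16, tzinfo=timezone.utc)  # constructed clock


def validate_bearer(xml_text, outstanding_ids, acs_url, audience, now=NOW,
                    allow_unsolicited=False):
    """Return (ok, reason). outstanding_ids holds AuthnRequest IDs this SP issued
    and has not yet consumed (each must be accepted at most once)."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData for bearer confirmation"
    resp_irt, scd_irt = root.get("InResponseTo"), scd.get("InResponseTo")
    if resp_irt is None and scd_irt is None:
        # Unsolicited (IdP-initiated): nothing ties this response to a request we made.
        if not allow_unsolicited:
            return False, "unsolicited response but IdP-initiated login is not enabled"
    elif resp_irt != scd_irt or resp_irt not in outstanding_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    # The remaining checks apply to both flows and are all that bounds an unsolicited
    # assertion: where it may be presented, until when, and for which SP.
    if scd.get("Recipient") != acs_url:
        return False, "Recipient is not this SP's assertion consumer URL"
    expiry = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        return False, "SubjectConfirmationData NotOnOrAfter has passed"
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion is not addressed to this SP (Audience)"
    return True, "ok"
```

The outstanding_ids set is the SP-side state that gives a solicited response its replay protection; an unsolicited response has no such state, which is why the remaining three checks have to be strict for it.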
0 Answers:

No answers