KEYCLOAK-2943

SAML federation link fails to work with read-only LDAP user


    Details

    • Steps to Reproduce:
      1. Log in as a read-only LDAP user
      2. Log out
      3. Authenticate as the same user, but using SAML for the first time
      4. Wait for the email with the federation verification link
      5. Click the link to verify the federation link

      Description

      I have an existing user in Keycloak that is federated from a read-only LDAP database.

      I also enabled SAML authentication into Keycloak from ADFS. I can get the link validation email to confirm linking the SAML user to the existing account. However, when I click on that link, I get an error:

      "Unexpected error when authenticating with identity provider"

      And this stack trace, indicating that Keycloak can't write to federated storage.

      I'm not sure what it failed to write - if you look at the user in Keycloak, the Identity Provider Link is listed there.

      2016-04-28 15:20:05,509 ERROR [org.keycloak.services] (default task-12) identityProviderUnexpectedErrorMessage: org.keycloak.models.ModelReadOnlyException: Federated storage is not writable
      at org.keycloak.federation.ldap.ReadonlyLDAPUserModelDelegate.setEmail(ReadonlyLDAPUserModelDelegate.java:63)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.models.utils.UserModelDelegate.setEmail(UserModelDelegate.java:155)
      at org.keycloak.broker.saml.mappers.UserAttributeMapper.updateBrokeredUser(UserAttributeMapper.java:141)
      at org.keycloak.services.resources.IdentityBrokerService.updateFederatedIdentity(IdentityBrokerService.java:643)
      at org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin(IdentityBrokerService.java:432)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:483)
      at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
      at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
      at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
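The trace shows the failure path: IdentityBrokerService.afterFirstBrokerLogin runs the SAML UserAttributeMapper, which calls setEmail on the user; that call passes down a chain of UserModelDelegate wrappers until it reaches ReadonlyLDAPUserModelDelegate, which throws ModelReadOnlyException for any write. The following Java is an added illustration, not Keycloak's code: it uses stand-in classes with the same names as in the trace (no Keycloak dependency) to reproduce the unconditional write, and then shows a defensive mapper that skips the write when the asserted value already matches the LDAP value and tolerates a read-only backend instead of failing the whole link flow. The sample user, email value and the "skip unchanged / catch read-only" strategy are assumptions for illustration.

```java
// Added illustration (not Keycloak's code): models the delegate chain from the
// stack trace and shows why the SAML attribute mapper hits the read-only LDAP
// delegate, plus a defensive mapper that only writes when a value changes.
import java.util.HashMap;
import java.util.Map;

public class ReadOnlyFederationDemo {

    /** Stand-in for org.keycloak.models.ModelReadOnlyException. */
    static class ModelReadOnlyException extends RuntimeException {
        ModelReadOnlyException(String msg) { super(msg); }
    }

    /** Minimal stand-in for Keycloak's UserModel (only the email attribute). */
    interface UserModel {
        String getEmail();
        void setEmail(String email);
    }

    /** A writable local user, used here only as the bottom of the chain. */
    static class LocalUser implements UserModel {
        private String email;
        LocalUser(String email) { this.email = email; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    /** Stand-in for UserModelDelegate: forwards every call to the wrapped user. */
    static class UserModelDelegate implements UserModel {
        protected final UserModel delegate;
        UserModelDelegate(UserModel delegate) { this.delegate = delegate; }
        public String getEmail() { return delegate.getEmail(); }
        public void setEmail(String email) { delegate.setEmail(email); }
    }

    /** Stand-in for ReadonlyLDAPUserModelDelegate: reads pass through, writes throw. */
    static class ReadonlyLDAPUserModelDelegate extends UserModelDelegate {
        ReadonlyLDAPUserModelDelegate(UserModel delegate) { super(delegate); }
        @Override public void setEmail(String email) {
            throw new ModelReadOnlyException("Federated storage is not writable");
        }
    }

    /** Naive mapper, behaving like the trace: unconditionally writes the brokered attribute. */
    static void naiveUpdateBrokeredUser(UserModel user, Map<String, String> samlAttrs) {
        user.setEmail(samlAttrs.get("email"));
    }

    /**
     * Defensive mapper (assumed fix strategy): skip the write when the asserted value
     * is unchanged, and treat a read-only backend as "this attribute is owned by LDAP"
     * rather than aborting first-broker-login. Returns true only if a write happened.
     */
    static boolean defensiveUpdateBrokeredUser(UserModel user, Map<String, String> samlAttrs) {
        String incoming = samlAttrs.get("email");
        if (incoming == null || incoming.equals(user.getEmail())) {
            return false;                       // nothing to change, so no write is attempted
        }
        try {
            user.setEmail(incoming);
            return true;
        } catch (ModelReadOnlyException e) {
            // Backend owns the attribute; record it and let the link proceed.
            System.err.println("skipping email update for read-only user: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an LDAP-federated user wrapped the way the trace shows,
        // several UserModelDelegate layers over the read-only LDAP delegate.
        UserModel ldapUser = new ReadonlyLDAPUserModelDelegate(new LocalUser("jane@example.com"));
        UserModel user = new UserModelDelegate(new UserModelDelegate(ldapUser));

        Map<String, String> samlAttrs = new HashMap<>();
        samlAttrs.put("email", "jane@example.com");   // ADFS asserts the same address LDAP holds

        try {
            naiveUpdateBrokeredUser(user, samlAttrs);  // throws exactly as in the trace
        } catch (ModelReadOnlyException e) {
            System.out.println("naive mapper: " + e.getMessage());
        }

        boolean wrote = defensiveUpdateBrokeredUser(user, samlAttrs);
        System.out.println("defensive mapper wrote=" + wrote + ", email=" + user.getEmail());
    }
}
```

Run with `javac ReadOnlyFederationDemo.java && java ReadOnlyFederationDemo`. The naive path throws even though the asserted email is identical to the LDAP value, which matches the reporter's observation that nothing actually needed writing; the defensive path links the identity without touching the read-only store.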


      People

      • Assignee: Bill Burke (bill.burke)
        Reporter: Jason Axley (jaxley)
      • Votes: 0
        Watchers: 5