
KC fails due to AuthnRequest does not contain optional destination attribute

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.2.1.Final
    • Fix Version/s: 3.3.0.CR1
    • Component/s: Protocol - SAML
    • Labels:
      None
    • Environment:
    • Steps to Reproduce:

      We configured AzureAD to use our Keycloak instance, like this:

      # Federate the Azure AD domain with Keycloak over SAML-P; every endpoint
      # is the realm's single SAML URL.
      $cer="$our_cert_string"
      $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
      $dom="test.domain.cloud"
      Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
          -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri `
          -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP


      When I now try to log in on the Azure portal, I get successfully
      redirected to https://keycloak.internal/auth/realms/azure/protocol/saml,
      but then I get the following error from Keycloak:

      2017-08-22 11:49:47,735 DEBUG
      [org.hibernate.internal.util.EntityPrinter] (default task-3)
      org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
      ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
      sessionId=null, time=1503402587482, error=invalid_authn_request,
      type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
      

      The SAML AuthnRequest sent by M$ looks as follows:

      2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
      (default task-3)
      <samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b"
                          Version="2.0"
                          IssueInstant="2017-08-22T11:47:46.793Z"
                          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
      </samlp:AuthnRequest>
      

    • Docs QE Status:
      NEW
    • QE Status:
      VERIFIED

      Description

      Following the conversation at http://lists.jboss.org/pipermail/keycloak-user/2017-August/011595.html, I was pleased to open a bug for this issue.

      The problem is that Microsoft Azure AD does not send the optional attribute "Destination" [1] in the AuthnRequest, but KC checks it as mandatory, which interrupts the SSO handshake.

      [1] http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
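
The validation the report is about, written out as an added example in Python (this is not Keycloak's code or its fix; Keycloak is Java). It contrasts a strict check that fails exactly as the reporter's event log shows with one that follows the SAML 2.0 rules: Destination is optional on an AuthnRequest (Core 3.2.1), but when it is present the IdP must verify it names the endpoint the message arrived at, and when the message is signed the HTTP-Redirect and HTTP-POST bindings require Destination to be present (Bindings 3.4.5.2 and 3.5.5.2). The sample request and endpoint URL are the ones quoted in the report; the function names, the URL canonicalisation and the `signed` flag are this example's own assumptions.

```python
"""Destination validation for an inbound SAML 2.0 AuthnRequest (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# The AuthnRequest quoted in the bug report: Azure AD sends no Destination attribute.
AZURE_REQUEST = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" '
    'IssueInstant="2017-08-22T11:47:46.793Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    "</samlp:AuthnRequest>"
)

# The realm SAML endpoint from the report.
ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"


def _canonical(url: str) -> str:
    """Scheme and host are case-insensitive; drop the query string so the Redirect
    binding's SAMLRequest/Signature parameters do not affect the comparison (assumed policy)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def parse_authn_request(xml_text: str) -> ET.Element:
    # ElementTree does not resolve external entities, but a production parser should
    # still refuse DTDs outright (e.g. defusedxml) before the message reaches this point.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    return root


def check_destination_strict(xml_text: str, received_at: str) -> Optional[str]:
    """The behaviour the report describes: Destination treated as mandatory.
    Returns an error reason, or None when the request is acceptable."""
    dest = parse_authn_request(xml_text).get("Destination")
    if dest is None or _canonical(dest) != _canonical(received_at):
        return "invalid_destination"
    return None


def check_destination(xml_text: str, received_at: str, signed: bool) -> Optional[str]:
    """Spec-conformant check: an absent Destination is fine for an unsigned request,
    a present one must match the receiving endpoint, and a signed request must carry one."""
    dest = parse_authn_request(xml_text).get("Destination")
    if dest is None:
        return "missing_destination" if signed else None
    if _canonical(dest) != _canonical(received_at):
        return "invalid_destination"
    return None


def with_destination(xml_text: str, dest: str) -> str:
    """Helper for the demonstration: a copy of the request carrying a Destination attribute."""
    root = parse_authn_request(xml_text)
    root.set("Destination", dest)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_destination_strict(AZURE_REQUEST, ENDPOINT))         # invalid_destination
    print(check_destination(AZURE_REQUEST, ENDPOINT, signed=False))  # None
    print(check_destination(AZURE_REQUEST, ENDPOINT, signed=True))   # missing_destination
    # A request captured for some other IdP and forwarded here is still rejected.
    forwarded = with_destination(AZURE_REQUEST, "https://other-idp.example/saml")
    print(check_destination(forwarded, ENDPOINT, signed=False))      # invalid_destination
```

The point of keeping the check at all is that Destination is what stops a captured request from being replayed against a different endpoint; the right fix is to skip the comparison only when the attribute is absent, not to drop it. Whether "absent" should also be tolerated for signed requests is a policy choice this example makes conservatively (reject), in line with the bindings text.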

      People

      • Assignee: Unassigned
      • Reporter: Jonas Weismueller (jonas.weismueller)
      • Tester: Michal Hajas
      • Votes: 0
      • Watchers: 1