Keycloak IdP SAML 2 Export of XML metadata to an SP - saml-2.0

I'm using Keycloak version 1.6.1, newly installed as a standalone application.
Keycloak should act as an IdP (Identity provider) for an SP (Service Provider) called Tableau.
I have read from this page: http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html
... Keycloak from being Identity Broker grew into being fully fledged
Identity Provider
While it was an Identity Broker, it is now also an Identity Provider.
My question is then:
I have exported the SP XML metadata from Tableau and imported it into Keycloak, but when it comes to exporting the IdP XML metadata from Keycloak (which should be imported into Tableau), I cannot find a button, command or guide for how to export this XML file.
I have worked with other IdPs and they all support this export of IdP metadata, an example of which you can see here: https://docs.oracle.com/cd/E19636-01/819-7664/g2enua/index.html
If I search for Keycloak and the keyword IDPSSODescriptor I find this:
grepcode.com/file/repo1.maven.org/maven2/org.keycloak/keycloak-saml-protocol/1.1.0.Beta2/idp-metadata-template.xml
Which is exactly the 'template' I need, with the correct links on all ${idp.sso.HTTP-POST} etc. places.
Should I create the file manually - if so how do I find the correct POST, REDIRECT etc. URLs?
Or is there some way of exporting this file I haven't seen?

Sometimes it's a good thing to specify in writing what you need - which I did here on Stack Overflow.
I found the URL to where on Keycloak one can export the IdP XML
https://keycloak-url/realms/{REALM-NAME}/protocol/saml/descriptor
That gave me the IDPSSODescriptor.
I'll leave this thread here, so people can benefit from my mistakes.

Since Keycloak 3.x, the IdP XML descriptor URL needs /auth/ after the Keycloak URL:
https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor

The original poster is correct that the option 'SAML Metadata IDPSSODescriptor' is no longer available on Keycloak 6.0.1.
One change to make: when you use the URL https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor, Rancher expects the root element to be EntityDescriptor, so you need to remove EntitiesDescriptor and copy the namespaces from the root element, i.e.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
....
</EntityDescriptor>
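
The following script is an added example (not code from Keycloak, Tableau or Rancher) that does the two things the answers above describe by hand: it unwraps the single EntityDescriptor from the EntitiesDescriptor that the descriptor endpoint returns, re-declaring the namespaces on the new root, and it lists the entityID, the SingleSignOnService/SingleLogoutService URLs keyed by binding (the HTTP-POST, HTTP-Redirect values the original poster was looking for) and the signing certificates. It assumes the XML was fetched from the descriptor URL and saved to a file; the embedded document is a constructed sample with placeholder host, realm and certificate, not real Keycloak output.

```python
"""Post-process the Keycloak SAML IdP descriptor for an SP import.

Added example, not Keycloak's, Tableau's or Rancher's code. It assumes the XML
was fetched from https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor
(the URL from the answers above) and saved locally; SAMPLE_DESCRIPTOR below is a
constructed stand-in in that shape with placeholder host, realm and certificate.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Emit the metadata namespace as the default and keep Keycloak's "dsig" prefix,
# so the unwrapped EntityDescriptor carries the declarations the answer above
# says to copy from the EntitiesDescriptor root.
ET.register_namespace("", NS["md"])
ET.register_namespace("dsig", NS["ds"])

# Constructed sample (not real Keycloak output): EntitiesDescriptor wrapping a
# single EntityDescriptor, as the descriptor endpoint returns it.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <EntityDescriptor entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
    <IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo><dsig:X509Data>
          <dsig:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</dsig:X509Certificate>
        </dsig:X509Data></dsig:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def _entity(root):
    """Return the one EntityDescriptor, whether or not it is the document root."""
    tag = "{%s}EntityDescriptor" % NS["md"]
    found = list(root.iter(tag))  # iter() includes the root element itself
    if len(found) != 1:
        raise ValueError("expected exactly one EntityDescriptor, found %d" % len(found))
    return found[0]


def unwrap_entity_descriptor(xml_text):
    """Serialize the single EntityDescriptor as a stand-alone document.

    SPs such as Rancher (per the answer above) reject an EntitiesDescriptor root;
    ElementTree re-declares the namespaces the subtree uses on the new root,
    which is the manual "copy the namespaces" step.
    """
    entity = _entity(ET.fromstring(xml_text))
    return ET.tostring(entity, encoding="unicode")


def idp_endpoints(xml_text):
    """Collect what the SP side needs: entityID, SSO/SLO URLs keyed by the short
    binding name (HTTP-POST, HTTP-Redirect, ...) and the signing certificates."""
    entity = _entity(ET.fromstring(xml_text))
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    info = {"entityID": entity.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for key, local in (("sso", "SingleSignOnService"), ("slo", "SingleLogoutService")):
        for svc in idp.findall("md:" + local, NS):
            binding = svc.get("Binding", "")
            short = binding[len(BINDING_PREFIX):] if binding.startswith(BINDING_PREFIX) else binding
            info[key][short] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            info["signing_certs"].append("".join((cert.text or "").split()))
    return info


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIPTOR
    for name, value in idp_endpoints(text).items():
        print(name, value)
    print(unwrap_entity_descriptor(text))
```

Run it as `python keycloak_descriptor.py descriptor.xml` against the saved download; the printed EntityDescriptor is what an SP that insists on that root element can import, and the endpoint listing is what fills the ${idp.sso.HTTP-POST}-style placeholders of the template the original poster found.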

In your realm click on 'Realm Settings' in the menu on the left. Under tab 'General' at 'endpoints' click on 'SAML 2.0 Identity Provider Metadata'. The IdP metadata will appear in a new browser tab.

Related

Aurelia.js Single Page Application Keycloak Authentication Example

I need an example or pointers for using Keycloak.js authentication in an Aurelia.js-based single page web application. In my use case, a user should be able to access my web SPA before login. However, to gain access to additional resources, the user will need to log in. No problem with the backend apps. I just need web-client help.
I have basic HTML5 and Angular.js examples. It seems the example provided by bandrzejczak comes the closest.
I have already searched throughout the web and read the Keycloak, Aurelia, Aurelia-Auth and Aurelia-Authorization docs. I have spent way too much time on this and am hoping someone has already solved this problem. -- Thanks
See Aurelia-Keycloak.
Aurelia-Keycloak
Alpha version. An authentication plugin based on KeyCloak for Aurelia applications.
Get Started
Install Aurelia-Keycloak:
jspm install aurelia-keycloak
Add keycloak configuration and initialization settings:
Follow Keycloak directions for creating a keycloak.json configuration file. Put this file in the same directory as your application's index.html file. Refer to the keycloak javascript adapter documentation for its initialization options and API.
Add plugin to your app's main.js. This example assumes your keycloak.json is in your root directory. This code will immediately cause the login screen to appear.
.plugin('aurelia-keycloak', {initOptions:{ onLoad: 'login-required' }})
To defer login, use the following:
.plugin('aurelia-keycloak')
Then, construct a login button within your code to call the keycloak login function.
Rather than using a keycloak.json file, you can insert the installation config in the plugin declaration:
.plugin('aurelia-keycloak', {install: {PASTE GENERATED KEYCLOAK.JSON HERE}, initOptions: { onLoad: 'login-required' }})
See the GitHub repository for details.

ADFS 2.0 Not handling 'Extension' tag in SAML AuthnRequest - Throwing Exception MSIS7015

We currently have ADFS 2.0 with hotfix 2 rollup installed and working properly as an identity provider for several external relying parties using SAML authentication. This week we attempted to add a new relying party, however, when a client presents the authentication request from the new party, ADFS simply returns an error page with a reference number and does not prompt the client for credentials.
I checked the server ADFS 2.0 event log for the reference number, but it is not present (searching the correlation id column). I enabled the ADFS trace log, re-executed the authentication attempt and this message was presented:
Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
As the message indicates that the request is not well formed, I went ahead and ran the request through xmlsectool and validated it against the SAML protocol XSD (http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd) and it came back clean:
C:\Users\ebennett\Desktop\xmlsectool-1.2.0>xmlsectool.bat --validateSchema --inFile metaauth_kld_request.xml --schemaDirectory . --verbose
INFO XmlSecTool - Reading XML document from file 'metaauth_kld_request.xml'
DEBUG XmlSecTool - Building DOM parser
DEBUG XmlSecTool - Parsing XML input stream
INFO XmlSecTool - XML document parsed and is well-formed.
DEBUG XmlSecTool - Building W3 XML Schema from file/directory 'C:\Users\ebennett\Desktop\xmlsectool-1.2.0\.'
DEBUG XmlSecTool - Schema validating XML document
INFO XmlSecTool - XML document is schema valid
So, I'm thinking that ADFS isn't fully compliant with the SAML specification. To verify, I manually examined the submitted AuthnRequest, and discovered that our vendor is making use of the 'Extensions' element to embed their custom properties (which is valid, according to the SAML specification) (note: "ns33" below correctly namespaces "urn:oasis:names:tc:SAML:2.0:protocol" elsewhere in the request)
<ns33:Extensions>
<vendor_ns:fedId xmlns:vendor_ns="urn:vendor.name.here" name="fedId" value="http://idmfederation.vendorname.org"/>
</ns33:Extensions>
If I remove the previous element from the AuthnRequest and resubmit it to ADFS, everything goes swimmingly. And, in fact, I can leave the 'Extensions' container and simply edit out the vendor namespaced element, and ADFS succeeds.
Now, I guess I have 3 questions:
Why was the reference number not logged to the ADFS log? That really would have helped my early debugging efforts.
Is it a known issue that ADFS's SAML handler cannot handle custom elements defined within the Extensions element, and if so, is there a way to add support (or at least not crash while handling it)? My vendor has offered to change the SAML AuthnRequest generated to omit that tag, but said that it 'may take some time'-- and we all know what that means...
Does anyone think that installing ADFS hotfix rollup 3 will address this situation? I didn't see anything in the doc to indicate the affirmative.
Thanks for your feedback.
When facing a MSIS7015 ADFS error, the best place to start would be enabling ADFS Tracing. Login to the ADFS server as admin and run the following command. If you have a very busy ADFS server, might be wise to do it when the server is not as busy.
C:\Windows\System32\> wevtutil sl "AD FS Tracing/Debug" /L:5
C:\Windows\System32\> eventvwr.msc
In Event Viewer select “Application and Services Logs”, right-click and select “View – Show Analytics and Debug Logs”
Go to AD FS Tracing – Debug, right-click and select “Enable Log” to start Trace Debugging.
Process your ADFS login / logout steps and when finished, go to the event viewer mmc find the sub tree AD FS Tracing – Debug, right-click and select “Disable Log” to stop Trace Debugging.
Look for EventID 49 - incoming AuthnRequest - and verify that values are not being sent with capitalized boolean values. For example, in my case, I was receiving the following values: IsPassive='False', ForceAuthn='False'
In my case, to address the issue, all I needed to do was create an incoming claim transformer rule for the distinct endpoints.
Once the CAPs were transformed to lower case true and false, authentication started working.
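
The thread points at two different things in the AuthnRequest that can trip the ADFS SAML binding handler: the question found a vendor element inside samlp:Extensions, the answer found IsPassive/ForceAuthn spelled 'False' rather than the xs:boolean 'false'. The script below is an added example (not ADFS code or the vendor's) that lints a decoded AuthnRequest for both, and can reproduce the diagnosis step offline by lower-casing the booleans and emptying the Extensions container (which the question reports ADFS accepts). It assumes you already have the decoded XML, for example from the EventID 49 trace entry; the embedded request is constructed to exhibit both symptoms. Since a signed AuthnRequest no longer verifies after any edit, the rewrite is only for reproducing the failure, not for altering live traffic.

```python
"""Lint an incoming SAML AuthnRequest for the two interop problems in this thread.

Added example, not ADFS code or the vendor's. SAMPLE_AUTHN_REQUEST is constructed
to reproduce both symptoms: a vendor element inside samlp:Extensions and the
IsPassive/ForceAuthn attributes spelled "False".
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Prefixes carry no meaning: the vendor's serializer used "ns33", the output
# here uses the conventional samlp/saml.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# xs:boolean lexical space; the SAML protocol schema types IsPassive, ForceAuthn
# and NameIDPolicy/@AllowCreate as xs:boolean, so "False" is schema-invalid.
XS_BOOLEAN = {"true", "false", "1", "0"}
ROOT_BOOLEAN_ATTRS = ("IsPassive", "ForceAuthn")

SAMPLE_AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<ns33:AuthnRequest xmlns:ns33="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    IsPassive="False" ForceAuthn="False"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <ns33:Extensions>
    <vendor_ns:fedId xmlns:vendor_ns="urn:vendor.name.here" name="fedId" value="http://idmfederation.vendorname.org"/>
  </ns33:Extensions>
  <ns33:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</ns33:AuthnRequest>
"""


def _boolean_findings(elem, attrs, where):
    """Report attributes present on elem whose value is outside xs:boolean."""
    out = []
    for name in attrs:
        value = elem.get(name)
        if value is not None and value not in XS_BOOLEAN:
            out.append("%s/@%s='%s' is not an xs:boolean (true/false/1/0)" % (where, name, value))
    return out


def lint_authn_request(xml_text):
    """Return a list of findings; an empty list means neither problem is present."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return ["root element is %s, not samlp:AuthnRequest" % root.tag]
    findings = _boolean_findings(root, ROOT_BOOLEAN_ATTRS, "AuthnRequest")
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    if policy is not None:
        findings += _boolean_findings(policy, ("AllowCreate",), "NameIDPolicy")
    ext = root.find("{%s}Extensions" % SAMLP)
    if ext is not None:
        for child in ext:  # anything under Extensions is from another namespace
            findings.append("Extensions carries foreign element %s" % child.tag)
    return findings


def normalize_authn_request(xml_text, strip_extension_children=True):
    """Rewrite the request the way the thread's diagnosis did: lower-case the
    booleans and empty the Extensions container. Offline reproduction only; a
    signed request no longer verifies after any such edit."""
    root = ET.fromstring(xml_text)
    targets = [(root, ROOT_BOOLEAN_ATTRS)]
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    if policy is not None:
        targets.append((policy, ("AllowCreate",)))
    for elem, attrs in targets:
        for name in attrs:
            value = elem.get(name)
            if value is not None and value.lower() in ("true", "false"):
                elem.set(name, value.lower())
    ext = root.find("{%s}Extensions" % SAMLP)
    if ext is not None and strip_extension_children:
        for child in list(ext):
            ext.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_authn_request(SAMPLE_AUTHN_REQUEST):
        print("finding:", finding)
    print(normalize_authn_request(SAMPLE_AUTHN_REQUEST))
```

The linter does not replace schema validation (xmlsectool, as used in the question, already covers that); it targets exactly the two request features this thread found ADFS to be sensitive to, so it can be run over a trace export to tell which of them a failing relying party is sending.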

I am using Http Form Adapter in Ping Federate. How to get user attributes from SAML Response?

Http Form adapter serves as an authentication service in my application. I have not implemented any application on the Identity Provider to get user inputs.
Therefore, on successful authentication, SP verifies the user's signature and redirects to the application. At my target Resource, I receive an open token. Is it still possible to utilize the open Token Jar to read the user attributes from OTK?
Note: In the Service Provider, I use the OpenToken Adapter.
Also, please let me know if there is any other possible way of getting the user attributes other than using the open token adapter/http form adapter.
Thanks.
There are numerous SP Adapters you can choose to use for your last mile integration with your application. The OpenToken Adapter is just one of them. If your application is in Java and you are using the SP OpenToken Adapter, then you would most likely use the Java OpenToken Agent implementation within your application to read the OTK (documented in the Java Integration Kit). If you look at the Add Ons list, there are actually 3 flavors of OTK Agents (.NET, Java and PHP from PingID. Ruby on Rails and Perl are available via respective Open Source repositories).
However, you are not limited to OpenToken Adapters. The Agentless Integration Kit is also very popular for SP/last-mile integration with PingFederate.
Unfortunately, the question is just too open ended for the Stackoverflow format. I would suggest talking to your Ping Identity Solution Architect who can help steer you in the right direction and ask the necessary follow-up questions on your use case.
If I understand the question correctly, you desire attributes to be fulfilled that the web application can read and utilize. This starts with the SP Connection configuration. I am going to assume you are using Active Directory and already configured that data source along with the Password Credential Validator (PCV) for the HTML Form IdP Adapter. In the SP Connection you will need to extend the attribute contract to define the values to put into the SAML assertion and then use the Active Directory data source to fulfill the attributes. When the SAML assertion is received by the PingFederate SP role server, the SP Adapter maps the attribute values from the SAML assertion into the OpenToken. When your application receives the OpenToken, it can read the values.

Do we need Keystore/JKSKeyManager in IDP initiated SSO (SAML)?

I've successfully implemented SSO authentication using the Spring-SAML extension. Our primary requirement is to support IDP-initiated SSO to our application. Well, by using the configuration from spring-security-saml2-sample, the SP-initiated SSO flow also works for us.
Question: Is the keystore used in IDP-initiated SSO (if the metadata has a certificate)? If it is not used, I would like to get rid of the keystore configuration in securityContext.xml.
Note: SP-initiated SSO and global logout are not needed for us. We use Okta as IDP.
This is a good feature request. I've opened https://jira.spring.io/browse/SES-160 for you and support is available in Spring SAML's trunk with the following documentation:
In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on.
Please note that when using the EmptyKeyManager some of Spring SAML features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

Configure Shibboleth native Service Provider and Apache

I have a simple web application. I want to set up the Shibboleth native SP in front of my web app so that it issues/asserts SAML related things and forwards requests to my web app. Is there a complete tutorial on how to achieve that?
Use TestShib to test your app; it makes this much easier.
Follow these steps:
1. Download and install the SP on your machine.
2. Include Shibboleth's configuration in your Apache:
2.1. In the httpd.conf file add include "PATH/opt/path/etc/apache22" (if the version is Apache 2.2, otherwise the appropriate one).
2.2. In the apache22.config file add the location you want to secure; it is /secure by default.
3. In your shibboleth2.xml file (in the etc folder) put your entity ID (ApplicationDefaults element), e.g. https://mywebsite.com/shibboleth - this can be anything, not necessarily a real path.
4. Put the entity ID of your IdP in the SSO element; in the case of TestShib it would be https://idp.testshib.org/idp/shibboleth
5. In the MetadataProvider put your IdP's metadata URI; in the case of TestShib it would be http://www.testshib.org/metadata/testshib-providers.xml
6. Download your metadata from https://mywebsitehost.com/Shibboleth.sso/Metadata - here mywebsitehost would be a real host and the rest of the path is configured automatically by Shibboleth; this path will download your SP's metadata file.
7. Upload your metadata file to TestShib via Register.
8. You are ready to go. Go to https://mywebsitehost.com/secure and you should be redirected to the IdP to authenticate.
NOTE: Make sure you have a domain name configured with SSL (https).
