Keycloak 2.5.1/ SAML integration


#1

Hey everyone,

I’ve recently integrated ManageIQ with Keycloak 2.5.1 per the docs: http://manageiq.org/docs/reference/latest/auth/saml. I know it’s only been tested with 1.8, but thought I’d give it a shot.

Almost everything works fine - login, assigning groups, etc.

The only issue seems to be with logout. When I logout, the webpage redirects to “https://miq-appliance/saml2”, and hits a 404:

“The requested URL /saml2 was not found on this server”

I’ve verified that I only have the one “SingleLogoutService” definition in /etc/httpd/saml2/idp-metadata.xml:

<SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location= ... />

If I tail /var/www/miq/vmdb/log/apache/ssl_access.log, it seems to be an issue with the post:

<ip-address> - - <date-time> "GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
<ip-address> - - <date-time> "POST /saml2 HTTP/1.1" 404

I don’t understand why the application is performing a post though…

If I access https://miq-appliance/saml2/logout?ReturnTo=/ directly, the appliance performs the redirect correctly without the 404, and I see the following in /var/www/miq/vmdb/log/apache/ssl_access.log:

<ip-address> - - <date-time> "GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303 
<ip-address> - - <date-time> "GET /saml2/logout?SAMLResponse=... HTTP/1.1" 303
<ip-address> - - <date-time> "GET / HTTP/1.1" 303
<ip-address> - - <date-time> "GET /saml2/login HTTP/1.1" 303

Any ideas?


#2

I recently verified with 2.5.4.Final. You can keep both POST and Redirect in the idp-metadata.xml file.

In the Clients setting for that appliance’s realm on keycloak, I have:

  • Valid Redirect URIs (…/saml2/postResponse)
  • Master SAML Processing URL (…/saml2)

and under Fine Grain SAML Endpoint Configuration:

  • Assertion Consumer Service POST Binding URL (…/saml2/postResponse)
  • Assertion Consumer Service Redirect Binding URL (…/saml2/postResponse)
  • Logout Service POST Binding URL unspecified
  • Logout Service Redirect Binding URL (…/saml2/logout)

#3

Thanks @abellotti,

I’ve tried leaving the POST and Redirect in the idp-metadata.xml, though I get the same issue on 2.5.1.

From /var/www/miq/vmdb/log/apache/ssl_access.log:

"GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
"POST /saml2 HTTP/1.1" 404

I’m running multiple domain-clustered Keycloak appliances, balanced across two ManageIQ UI-dedicated appliances with a ‘source’ strategy via haproxy. So, I think this is more to do with my configuration than anything else.

For now, I’m working around this with a redirect in /etc/httpd/conf.d/manageiq-redirects-ui:

+ RewriteRule ^/saml2$ /saml_login [R]

This doesn’t seem to break anything else, though the log is a bit convoluted now:

"GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
"POST /saml2 HTTP/1.1" 302
"GET /saml_login HTTP/1.1" 303
"GET /saml2/login?ReturnTo=https%3A..." 303

#4

Hi,
I’m having issues with the integration of SAML with Keycloak v3.4.3.

Following the docs, when obtaining the idp-metadata.xml I can’t find the username ID format in the section:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Do I need to add it manually?

Next, when trying to authenticate, the appliance redirects to the IdP (I see cookies from Keycloak) and when I enter the credentials (POST sent from Keycloak), I get an empty response (GET saml_login).
I have to create the group and roles first in the appliance, but it cannot look up the group at creation time.

==> /var/log/manageiq/apache/ssl_access.log <==
192.168.43.142 - - [07/Mar/2018:12:43:34 +0100] "POST /saml2/postResponse HTTP/1.1" 303 250

==> /var/log/manageiq/apache/ssl_request.log <==
[07/Mar/2018:12:43:34 +0100] 192.168.43.142 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /saml2/postResponse HTTP/1.1" 250

==> /var/log/manageiq/apache/miq_apache.log <==
[Wed Mar 07 12:43:34.808871 2018] [core:notice] [pid 8423] AH00052: child pid 18513 exit signal Segmentation fault (11)
[Wed Mar 07 12:43:34.809113 2018] [core:notice] [pid 8423] AH00052: child pid 18535 exit signal Segmentation fault (11)

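As an added example (not code from ManageIQ, Keycloak or mod_auth_mellon, and not part of any post in this thread), here is a small Python script that reads an idp-metadata.xml export and lists the SingleLogoutService bindings that posts #1 and #2 discuss (whether both POST and Redirect are present) together with the NameIDFormat entries asked about in post #4. The metadata document embedded in it is constructed for the example; the hostname keycloak.example.test and the realm name miq are placeholders, and the findings it prints are observations to check against the Keycloak client settings, not a verdict on a given deployment.

```python
"""Inspect a SAML 2.0 IdP metadata file (such as /etc/httpd/saml2/idp-metadata.xml)
and report the endpoints and NameID formats the SP will rely on.

Added example for this thread; not code from ManageIQ, Keycloak or mod_auth_mellon.
The hostname keycloak.example.test and realm name "miq" are constructed placeholders.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample IdP descriptor: SSO and SLO via both bindings, plus the four
# NameIDFormat entries discussed in the thread. A real export also carries the
# IdP signing certificate, which this example omits.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.test/auth/realms/miq">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/auth/realms/miq/protocol/saml"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.test/auth/realms/miq/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/auth/realms/miq/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.test/auth/realms/miq/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(idp, tag):
    """Map short binding name (HTTP-POST, HTTP-Redirect) -> Location for one service type."""
    out = {}
    for el in idp.findall(f"md:{tag}", NS):
        binding = el.get("Binding", "")
        out[binding.replace(BINDING_PREFIX, "")] = el.get("Location")
    return out


def parse_idp_metadata(xml_text):
    """Return entityID, SSO/SLO endpoints per binding and the advertised NameID formats.

    The file is operator-controlled, so xml.etree is acceptable here; for metadata
    fetched from a remote party use defusedxml to avoid entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    return {
        "entity_id": root.get("entityID"),
        "sso": _endpoints(idp, "SingleSignOnService"),
        "slo": _endpoints(idp, "SingleLogoutService"),
        "nameid_formats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def logout_findings(info):
    """Plain-text observations about logout and NameID support in parsed metadata."""
    findings = []
    slo = info["slo"]
    if not slo:
        findings.append("no SingleLogoutService: SP-initiated logout cannot reach the IdP")
    for binding in ("HTTP-Redirect", "HTTP-POST"):
        if binding not in slo:
            findings.append(f"SingleLogoutService lacks {binding} binding")
    if not info["nameid_formats"]:
        findings.append("no NameIDFormat advertised; the SP must configure the format it requests")
    return findings


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py /etc/httpd/saml2/idp-metadata.xml
    # Without an argument the constructed sample above is inspected.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("entityID:", info["entity_id"])
    for kind in ("sso", "slo"):
        for binding, loc in sorted(info[kind].items()):
            print(f"{kind.upper()} {binding:14} {loc}")
    for fmt in info["nameid_formats"]:
        print("NameIDFormat", fmt)
    for finding in logout_findings(info) or ["no findings"]:
        print("-", finding)
```

Running it against the real export shows at a glance whether the file advertises one or both SLO bindings and which NameID formats the IdP offers; the Keycloak side (the Logout Service POST/Redirect Binding URLs from post #2) still has to be compared by hand, since it is not part of the exported metadata.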

#5

With the last stable version all is working fine!


#6

Hi,

@abellotti
I am using 2.5.4.Final in a Docker container on the same appliance as ManageIQ. I have configured all the things mentioned in the integration doc on the ManageIQ website. Initially httpd was not working when I restarted; after troubleshooting I disabled SELinux and now Keycloak is working and the integration is done. When I log in from the page "Login to Corporate System", after giving the user and password I get this page instead of the login.


#7

Hello @Asad_Rajput. I’ll try to help you out with this. I’ll need some information.

Can you please share with me the link you used to configure SAML?
You say you are running in docker. Are you running an MiQ appliance image or pod-ified MiQ?
If pod-ified did you use the ConfigMap Generator to create a config map?
If you did can you share the config map.
If not on a pod-ified MiQ but running an appliance, can you share with me your /etc/httpd/conf.d/manageiq-external-auth-saml.conf?

Thank you. JoeV