Keycloak 2.5.1 / SAML integration


#1

Hey everyone,

I’ve recently integrated ManageIQ with Keycloak 2.5.1 per the docs: http://manageiq.org/docs/reference/latest/auth/saml. I know it’s only been tested with 1.8, but thought I’d give it a shot.

Almost everything works fine - login, assigning groups, etc.

The only issue seems to be with logout. When I logout, the webpage redirects to “https://miq-appliance/saml2”, and hits a 404:

“The requested URL /saml2 was not found on this server”

I’ve verified that I only have the one “SingleLogoutService” definition in /etc/httpd/saml2/idp-metadata.xml:

<SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location= ... />

If I tail /var/www/miq/vmdb/log/apache/ssl_access.log, it seems to be an issue with the post:

<ip-address> - - <date-time> "GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
<ip-address> - - <date-time> "POST /saml2 HTTP/1.1" 404

I don’t understand why the application is performing a post though…

If I access https://miq-appliance/saml2/logout?ReturnTo=/ directly, the appliance performs the redirect correctly without the 404, and I see the following in /var/www/miq/vmdb/log/apache/ssl_access.log:

<ip-address> - - <date-time> "GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303 
<ip-address> - - <date-time> "GET /saml2/logout?SAMLResponse=... HTTP/1.1" 303
<ip-address> - - <date-time> "GET / HTTP/1.1" 303
<ip-address> - - <date-time> "GET /saml2/login HTTP/1.1" 303

Any ideas?


#2

I recently verified with 2.5.4.Final. You can keep both POST and Redirect in the idp-metadata.xml file.

In the Clients setting for that appliance’s realm on keycloak, I have:

  • Valid Redirect URIs (…/saml2/postResponse)
  • Master SAML Processing (…/saml2)

and under Fine Grain SAML Endpoint Configuration:

  • Assertion Consumer Service POST Binding URL (…/saml2/postResponse)
  • Assertion Consumer Service Redirect Binding URL (…/saml2/postResponse)
  • Logout Service POST unspecified
  • Logout Service Redirect Binding URL (…/saml2/logout).

#3

Thanks @abellotti,

I’ve tried leaving the POST and Redirect in the idp-metadata.xml, though I get the same issue on 2.5.1.

From /var/www/miq/vmdb/log/apache/ssl_access.log

"GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
"POST /saml2 HTTP/1.1" 404

I’m running multiple domain-clustered Keycloak appliances, balanced across two ManageIQ UI-dedicated appliances with a ‘source’ strategy via haproxy. So, I think this is more to do with my configuration than anything else.

For now, I’m working around this with a redirect in /etc/httpd/conf.d/manageiq-redirects-ui:

+ RewriteRule ^/saml2$ /saml_login [R]

This doesn’t seem to break anything else, though the log is a bit convoluted now:

"GET /saml2/logout?ReturnTo=/ HTTP/1.1" 303
"POST /saml2 HTTP/1.1" 302
"GET /saml_login HTTP/1.1" 303
"GET /saml2/login?ReturnTo=https%3A..." 303

#4

Hi,
I’m having issues with the SAML integration with Keycloak v3.4.3.

Following the docs, when obtaining the idp-metadata.xml I can’t find the username ID format in the section:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Do I need to add it manually?

Next, when trying to authenticate, the appliance redirects to the IdP (I see cookies from Keycloak) and when I enter the credentials (POST sent from Keycloak), I get an empty response (GET saml_login).
I have to create the group and roles first in the appliance, but it cannot look up the group at creation time.

==> /var/log/manageiq/apache/ssl_access.log <==
192.168.43.142 - - [07/Mar/2018:12:43:34 +0100] "POST /saml2/postResponse HTTP/1.1" 303 250

==> /var/log/manageiq/apache/ssl_request.log <==
[07/Mar/2018:12:43:34 +0100] 192.168.43.142 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /saml2/postResponse HTTP/1.1" 250

==> /var/log/manageiq/apache/miq_apache.log <==
[Wed Mar 07 12:43:34.808871 2018] [core:notice] [pid 8423] AH00052: child pid 18513 exit signal Segmentation fault (11)
[Wed Mar 07 12:43:34.809113 2018] [core:notice] [pid 8423] AH00052: child pid 18535 exit signal Segmentation fault (11)
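A quick way to check an idp-metadata.xml for the two things posts #1 and #4 inspected by hand (which SingleLogoutService bindings the IdP advertises, and which of the four NameIDFormats from the docs are present). This is an added example, not code from the thread, ManageIQ or Keycloak; the metadata below is constructed and keycloak.example is a placeholder hostname.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# The four NameID formats the ManageIQ SAML docs expect to find in idp-metadata.xml.
EXPECTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample metadata (Keycloak-style layout); keycloak.example is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example/auth/realms/miq">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/auth/realms/miq/protocol/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/auth/realms/miq/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Summarise the IdP's logout bindings and NameID formats.
    Parse with defusedxml instead if the metadata comes from an untrusted party."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Which SLO bindings the IdP advertises; the thread's 404 was a POST to the SP's /saml2.
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    nameid = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    return {
        "entity_id": root.get("entityID"),
        "slo_endpoints": slo,
        "slo_has_post_binding": POST in slo,
        "slo_has_redirect_binding": REDIRECT in slo,
        "nameid_formats": nameid,
        "missing_nameid_formats": EXPECTED_NAMEID_FORMATS - nameid,
    }


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

To check a real appliance, read /etc/httpd/saml2/idp-metadata.xml and pass its contents instead of SAMPLE_METADATA.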


#5

With the last stable version all is working fine!