IdP-initiated SSO using Keycloak


Question

This question is in the area of SAML-based IdP-initiated SSO. As a POC, I have two Keycloak instances, say keycloak1 and keycloak2. I would want to achieve the below:

  1. Authentication would be done at keycloak1.
  2. keycloak1 then directs to keycloak2 to access a keycloak2 client application.

For this,

a) Create a SAML client at keycloak1 under realm1, with "IdP Initiated SSO Name" set to some name without spaces, say keycloakclientsaml. In the "Fine Grain SAML Endpoint Configuration" section, set "Assertion Consumer Service POST Binding URL" to http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml

( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login )

b) Click on the above created SAML client --> Installation --> export "SAML Metadata IDPSSODescriptor" and save it as saml-metadata.xml (say).

c) Add a user in keycloak1, say user1/user@123

d) At keycloak2, create an IdP (Identity Providers tab). Import the above exported saml-metadata.xml and save.

e) In the browser hit http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/keycloakclientsaml . At the prompt for username/password, give the credentials for user1.

f) The URL in the browser now changes to

http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloakclientsaml

At the keycloak2 instance, I get the error:

09:20:46,775 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-6) Assertion ID_789213dd-24f9-425f-ae20-bcadef173bc6 is not addressed to this SP.
09:20:46,775 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-6) Assertion expired.
09:20:46,775 WARN [org.keycloak.events] (default task-6) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=realm2, clientId=null, userId=null, ipAddress=keycloak2, error=invalid_saml_response

Could someone help here?

  1. Are the steps given above correct?
  2. What am I missing?

If any other information is required, let me know. I would be happy to provide it.

Recommended answer

Finally got it working.

So here is the answer to the above:

The error pasted above was related to "Assertion expired". In my case, it was because the client ID given in the SAML client of keycloak1 was not a recognized URL of keycloak2. It should be pointing to the keycloak2 realm (for example, http://<keycloak2:port>/realms/realm2 ). Then the Conditions section in the SAML response is validated at the keycloak2 broker IdP (code: SAMLEndpoint.java --> handleLoginResponse method).

Leaving this thread here; for clarity, the steps are given below in detail:

a) Create a SAML client at keycloak1 under realm1, with "IdP Initiated SSO Name" set to some name without spaces, say sso.

b) In the "Fine Grain SAML Endpoint Configuration" section of the above client, set "Assertion Consumer Service (ACS) POST Binding URL" to http://<keycloak2:port>/auth/realms/realm2/broker/saml/endpoint/clients/keycloak2samlclient

( https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login )

c) Click on the above created SAML client --> Installation --> export "SAML Metadata IDPSSODescriptor" and save it as saml-metadata.xml (say).

d) Add a user in keycloak1, say user1/user@123

e) At keycloak2, create an IdP (Identity Providers tab) with the name saml (refer to the ACS URL). Import the above exported saml-metadata.xml and save.

f) At keycloak2, create a SAML client and in the "IdP Initiated SSO URL" give the name keycloak2clientsaml.

g) In the browser hit http://<keycloak1>/auth/realms/realm1/protocol/saml/clients/sso . At the prompt for username/password, give the credentials for user1.
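The log lines in the question show why the client ID matters: the brokering side (keycloak2's SAML identity provider) checks the assertion's <Conditions> element, and the AudienceRestriction must name the broker's own Service Provider Entity ID, which by default is the realm URL. The assertion's Audience is whatever the issuing side (keycloak1's SAML client) uses as its client ID, so a bare name such as "keycloakclientsaml" is rejected as "not addressed to this SP", and the endpoint then reports the generic "Assertion expired". The following is an added example, not Keycloak's own code or anything from the answer above: a minimal re-implementation of the two Conditions checks (validity window and audience) run over three constructed assertions. Hostnames, ports, the entity ID http://keycloak2:8080/auth/realms/realm2 and the timestamps are assumptions for the example; the assertions are unsigned and carry only the elements the check reads.

```python
# Added example: re-implements the SAML 2.0 <Conditions> checks (validity window
# and AudienceRestriction) that a brokering SP performs before accepting an
# assertion. Hostnames, ports, entity IDs and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


@dataclass
class ConditionsResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def parse_saml_instant(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2020-01-01T09:20:46Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # SAML instants are UTC; treat naive values as such
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_conditions(assertion_xml: str, sp_entity_id: str, now: datetime,
                        clock_skew: timedelta = timedelta(seconds=0)) -> ConditionsResult:
    """Check NotBefore / NotOnOrAfter and that sp_entity_id is a listed Audience."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ConditionsResult(False, ["no saml:Assertion element"])
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return ConditionsResult(False, ["assertion carries no saml:Conditions"])

    reasons: List[str] = []
    not_before = conditions.get("NotBefore")
    if not_before and now + clock_skew < parse_saml_instant(not_before):
        reasons.append("assertion not yet valid (NotBefore in the future)")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - clock_skew >= parse_saml_instant(not_on_or_after):
        reasons.append("assertion expired (NotOnOrAfter reached)")

    # Every AudienceRestriction must independently name this SP (SAML core 2.5.1.4).
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            reasons.append(f"assertion is not addressed to this SP: audiences={audiences}")
    return ConditionsResult(not reasons, reasons)


def build_assertion(audience: str, not_before: datetime, not_on_or_after: datetime) -> str:
    """Constructed, unsigned assertion with only the parts the Conditions check reads."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="ID_example" Version="2.0"
    IssueInstant="{not_before.strftime(fmt)}">
  <saml:Issuer>http://keycloak1:8080/auth/realms/realm1</saml:Issuer>
  <saml:Conditions NotBefore="{not_before.strftime(fmt)}" NotOnOrAfter="{not_on_or_after.strftime(fmt)}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo() -> Dict[str, ConditionsResult]:
    """Three constructed assertions as seen by a broker whose SP entity ID is realm2's URL."""
    sp_entity_id = "http://keycloak2:8080/auth/realms/realm2"  # assumed broker entity ID
    now = datetime(2020, 1, 1, 9, 20, 46, tzinfo=timezone.utc)  # constructed clock
    window = timedelta(minutes=5)
    samples = {
        # Client ID on keycloak1 left as a bare name: the audience never matches the SP.
        "misconfigured": build_assertion("keycloakclientsaml", now - window, now + window),
        # Client ID set to realm2's entity ID, as the answer describes.
        "fixed": build_assertion(sp_entity_id, now - window, now + window),
        # Correct audience, but the validity window has already closed.
        "expired": build_assertion(sp_entity_id, now - 2 * window, now - window),
    }
    return {name: validate_conditions(xml, sp_entity_id, now) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} ok={result.ok} {'; '.join(result.reasons)}")
```

Running the block prints one line per sample; only "fixed" passes. The clock_skew parameter models the tolerance a real broker applies for clock drift between the two servers; with zero skew an assertion whose NotOnOrAfter equals the current second is already rejected, which is a second reason the "Assertion expired" message can appear even when the audience is correct.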
