
I have Keycloak on port 8081, proxied by nginx on 443 on the path /saml-sp. I followed all of the docs to set up the proxy. The well-known OpenID endpoint check and the IP address check all look good.

However, I have a SAML 2 Identity Provider integration which fails after submitting the login page there. The error in the Keycloak logs is invalid_destination, but the destination in the SAML looks exactly like the endpoint. I have frontendUrl set as well, to the external address. I must be missing something, but I don't know what. Here's the error:

2020-10-02 08:55:36,888 WARN  [org.keycloak.events] (default task-117) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=aerograph, clientId=null, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_saml_response, reason=invalid_destination

This is my nginx config:

location /saml-sp/ {
    client_max_body_size 1000m;
    proxy_connect_timeout 7d;
    proxy_send_timeout 7d;
    proxy_read_timeout 7d;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # Forwarded headers Keycloak reads when proxy-address-forwarding is enabled
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $host;
    # proxy_pass with a URI part ("/") replaces the matched "/saml-sp/" prefix,
    # so the upstream receives /auth/... instead of /saml-sp/auth/...
    proxy_pass http://localhost:8081/;
}

Thanks for any help.

Brad
  • what is the assertion consumer URL provided to your IdP through federation metadata? – Bhushan Karmarkar Oct 06 '20 at 08:54
  • Did you set `proxy-address-forwarding` to true - https://www.keycloak.org/docs/latest/server_installation/#identifying-client-ip-addresses ? – Jan Garaj Oct 06 '20 at 10:23
  • @jan-garaj I did set proxy-address-forwarding in my standalone.xml as well, per the docs. As I said, the well-known endpoints all look correct and have my nginx path prefix. – Brad Oct 06 '20 at 13:04
  • @BhushanKarmarkar AssertionConsumerService URL is https://aerograph.arc.nasa.gov/saml-sp/auth/realms/aerograph/broker/saml/endpoint. This is all inside a gov network. – Brad Oct 06 '20 at 13:18
  • My guess: you need to start keycloak/wildfly with context path `/saml-sp/` and then nginx with `proxy_pass http://localhost:8081/saml-sp/;`. I would say that Keycloak is now not aware of the context path. – Jan Garaj Oct 06 '20 at 14:51
  • @jan-garaj thank you for the response. Where is that configured ? – Brad Oct 06 '20 at 15:33
  • Probably https://stackoverflow.com/questions/28470872/how-to-define-context-path-in-wildfly – Jan Garaj Oct 06 '20 at 18:54
  • I think there is a problem in your proxy config. You are redirecting "/saml-sp/" to "/", which results in a non-existing endpoint. In my nginx config, I redirected as follows - location / { proxy_pass http://; } – Bhushan Karmarkar Oct 07 '20 at 04:30
  • The correct config would be - "location /saml-sp/ { proxy_pass http://localhost:8081/saml-sp; }" – Bhushan Karmarkar Oct 07 '20 at 04:31
  • I ultimately decided to map nginx path /auth/ to localhost:8081/auth/ and that resolved it. With that you don't have to change the web context. Your comments got me on the right path, thank you. – Brad Oct 10 '20 at 19:24
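To make the path rewriting in this thread concrete, here is a small model (example code written for this page, not code from the question, from nginx or from Keycloak) of nginx's documented proxy_pass rule and of the Destination comparison that ends in reason=invalid_destination. It reuses the endpoint URL quoted in the comments as constructed sample input. Two things are assumptions: that Keycloak builds the endpoint URL it expects from the forwarded scheme and host plus the path as nginx delivered it, and that the Destination attribute must name that URL exactly. The last case models the `location /auth/` mapping the asker settled on; the trailing-slash case goes beyond the thread to show a related nginx gotcha.

```python
from urllib.parse import urlsplit

# Constructed sample values, reusing the URLs quoted in the comments above.
FRONTEND = "https://aerograph.arc.nasa.gov"
ACS_URL = FRONTEND + "/saml-sp/auth/realms/aerograph/broker/saml/endpoint"


def upstream_path(location: str, proxy_pass: str, request_path: str) -> str:
    """Path the upstream receives, following nginx's proxy_pass rule for a
    prefix location:

    * proxy_pass without a URI part (http://localhost:8081): the request
      path is forwarded unchanged;
    * proxy_pass with a URI part (http://localhost:8081/ or .../saml-sp/):
      the part of the request path that matched the location prefix is
      replaced by that URI, character for character, trailing slash included.
    """
    if not request_path.startswith(location):
        raise ValueError(f"{request_path!r} does not match location {location!r}")
    uri = urlsplit(proxy_pass).path
    if uri == "":
        return request_path
    return uri + request_path[len(location):]


def url_seen_by_keycloak(proto: str, host: str, path: str) -> str:
    """Absolute URL Keycloak reconstructs for the request: scheme and host
    from the X-Forwarded-* headers (proxy-address-forwarding=true), path as
    it arrived from nginx. Simplified model, assumed for this example."""
    return f"{proto}://{host}{path}"


def destination_matches(saml_destination: str, endpoint_url: str) -> bool:
    """The comparison behind reason=invalid_destination, modelled as: the
    Destination attribute of the SAML Response must name the exact URL
    (scheme, host, path) that received the POST."""
    a, b = urlsplit(saml_destination), urlsplit(endpoint_url)
    return (a.scheme, a.netloc, a.path) == (b.scheme, b.netloc, b.path)


def check_proxy(location: str, proxy_pass: str, acs_url: str) -> dict:
    """Run one nginx location through the model. The IdP POSTs the Response
    to acs_url (the AssertionConsumerService URL from the SP metadata) and
    puts that same URL into Destination."""
    acs = urlsplit(acs_url)
    path = upstream_path(location, proxy_pass, acs.path)
    seen = url_seen_by_keycloak(acs.scheme, acs.netloc, path)
    ok = destination_matches(acs_url, seen)
    return {"upstream_path": path, "keycloak_url": seen, "ok": ok,
            "reason": None if ok else "invalid_destination"}


if __name__ == "__main__":
    cases = [
        # the question's config: prefix stripped, Keycloak sees /auth/...
        ("/saml-sp/", "http://localhost:8081/", ACS_URL),
        # prefix preserved; only works if Keycloak serves under context path /saml-sp
        ("/saml-sp/", "http://localhost:8081/saml-sp/", ACS_URL),
        # missing trailing slash: prefix replaced by "/saml-sp", giving /saml-spauth/...
        ("/saml-sp/", "http://localhost:8081/saml-sp", ACS_URL),
        # the resolution from the comments: map /auth/ to /auth/, no context-path change
        ("/auth/", "http://localhost:8081/auth/",
         FRONTEND + "/auth/realms/aerograph/broker/saml/endpoint"),
    ]
    for loc, pp, acs in cases:
        r = check_proxy(loc, pp, acs)
        print(f"location {loc} proxy_pass {pp}: upstream {r['upstream_path']} "
              f"-> {r['reason'] or 'ok'}")
```

The quickest real-world check is the same comparison by hand: read the Destination attribute out of the posted SAMLResponse and compare it with the URL that reaches Keycloak after the proxy (visible in the access log or by tracing the request on port 8081); any difference in scheme, host or path prefix produces this warning.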
