
I'm trying to configure IdP-initiated SSO with Google acting as the IdP, in order to be able to authenticate to our web app, which supports SSO authentication via Keycloak, by clicking on the custom SAML app in the Google Workspace popup (basically it's just a link to https://accounts.google.com/o/saml2/initsso?idpid=[IDP ID]&spid=[SP ID]&forceauthn=false). The problem I have is that the request to Keycloak (ACS URL) fails with the following error:

[Screenshot: Keycloak Error 1]

If I set the Start URL field in the Google SSO configuration to, for example, my web app's SSO login page, then it fails with another error:

[Screenshot: Keycloak Error 2]

Failing HTTP request:

  • URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
  • Method: POST
  • Status Code: 400
  • Form Data: SAMLResponse=[LONG BASE64]&RelayState=[EMPTY OR Start URL VALUE]

This is the configuration I use for Google custom SAML app:

  • ACS URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
  • Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
  • Signed response: ON
  • Name ID format: EMAIL
  • Name ID: Basic Information > Primary email

Keycloak Identity Provider SAML Config:

  • Service Provider Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
  • Single Sign-On Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
  • Single Logout Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
  • NameID Policy Format: Email
  • Principal Type: Subject NameID
  • HTTP-POST Binding Response: ON
  • HTTP-POST Binding for AuthnRequest: ON
  • Validate Signature: ON
  • Validating X509 Certificates: [...]

Keycloak Version: 17.0.0

So my question is: what could be wrong with this setup, and do I need to put some URL into the Start URL field? Also, do I need to configure a separate Keycloak client? I couldn't find any relation between the Google SAML / Keycloak IdP configuration and the Keycloak client configuration.

UPDATE:

Network recording in HAR format

Ilya I
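Added example (not code from the asker, Google or Keycloak): a script that decodes the SAMLResponse form field from the failing POST above and reports the fields the Keycloak broker checks, comparing Destination with the ACS URL and Audience with the SP Entity ID from the configuration, and flagging a missing signature or missing InResponseTo. The hostnames, IDs and the sample response are constructed placeholders.

```python
# Added example, not the asker's code: decode the SAMLResponse POSTed to the Keycloak
# broker endpoint and compare the fields the broker validates against the configured
# values. Hostnames, IDs and the sample response below are constructed.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_response(saml_response_b64, expected_acs_url, expected_sp_entity_id):
    """Return (fields, problems): what Keycloak checks and which checks would fail."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    signed = root.find("ds:Signature", NS) is not None or (
        assertion is not None and assertion.find("ds:Signature", NS) is not None)
    fields = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),      # must equal the ACS URL
        "in_response_to": root.get("InResponseTo"),  # absent in IdP-initiated flows
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "signed": signed,
    }
    problems = []
    if fields["destination"] != expected_acs_url:
        problems.append(f"Destination {fields['destination']!r} != ACS URL {expected_acs_url!r}")
    if fields["audience"] != expected_sp_entity_id:
        problems.append(f"Audience {fields['audience']!r} != SP Entity ID {expected_sp_entity_id!r}")
    if not signed:
        problems.append("no ds:Signature on Response or Assertion; Validate Signature=ON rejects it")
    if fields["in_response_to"] is None:
        problems.append("no InResponseTo: unsolicited (IdP-initiated) response")
    return fields, problems

# Constructed sample: unsigned, unsolicited, and its Audience carries a trailing
# slash that the broker's configured SP Entity ID does not have.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://keycloak.example/realms/demo/broker/google/endpoint">
 <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE-ID</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://keycloak.example/realms/demo/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

To use it on a real capture, paste the URL-decoded SAMLResponse value from the HAR entry in place of SAMPLE_B64 and pass the ACS URL and Service Provider Entity ID exactly as configured in the Keycloak identity provider.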
  • Are you able to generate a HAR file by any chance and share it? You can review how to do it here: https://toolbox.googleapps.com/apps/har_analyzer/. It would allow you to review the logs and check what particular attribute could be affecting the verification; it should be the one with the error, invalid request. – Ricardo Jose Velasquez Cruz Sep 05 '22 at 20:40
  • @RicardoJoseVelasquezCruz Yes. I've reviewed with HAR Analyzer but didn't find anything new, looks like it shows pretty much same information as in Chrome Dev Tools. – Ilya I Sep 07 '22 at 16:36
  • Are you able to share the HAR file if possible to decode it and check the attributes? You can utilize a test new user. – Ricardo Jose Velasquez Cruz Sep 09 '22 at 18:42
  • @RicardoJoseVelasquezCruz Ok, added the link in the question – Ilya I Sep 12 '22 at 08:29
  • It looks like you switch to OIDC on your dev server. Generally, check the Keycloak logs for why Keycloak doesn't like the SAML response (maybe a different entity ID is expected, maybe the used/configured signing/encryption keys are not correct, ...). It is not clear from your HAR what the SAML response looks like. I would disable Signed response/Validate Signature to have a simple setup, which is easy to debug. You can enable it later when the other components are configured correctly. – Jan Garaj Sep 15 '22 at 10:08
  • @JanGaraj I've tried disabling Signed response on Google's side and Validate Signature in Keycloak, but it didn't change anything. I've updated the HAR recording link above. It seems that the issue is that Google and Keycloak use the RelayState field differently - Google expects a URL, whereas Keycloak expects a dynamic session ID along with a client ID. – Ilya I Sep 15 '22 at 14:04
  • I don't believe you can use IDP initiated login (clicking on custom SAML app in Google Workspace popup) https://stackoverflow.com/questions/71545359/idp-initiated-sso-from-google-saml-with-keycloak-as-identity-broker – Jan Garaj Sep 15 '22 at 14:45
  • I checked both HAR files and, after decoding them, I notice that it does send all the required attributes in the SAML; however, it might not be getting a response from Keycloak confirming the attribute mapping. – Ricardo Jose Velasquez Cruz Sep 21 '22 at 21:47
  • @RicardoJoseVelasquezCruz Any idea why it might not be getting a response? – Ilya I Sep 22 '22 at 13:58
  • @RicardoJoseVelasquezCruz How can you force KC to send the response, confirming the attribute mapping? – Rabzu Sep 24 '22 at 12:04

0 Answers