azure-active-directorysingle-sign-onkeycloaksaml-2.0idp
Assertion expired - Keycloak
I'm doing IDP initiated sign-on where Azure AD is my IDP and Keycloak is a broker. I get below error in Keycloak server console -
11:02:17,571 DEBUG [org.keycloak.saml.common] (default task-9) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2021-01-01T05:32:17.571Z 11:02:17,575 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Evaluating Conditions of Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988. notBefore=2021-01-01T05:32:15.180Z, notOnOrAfter=2021-01-01T05:33:15.180Z, updatedNotBefore: 2021-01-01T05:32:10.180Z, updatedOnOrAfter=2021-01-01T05:33:20.180Z, now: 2021-01-01T05:32:17.571Z 11:02:17,578 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 is not addressed to this SP. 11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Allowed audiences are: [https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client, https://localhost:8443/auth/realms/demo] 11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 validity is INVALID 11:02:17,579 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-9) Assertion expired.
Below is the error message on the screen -
And below is the SAML response from Azure AD -
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client" ID="ID_b1be4149-323d-48cc-b168-2bb80b7f9441" IssueInstant="2021-01-01T05:32:17.181Z" Version="2.0">
<saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
<dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<dsig:Reference URI="#ID_b1be4149-323d-48cc-b168-2bb80b7f9441">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>mjUOWFliMQNyplLPE4/Ft6TxAkWeRi7uR3pYcqLPlQQ=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ZTbyuqYzUuJYH74DMuU3aJZlinj9aP3GjlV7bI2fmzJJANW7/LEDda+qGMQ6x4/yu6LBA6gOLYF3wOqVEH+UQICotl0BUVANzA4rF5fI1oVWedW0KjR6KtgagppHFUJmPteIgiT677VWFVcdJZLlLMs46S+E587r/+jxbaC2c03W2qH1dog07Tw5ajqTcNsOiC1nOjhOj9pIfIERtDaGpLCFzxu+x0nuoMu91bDDjl9evqXvPV6iybmyFQJSCkJMEE37mJKisqeRmaQ+Qiw3nfd35/kivKX60GjhuKC0UYkt2uQEazn5EykxgDnoa7+CHZAYeKnKiCXvTwBxiPjhSQ==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>fSgfAWKE3nBNWMouTUNT3e-rG5UNyqu75SR0-unXWx8</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>MIIClzCCAX8CBgF2kTu+HTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIwMTIyMzIwMTEyMFoXDTMwMTIyMzIwMTMwMFowDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI2ZZ7aZT2Qp3q3b0Ie18HT47IcKWHqxA5UXqSrPltoclTapZUAmwyD7E+Nc8uSlLiKg6BudxuWLjfpnylKCNfcV5IpJp46sOt3kXyui9UGDXZe8HUBeYHdrvVL3mKShnQ1eBFTE4BwRXVSNEOK8i0KyuKeCygIDB1e0vE16oSL1PItDLH8hnQnHvD7IX3hi9QjaYqgwREILdoa3F/Nv4hN1bcXpdTDVkairD0xge1S0E5Y3tBZND36JZExePWuOfw0jM4hvXaT6LLMYHvv6XjjqjJvBRsWVn5C9FlSlzXMI1X4ND7n+y1GLeq2MGKo6z8ADGBDy96gkuLrtLmpU8jMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAZLpjEhBuBDLz/TAZtCubu7+KBbZZCiWb6ymCZvCRDfxd6L+QPnbXxGDJPiEYB6Bpsrdun8N/KbCgKzu9KSlyjSrYTq6UGWz20h+bHumJ0JKYA262fm8o+YHGgAzJi2/liW8e4XeSYQ7t4MLRu7mgTCMAaCQAoWLt+PLVl9mpr+mbIi8ptRCxyGxQsr6b8u1J9tCzur7StSopfQ4kuM6QsooJwocG0HHDwnxmRV9lNmL1ix0u5XRWSECrkKMbdGiE/+P6CCc6T2Ff43myCpDXam6lprTKjftAGj86irevASvxQKJ74julecN2AsZVLlaW4sC4xzqOKxHm7HVuWEznBQ==</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>jZlntplPZCnerdvQh7XwdPjshwpYerEDlRepKs+W2hyVNqllQCbDIPsT41zy5KUuIqDoG53G5YuN+mfKUoI19xXkikmnjqw63eRfK6L1QYNdl7wdQF5gd2u9UveYpKGdDV4EVMTgHBFdVI0Q4ryLQrK4p4LKAgMHV7S8TXqhIvU8i0MsfyGdCce8PshfeGL1CNpiqDBEQgt2hrcX82/iE3Vtxel1MNWRqKsPTGB7VLQTlje0Fk0PfolkTF49a45/DSMziG9dpPossxge+/peOOqMm8FGxZWfkL0WVKXNcwjVfg0Puf7LUYt6rYwYqjrPwAMYEPL3qCS4uu0ualTyMw==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_ab13e885-3b1e-45d5-88ec-edff44a53988" IssueInstant="2021-01-01T05:32:17.180Z" Version="2.0">
<saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2021-01-01T05:37:15.180Z" Recipient="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-01-01T05:32:15.180Z" NotOnOrAfter="2021-01-01T05:33:15.180Z">
<saml:AudienceRestriction>
<saml:Audience>azure-ad-client</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-01-01T05:32:17.181Z" SessionIndex="b6ed36be-e94a-4928-ab6d-2082c4df1cb4::1f136816-2bad-4bd9-bfe0-f16169bf7638" SessionNotOnOrAfter="2021-01-01T15:32:17.181Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
PS - I'm running standalone Keycloak 12.0.1
Solution
The problem was that I had used wrong keycloak realm url as an Entity ID in Azure IDP setup. In short, since I was using https, the port should have been 8443 -
Old Entity ID:
Correct Entity ID:
- Need help getting Azure AD B2C SSO with Azure AD
- Unable to get all users from Microsoft Graph using Python SDK
- Azure AD, AuthenticationTicket Claims
- How to resolve 'invalid hostname for this tenancy' error when accessing Microsoft Graph API for multi-tenant app registration?
- How to get a list of users from azure graph API
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Azure Active Directory passing empty GUID for tenantId with default template
- Sign in to Azure Account from VS Code
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Pulling "On-premises last sync date time" Azure user property using PowerShell
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms