
Basic SAML brokering with keycloak not redirecting back to application


We are moving our application from a traditional database login to keycloak. The old system handled SAML logins on its own, using the python-saml package.

Now, we are trying to get keycloak to do this for us. I'm new to this whole thing.

The basic OID auth process works fine - the web frontend app talks to keycloak, a dialog is shown, and on typing the credentials, the web app gets a bearer token that is used to talk to our backend.

For SAML external IDP based login using keycloak as the broker, I configured it as follows (I am using a private simplesaml server for testing):

  1. I created a SAML 2.0 Identity provider entry on keycloak
  2. Imported the settings from the IDPs metadata XML

Now when I open the web app, it hits the keycloak login page, where keycloak shows this provider alias name (e.g. "samltest") as a button. Clicking that takes me to the simplesaml login page and authenticates.

Then keycloak throws me back to a URL like https://keycloak.mydomain.com/auth/realms/development/broker/samltest/endpoint

where it shows an error "Page not found".

What I expected was that since the IDP has accepted the login, and it's sent back the SAML assertion to keycloak, keycloak should now redirect back to the webpage link as it does on regular non-SAML logins.

I've been bashing my head on this for a while now - I can't figure it out.

How do I go about getting this to work?

Thanks in advance


Solution

  • It's been a while since I last used KeyCloak, but it sounds like you've misconfigured the Assertion Consumer Service.

    Normally when you build a service and you want SAML authentication, you also create a Service Provider Metadata file. It looks like this:

    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2027-03-15T09:42:12Z" cacheDuration="PT604800S" entityID="MyService">
      <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- ... -->
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myservice/some/path/to/acs" index="0"/>
        <!-- ... -->
      </md:SPSSODescriptor>
      <!-- ... -->
    </md:EntityDescriptor>
    

    You can then deploy this file e.g. to ADFS to use it as your Identity Provider.

    The point is, you need to tell the IdP where to send the user after a successful login. In your case it appears to be the wrong URL. I don't know where you set this in KeyCloak specifically, but from a SAML Auth Flow point of view, the behaviour you described matches an incorrect value in the ACS URL.
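    As an added check (example code, not part of the question or answer), the script below parses SP metadata of the shape shown above and verifies that its AssertionConsumerService points at Keycloak's broker endpoint for the IdP alias, using the HTTP-POST binding over https. The hostname, realm "development" and alias "samltest" are taken from the question's URL; the sample metadata is constructed here.

    ```python
    # Added example: verify that SP metadata's ACS URL matches the Keycloak
    # broker endpoint the IdP must post the SAML response to.
    import xml.etree.ElementTree as ET
    from urllib.parse import urlparse

    MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
    HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


    def keycloak_broker_endpoint(base_url, realm, alias):
        """URL where Keycloak expects the IdP to deliver the SAML response for a
        brokered IdP. base_url includes the /auth prefix seen in the question."""
        return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


    def check_acs(sp_metadata_xml, expected_acs):
        """Return a list of problems with the AssertionConsumerService entries;
        [] if at least one entry delivers to expected_acs over HTTP-POST and https."""
        root = ET.fromstring(sp_metadata_xml)
        entries = root.findall(f".//{{{MD_NS}}}AssertionConsumerService")
        if not entries:
            return ["no AssertionConsumerService in SP metadata"]
        problems = []
        for acs in entries:
            loc, binding = acs.get("Location", ""), acs.get("Binding", "")
            found = []
            if urlparse(loc).scheme != "https":
                found.append(f"ACS {loc!r} is not https")
            if loc != expected_acs:
                found.append(f"ACS {loc!r} != expected {expected_acs!r}")
            if binding != HTTP_POST:
                found.append(f"ACS {loc!r} uses binding {binding!r}, not HTTP-POST")
            if not found:
                return []  # one correct entry is enough
            problems.extend(found)
        return problems


    # Constructed sample: ACS points at the service itself instead of Keycloak.
    WRONG_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="MyService">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService Binding="{HTTP_POST}"
            Location="http://myservice/some/path/to/acs" index="0"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>"""

    EXPECTED = keycloak_broker_endpoint("https://keycloak.mydomain.com/auth", "development", "samltest")
    RIGHT_SP_METADATA = WRONG_SP_METADATA.replace("http://myservice/some/path/to/acs", EXPECTED)

    if __name__ == "__main__":
        for name, md in (("wrong", WRONG_SP_METADATA), ("right", RIGHT_SP_METADATA)):
            print(name, check_acs(md, EXPECTED) or "OK")
    ```

    Run it against the SP metadata you handed to the IdP: any reported mismatch means the IdP will deliver the response somewhere other than the broker endpoint Keycloak is listening on.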