Tags: cookies, keycloak, saml, saml-2.0, idp

Why is Keycloak resulting in "Cookie not found" error after IDP initiated login?


I am setting up IDP-initiated authentication from ServiceA to my application using Keycloak. So far, I have provided all the configuration required by ServiceA, and I have also configured a SAML Identity Provider in Keycloak with the appropriate values received from ServiceA.

The Issue: When I click on the application icon on the ServiceA portal, the flow initiates as expected. I receive a SAML response with status Success, the Destination attribute URL value matches the Assertion Consumer Service endpoint value configured on ServiceA, the Audience is OK as well, but after being redirected to Keycloak, I encounter an error saying:

We are sorry... Cookie not found. Please make sure cookies are enabled in your browser.

Here is the message from the Keycloak logs: type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=XX.XXX.XXX.XXX, error=cookie_not_found

And this is what Devtools in Firefox says: Cookie “KC_STATE_CHECKER” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None” attribute to it.

Keycloak version: 22.0.1. In this version there is no option to do any configuration related to the cookies (at least from the UI and REST API point of view).

Questions:

  1. Why does Keycloak struggle to find the KC_STATE_CHECKER cookie in this flow?
  2. Can I somehow ensure that the SameSite=None attribute is properly added to Keycloak cookies?
  3. Are there some additional configurations that need to be done on Keycloak or on ServiceA?

Thank you for your answers.

I re-checked all the URLs (both on ServiceA and in my Keycloak configuration). I even contacted ServiceA support to provide me with the SAML metadata descriptor so I don't have to copy the URLs and other parameters. I also enabled DEBUG and TRACE logs in Keycloak but I haven't found anything useful there. I tried different browsers, incognito modes, clearing cookies and all that stuff. I also tried removing https:// and the path in the Audience section as I read somewhere it might cause issues, but it also didn't help. Also, the guys from support confirmed that my configuration is OK, but of course they can't help me if the problem is on my side (Keycloak). They even checked the SAML response that I receive after clicking the application icon on the ServiceA portal, and they confirmed that the response is correct and valid. Of course, apart from all of this, I don't even have to mention the days spent googling, reading similar issues on the Keycloak GitHub page, and even reading the Keycloak source code.


Solution

  • Solved!

    Things I had to do:

    • Create SAML client
    • Add IDP-Initiated SSO URL name
    • Set Assertion Consumer Service Post Binding URL

    Breakthrough:

    When creating the client, the Client ID must match the Issuer value sent in the AuthNRequest, because Keycloak pulls the issuer from the SAML AuthnRequest and matches it to a client by this value.

    The next thing that needs to be done is to set the IDP-Initiated SSO URL name. Leaving this blank will disable the IDP-initiated flow. The target URL that you need to reference from your browser will be in the following format:

    • server-root/realms/{realm}/protocol/saml/clients/{client-url-name}

    The target Identity Provider (IdP)-initiated SSO URL is the Assertion Consumer Service (ACS) endpoint of your application. This is the endpoint where the service you're integrating with, acting as the IdP, sends the SAML assertion after authenticating the user. This URL must be registered with the service you're integrating with as part of the SAML integration, ensuring that SAML assertions are securely and correctly routed to your application.

    Next, under the Advanced tab, we need to set the Assertion Consumer Service POST Binding URL. This should be the URL of your backend application that just does the redirect to your frontend application. In my case in particular, I configured this endpoint on the Ingress in such a way that it does a Permanent Redirect (301) to my frontend application (whenever it matches the https://myapp.com/saml-continue URL). However, it is also possible just to open a simple endpoint in your backend server which will do the redirect to the frontend.
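The three settings from the answer above, as an added example that is not part of the original post or of Keycloak's own code: it builds the SAML client representation that the Keycloak admin REST API (`POST /admin/realms/{realm}/clients`) accepts, derives the IdP-initiated SSO URL from it, checks that the Issuer carried in a captured SAML message really equals the configured Client ID (the point the answer calls the breakthrough), and provides a minimal WSGI handler for the ACS POST Binding URL that only redirects to the frontend. The realm name, issuer, hostnames, URL name and the sample AuthnRequest are assumptions made up for illustration; the attribute keys `saml_idp_initiated_sso_url_name` and `saml_assertion_consumer_url_post` are the ones Keycloak uses for these two fields.

```python
"""Added example (not from the original post or from Keycloak).

Assumed values: realm "myrealm", issuer "https://servicea.example/sp",
Keycloak at https://kc.example, frontend at https://myapp.com/.
"""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_saml_client(issuer: str, url_name: str, acs_post_url: str) -> dict:
    """Client representation for POST /admin/realms/{realm}/clients.

    issuer       -> clientId: must equal the <saml:Issuer> of the incoming message,
                    because Keycloak resolves the client by that value.
    url_name     -> IDP-Initiated SSO URL name; blank disables the IdP-initiated flow,
                    so refuse it here instead of silently creating a dead client.
    acs_post_url -> Assertion Consumer Service POST Binding URL (Advanced tab).
    """
    if not url_name.strip():
        raise ValueError("IDP-Initiated SSO URL name must not be blank")
    return {
        "clientId": issuer,
        "protocol": "saml",
        "enabled": True,
        "attributes": {
            "saml_idp_initiated_sso_url_name": url_name,
            "saml_assertion_consumer_url_post": acs_post_url,
        },
    }


def idp_initiated_sso_url(server_root: str, realm: str, url_name: str) -> str:
    """server-root/realms/{realm}/protocol/saml/clients/{client-url-name}"""
    return (f"{server_root.rstrip('/')}/realms/{quote(realm, safe='')}"
            f"/protocol/saml/clients/{quote(url_name, safe='')}")


def saml_issuer(saml_message_b64: str) -> str:
    """Extract <saml:Issuer> from a base64-encoded SAMLRequest/SAMLResponse as sent
    with the POST binding (the Redirect binding additionally deflates the payload,
    which is not handled here). Use defusedxml for untrusted input in production;
    the stdlib parser still expands internal entities.
    """
    root = ET.fromstring(base64.b64decode(saml_message_b64))
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML message has no Issuer element")
    return issuer.text.strip()


def issuer_matches_client(saml_message_b64: str, client: dict) -> bool:
    """The check to run on a captured message before blaming cookies: if this is
    False, Keycloak will not find the client for the message at all."""
    return saml_issuer(saml_message_b64) == client["clientId"]


def acs_redirect_app(frontend_url: str):
    """WSGI app for the ACS POST Binding URL: accept the SAML POST and send the
    browser to the frontend. The post used a 301 on the ingress; 303 is the status
    code defined for turning a POST into a GET at the new location."""
    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        start_response("303 See Other", [("Location", frontend_url)])
        return [b""]
    return app


# Constructed sample AuthnRequest (not a real capture); only the Issuer matters here.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-id" Version="2.0" IssueInstant="2023-08-01T00:00:00Z"
  AssertionConsumerServiceURL="https://myapp.com/saml-continue">
  <saml:Issuer>https://servicea.example/sp</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_AUTHN_REQUEST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()


if __name__ == "__main__":
    client = build_saml_client("https://servicea.example/sp", "servicea",
                               "https://myapp.com/saml-continue")
    print(json.dumps(client, indent=2))
    print(idp_initiated_sso_url("https://kc.example", "myrealm", "servicea"))
    print("issuer matches clientId:",
          issuer_matches_client(SAMPLE_AUTHN_REQUEST_B64, client))
```

To apply the representation against a live server, send it with an admin bearer token to `https://kc.example/admin/realms/myrealm/clients`; the script itself runs offline against the constructed message.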