keycloak metadata not recognised by Lightsaml
quenenni opened this issue · 0 comments
Going on with my configuration (#4), I wanted to find a way to use your test.sh script.
I discovered that the Idp_metadata.xml file from my keycloak was considered malformed by LightSaml.
From Keycloak, the first 3 lines (lines 2 & 3 are the problem) are:
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<EntityDescriptor entityID="https://my.keycloak/auth/realms/test_saml">
The error was in the file "vendor/lightsaml/lightsaml/src/LightSaml/Model/Metadata/EntityDescriptor.php" at line 66:
$ed->deserialize($context->getDocument(), $context);
with the msg:
Expected 'EntityDescriptor' xml node and 'urn:oasis:names:tc:SAML:2.0:metadata' namespace but got node 'EntitiesDescriptor' and namespace 'urn:oasis:names:tc:SAML:2.0:metadata'
I manually modified my idp_metadata.xml file to merge the first 3 lines into 2 lines like this:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://my.keycloak/auth/realms/test_saml">
And now it's working.
It seems Keycloak accepts having several EntityDescriptor elements under the parent node EntitiesDescriptor, but LightSaml only accepts 1 entity.
Is the problem in the metadata from Keycloak or from the LightSaml library?
Thanks
Maybe this will interest other people, so this is what I did to make it work.
I had to modify the test.sh script and the pam-script-saml.php file.
- In test.env:
ITERATIONS=3
IDP_METADATA=/etc/sogo/idp-metadata.xml
TRUSTED_SP=https://my.sogo.host/SOGo/saml2-metadata
- In test.sh, I had to comment out the exit command that tests the existence of params (line 15):
# exit 2
And I also had to change the way it puts the idp metadata into the temporary file (line 19):
IDP_METADATA_FILE=$(mktemp)
IDP_METADATA_CONTENT=$(cat "$IDP_METADATA")
echo "$IDP_METADATA_CONTENT" | tr -d '\r' > "${IDP_METADATA_FILE}"
- In pam-script-saml.php, I added this after "include 'vendor/autoload.php';":
$_SERVER['PAM_TYPE']='auth';
$_SERVER['PAM_USER']='my.login.mail@my.host';
$_SERVER['PAM_RHOST']='127.0.0.1';
$_SERVER['PAM_AUTHTOK']="<the saml_response token sent by keycloak / very long (> 9000 chars for me)>";
Concerning the PAM_AUTHTOK param, after having base64_decoded it, the code tries to gzuncompress it, but the response token I'm using is not compressed after being decoded. So I changed the line
$xml = @gzuncompress($xmlSrc);
to
$xml = $xmlSrc;
I'm not sure I understand the uncompress part, as what I put in the PAM_AUTHTOK var is the exact value of the saml_response param that is used in the request to SOGo.
And that was it.
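For the EntitiesDescriptor problem described above, here is an added example (not code from the issue, from pam-script-saml or from LightSaml) that selects the one EntityDescriptor matching the expected entityID out of Keycloak's EntitiesDescriptor wrapper and re-roots it before handing it to LightSaml, instead of editing idp_metadata.xml by hand. It assumes lightsaml/lightsaml is installed via Composer and that `EntityDescriptor::loadXml()` is the loader that ends in the `$ed->deserialize()` call quoted in the issue; the entityID is the one from the issue.

```php
<?php
// Added example: pick a single <EntityDescriptor> out of a Keycloak
// <EntitiesDescriptor> by entityID and load it with LightSaml.
require 'vendor/autoload.php';

use LightSaml\Model\Metadata\EntityDescriptor;

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

function loadIdpEntityDescriptor(string $xml, string $expectedEntityId): EntityDescriptor
{
    $doc = new DOMDocument();
    // LIBXML_NONET: metadata is parsed as plain XML, no network fetches.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('idp metadata is not well-formed XML');
    }
    $root = $doc->documentElement;
    if ($root === null || $root->namespaceURI !== MD_NS) {
        throw new RuntimeException('root element is not SAML 2.0 metadata');
    }
    if ($root->localName === 'EntityDescriptor') {
        $candidates = [$root];                       // already a single entity
    } elseif ($root->localName === 'EntitiesDescriptor') {
        $candidates = iterator_to_array($root->getElementsByTagNameNS(MD_NS, 'EntityDescriptor'));
    } else {
        throw new RuntimeException("unexpected root element '{$root->localName}'");
    }
    // Select by entityID rather than taking the first entity in the aggregate:
    // an EntitiesDescriptor may list several IdPs, and only the expected one
    // should ever be trusted to sign responses.
    $matches = array_values(array_filter(
        $candidates,
        fn (DOMElement $el) => $el->getAttribute('entityID') === $expectedEntityId
    ));
    if (count($matches) !== 1) {
        throw new RuntimeException(sprintf(
            'expected exactly one EntityDescriptor for %s, found %d', $expectedEntityId, count($matches)
        ));
    }
    // Re-root: EntityDescriptor::deserialize() requires the document element
    // itself to be <EntityDescriptor>, which is exactly the error in the issue.
    // (If the outer EntitiesDescriptor were signed, that signature would not
    // cover the re-rooted copy; verify it before extracting.)
    $single = new DOMDocument('1.0', 'UTF-8');
    $single->appendChild($single->importNode($matches[0], true));
    return EntityDescriptor::loadXml($single->saveXML());
}

// Usage with the paths/IDs from the issue (assumed):
$ed = loadIdpEntityDescriptor(file_get_contents('/etc/sogo/idp-metadata.xml'),
                              'https://my.keycloak/auth/realms/test_saml');
```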