subspacecommunity/subspace

Invalid Metadata File (SSO with Keycloak)

marticanyelles opened this issue · 8 comments

Hi, I'm trying to configure the SSO subspace using Keycloak as IDP. I have not been able to find information about how the Metadata format requested by the Subspace should be. After configuring the SAML client, Keycloak provides some Metadata formats to insert into the application, but putting them in the Subspace returns an "Error, please try again". I finally tried to build the Metadata myself and the redirection works well by clicking the SSO login button. However, when I save, Subspace returns an "Invalid, please try again" and an error message can also be seen in the application logs.

Has anyone found themselves in a similar situation? What is the format of your Metadata file?
Thank you so much

The Metadata I'm using is the following one (with changed URLs and certificate):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://MY_KEYCLOAK_URL:8443/auth/realms/master" validUntil="2022-04-18T10:12:14.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>THE_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Could you provide some steps for me to setup Keycloak for myself so I could test this?

Once Keycloak is installed, you have to go to the client tab and create a new one. Next, you need to select the SAML option in the "Client Protocol" section and enter a "Client ID" name. Then you can click save and the client configuration tab will open.

My configuration is:

  • I set the variable "Name ID Format" to "username".
  • In the variable "Master SAML Processing URL", I set the ACS URL given to you by the subspace.
  • I set the variable "IDP Initiated SSO URL Name" to the value of "wireguard". After this step, Keycloak suggests the "Target IDP initiated SSO URL", which you should put in the "Base URL" variable.

After that you can go to the SAML KEYS tab and see the key and certificate and build your metadata to do the testing. The Installation tab creates metadata files for you, but the format is not correct for Subspace. From the tests I've been able to do, there seems to be a problem with the Keycloak keys, I've tried to validate the key and the certificate with an online website, and it says they're not correct. I tried regenerating the keys and the same thing happens. I also tried to import the keys, but I couldn't.

@marticanyelles do I need an https domain for it?

Yes, I think so

Hi,
I solved the problem. The metadata structure was fine, I made two mistakes:

  • The certificate used for the Subspace must be the realm certificate, not the client one created in Keycloak.
  • The Client ID variable must have the value of the Entity ID URL provided by Subspace. Unlike OpenID Connect, where it can have any (but unique) value.
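A small structural checker for IdP metadata of the shape posted in the opening comment, added here as an example (it is not Subspace's own validation code, which this thread does not show): it reports the things that typically make an uploaded file "invalid", such as an expired validUntil, a signing certificate that is not base64 DER, a missing SingleSignOnService binding, or SP metadata pasted where IdP metadata is expected. The sample metadata, the keycloak.example host and CHECK_TIME are constructed; the check cannot tell the client certificate from the realm certificate, that still needs comparing against the realm's SAML keys.

```python
import base64
import xml.etree.ElementTree as ET  # for metadata from untrusted sources prefer defusedxml.ElementTree
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed sample modelled on the metadata in the opening post; the certificate is the same
# placeholder text, not a real Keycloak realm certificate, so the checker is expected to flag it.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.example:8443/auth/realms/master"
    validUntil="2022-04-18T10:12:14.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>THE_CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
CHECK_TIME = datetime(2022, 5, 1, tzinfo=timezone.utc)  # constructed "now", after the sample's validUntil


def check_idp_metadata(xml_text, now=None):
    """Return the list of problems found in SAML IdP metadata; an empty list means it looks sane."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root is {root.tag}, expected md:EntityDescriptor"]
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        problems.append(f"metadata expired at {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor (is this SP metadata instead of IdP metadata?)"]
    # The SP verifies IdP signatures with these certificates; a KeyDescriptor without "use" counts as signing.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        problems.append("no signing X509Certificate")
    for cert in certs:
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der or der[0] != 0x30:  # every DER-encoded X.509 certificate starts with a SEQUENCE tag
                raise ValueError("decoded data is not a DER certificate")
        except ValueError as exc:  # binascii.Error from b64decode is a ValueError subclass
            problems.append(f"X509Certificate is not base64 DER: {exc}")
    if not any(s.get("Binding") in SSO_BINDINGS for s in idp.findall("md:SingleSignOnService", NS)):
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    return problems
```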

Hmmm, that would be interesting to add to the documentation somehow. What do you think @agonbar? Or is it out of scope to document specifics from IdPs?

@marticanyelles sorry I didn't have much time to help you with this, but I am glad you found an answer by yourself. Do you think we could on our part make things clearer for the user somehow? So that others don't go through the same trouble.

@gchamon
Thank you for trying to help me! I think it would be nice to have an example of the metadata structure in the documentation. In addition, I don't know if you want to have specific information for each IDP, but Keycloak is being used more and more, so it could be useful.