subspacecommunity/subspace

Guidance needed, SAML and keycloak

j3ffrw opened this issue · 1 comment

Hi, somewhat related to #184. After following the suggestions by @marticanyelles, subspace accepted the metadata, but upon actual usage I'm getting strange behaviour using SSO. Here are the steps I've taken:

  1. Visit my_subspace.com domain.
  2. Press Sign in with "Company".
  3. Sign in with a user created in keycloak.
  4. Got redirected to https://my_subspace.com/saml/metadata, which then offered me to download a metadata file.

What could I be missing in my configuration? Also, what is the expected behaviour in subspace once I get authenticated?

Here's the downloaded metadata file, with the domain and certs replaced:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-08-11T19:41:38.682Z" entityID="https://my_subspace.com/saml/metadata">
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-08-11T19:41:38.682369743Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>THE_CERTIFICATE</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>THE_CERTIFICATE</X509Certificate>
        </X509Data>
      </KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my_subspace.com/saml/slo" ResponseLocation="https://my_subspace.com/saml/slo"></SingleLogoutService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my_subspace.com/saml/acs" index="1"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>

Closing this one; it was a misconfiguration wherein, instead of using the ACS URL, I used the Entity ID in the "Master SAML Processing URL" field.
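A small consistency check for the mistake described in the closing comment, as an added example (not code from the subspace project or from the issue author): it parses SP metadata like the one posted above and reports when the URL configured on the IdP side is the SP entityID rather than the AssertionConsumerService Location, which is exactly the case where the IdP would POST the SAML Response to the metadata endpoint and the user ends up with a metadata download. It also flags a non-https URL, an SP that does not require signed assertions, and expired metadata. The sample metadata, the function names and the `now` parameter are constructed for this example.

```python
"""Sanity checks for SAML SP metadata and the URL configured on the IdP side.

Added example, not part of subspace or of the issue. SAMPLE_METADATA is a
constructed copy of the metadata posted in the issue (certificate placeholder kept).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2021-08-11T19:41:38.682Z" entityID="https://my_subspace.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>THE_CERTIFICATE</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my_subspace.com/saml/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my_subspace.com/saml/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def _parse_utc(ts):
    """Parse a validUntil timestamp such as 2021-08-11T19:41:38.682Z, ignoring fractions."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP administrator needs from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag!r}; check the xmlns")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_urls = [
        e.get("Location")
        for e in sp.findall(f"{{{MD}}}AssertionConsumerService")
        if e.get("Binding") == HTTP_POST
    ]
    slo = sp.find(f"{{{MD}}}SingleLogoutService")
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": acs_urls,
        "slo_url": slo.get("Location") if slo is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "valid_until": _parse_utc(valid_until) if valid_until else None,
    }


def check_idp_processing_url(xml_text, configured_url, now=None):
    """Return a list of problems; an empty list means the IdP-side URL matches the SP.

    `now` may be an ISO timestamp string (for reproducible checks) or None for wall clock.
    """
    info = parse_sp_metadata(xml_text)
    now = _parse_utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    if configured_url == info["entity_id"]:
        problems.append(
            "configured URL is the SP entityID, not an AssertionConsumerService URL; "
            "the IdP would POST the SAML Response to the metadata endpoint, so the SP "
            "serves its metadata file instead of consuming the assertion"
        )
    elif configured_url not in info["acs_urls"]:
        problems.append(f"configured URL matches no HTTP-POST ACS Location: {info['acs_urls']}")
    if urlparse(configured_url).scheme != "https":
        problems.append("configured URL is not https; the signed assertion would travel in clear")
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions; set WantAssertionsSigned=true")
    if info["valid_until"] is not None and info["valid_until"] < now:
        problems.append(f"SP metadata expired at {info['valid_until'].isoformat()}; re-fetch it")
    return problems


if __name__ == "__main__":
    # The misconfiguration from the issue, then the corrected setting.
    for url in ("https://my_subspace.com/saml/metadata", "https://my_subspace.com/saml/acs"):
        print(url, "->", check_idp_processing_url(SAMPLE_METADATA, url) or "ok")
```

Run it against the metadata your SP actually serves (the file subspace offered for download is that document) and against the value you typed into Keycloak's "Master SAML Processing URL"; the first problem it reports for the entityID case is the symptom described in the issue.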