Guidance needed, SAML and keycloak
j3ffrw opened this issue · 1 comments
j3ffrw commented
Hi, somewhat related to #184: after following the suggestions by @marticanyelles, subspace accepted the metadata, but upon actual usage I'm getting a strange behaviour using SSO. Here are the steps I've taken:
- Visit my_subspace.com domain.
- Press Sign in with "Company".
- Sign in with a user created in keycloak
- Got redirected to https://my_subspace.com/saml/metadata which then offered me to download a metadata file.
What could I be missing in my configuration? Also, what is the expected behaviour in subspace once I get authenticated?
Here's the metadata file downloaded, with the domain and certs replaced:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-08-11T19:41:38.682Z" entityID="https://my_subspace.com/saml/metadata">
<SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-08-11T19:41:38.682369743Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>THE_CERTIFICATE</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>THE_CERTIFICATE</X509Certificate>
</X509Data>
</KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my_subspace.com/saml/slo" ResponseLocation="https://my_subspace.com/saml/slo"></SingleLogoutService>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my_subspace.com/saml/acs" index="1"></AssertionConsumerService>
</SPSSODescriptor>
</EntityDescriptor>
j3ffrw commented
Closing this one; it was a misconfiguration wherein, instead of using the ACS URL, I used the Entity Id in the "Master SAML Processing URL" field.
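One way to catch this kind of mismatch before walking through the login flow is to parse the SP metadata and compare it with what was typed into the IdP client. The script below is an added example and is not code from the issue, from subspace or from Keycloak: it extracts the entityID, ACS and SLO endpoints and signing certificate from the metadata, then flags the exact mistake described above (the response-processing URL set to the entityID, which here is the metadata endpoint, so the IdP posts the SAML Response there and the browser ends up downloading metadata). `SAMPLE_METADATA` is a constructed, trimmed copy of the metadata posted in the issue; `check_keycloak_client` and its parameter names are illustrative assumptions, as is the premise that Keycloak's Client ID for a SAML client should equal the SP entityID.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed copy of the SP metadata from the issue,
# placeholder certificate included.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2021-08-11T19:41:38.682Z" entityID="https://my_subspace.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>THE_CERTIFICATE</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my_subspace.com/saml/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my_subspace.com/saml/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the values an IdP administrator has to copy into the IdP client."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected md:EntityDescriptor, got %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "index": int(e.get("index", "0"))}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    slo = [
        {"binding": e.get("Binding"), "location": e.get("Location")}
        for e in sp.findall("md:SingleLogoutService", NS)
    ]
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" may serve both purposes; treat it as signing.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append((c.text or "").strip())

    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "acs": sorted(acs, key=lambda a: a["index"]),
        "slo": slo,
        "signing_certs": certs,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }


def check_keycloak_client(info, client_id, master_saml_processing_url):
    """Compare hypothetical Keycloak SAML client settings against the parsed
    SP metadata and return a list of human-readable findings (empty = OK)."""
    findings = []
    acs_locations = {a["location"] for a in info["acs"]}
    if not acs_locations:
        findings.append("metadata lists no AssertionConsumerService")

    # The mistake from the issue: the IdP posts the SAML Response to this URL,
    # so it must be an ACS Location, not the entityID.
    if master_saml_processing_url == info["entity_id"]:
        findings.append(
            "Master SAML Processing URL is the entityID; use an ACS Location: %s"
            % ", ".join(sorted(acs_locations)))
    elif master_saml_processing_url not in acs_locations:
        findings.append(
            "Master SAML Processing URL %s is not an ACS Location in the metadata"
            % master_saml_processing_url)

    # Assumption: Keycloak matches the AuthnRequest Issuer against the Client ID,
    # so the Client ID has to be the SP entityID.
    if client_id != info["entity_id"]:
        findings.append("Client ID %s does not match entityID %s"
                        % (client_id, info["entity_id"]))

    if not info["want_assertions_signed"]:
        findings.append("SP does not require signed assertions")
    if not info["signing_certs"]:
        findings.append("no signing certificate in metadata")
    return findings


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    for f in check_keycloak_client(info, info["entity_id"], info["entity_id"]):
        print("finding:", f)
```

Running it with the entityID in both fields reproduces the issue's misconfiguration as a single finding; passing the `/saml/acs` Location instead returns no findings. The same parser can be pointed at any SP metadata document, since it only relies on the standard `md:` and `ds:` namespaces.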