sventorben/keycloak-home-idp-discovery

[BUG] Invalid Signature Error with home IDP flow.

Closed this issue · 1 comments

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When logging in with the Home IDP flow, keycloak throws the following error

```
2024-09-04 15:47:12,056 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-14) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
	at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:96)
	at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:756)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:688)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:288)
	at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:193)
	at org.keycloak.broker.saml.SAMLEndpoint$quarkusrestinvoker$postBinding_e2ae3e4e98121b36952f2279cd4bb60100612099.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

2024-09-04 15:47:12,057 WARN [org.keycloak.events] (executor-thread-14) type="IDENTITY_PROVIDER_RESPONSE_ERROR", realmId="35f9766c-1b52-454a-89f8-bb6d7d202ab7", realmName="Portal", clientId="null", userId="null", ipAddress="20.254.25.184", error="invalid_signature"
```

However when logging in to the same IDP with the button on the login page there is no failure.

Expected Behavior

Home IDP login flow works as well as the button flow.

Steps To Reproduce

  1. Configure idp with this config (obscured some data but left as much as I can):

     ```json
     {
       "alias": "example-alias",
       "displayName": "",
       "providerId": "saml",
       "enabled": true,
       "updateProfileFirstLoginMode": "on",
       "trustEmail": true,
       "storeToken": false,
       "addReadTokenRoleOnCreate": false,
       "authenticateByDefault": false,
       "linkOnly": false,
       "firstBrokerLoginFlowAlias": "Only create new users",
       "config": {
         "postBindingLogout": "false",
         "postBindingResponse": "true",
         "home.idp.discovery.domains": "example.com",
         "backchannelSupported": "false",
         "caseSensitiveOriginalUsername": "false",
         "useMetadataDescriptorUrl": "false",
         "loginHint": "true",
         "allowCreate": "true",
         "authnContextComparisonType": "exact",
         "syncMode": "IMPORT",
         "singleSignOnServiceUrl": "sso-url",
         "wantAuthnRequestsSigned": "false",
         "allowedClockSkew": "0",
         "hideOnLoginPage": "false",
         "validateSignature": "true",
         "signingCertificate": "valid-certificate-here",
         "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
         "entityId": "https://example.url:443/realms/Portal",
         "signSpMetadata": "false",
         "wantAssertionsEncrypted": "false",
         "sendClientIdOnLogout": "false",
         "wantAssertionsSigned": "false",
         "sendIdTokenOnLogout": "true",
         "postBindingAuthnRequest": "true",
         "forceAuthn": "false",
         "attributeConsumingServiceIndex": "0",
         "addExtensionsElementWithKeyInfo": "false",
         "principalType": "Subject NameID"
       }
     }
     ```
  2. Try to log in with user@example.com
  3. Attempts to redirect to home idp but presents "Invalid signature in response from identity provider." error on screen and previous error mentioned above in console.
  4. Normal login using the IDP button on the login screen works.

Version

- Keycloak: 25.0.4
- This extension: 25.0.0

Anything else?

Flow configured as shown and bound to browser flow
[two screenshots of the authentication flow configuration]

Resolved this after a good bit of digging.

What was causing my issue was the "pass subject" section of the SAML request. The button on the login page was not passing any subject and therefore did not face any issues. However, when passing a subject via Home IDP, the IDP just failed to know what to do and failed.

The failure looked like this in the saml response:

```xml
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
  </samlp:StatusCode>
  <samlp:StatusMessage>Unable to successfully authenticate the principal.</samlp:StatusMessage>
</samlp:Status>
```

For some reason this was flagged as a "org.keycloak.common.VerificationException: Invalid signature on document".

Note for anyone who finds this, check if you have "pass subject" turned on.
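An added example, not part of this issue or of the extension's code, for anyone triaging the same symptom: before touching certificates, read the `samlp:Status` chain of the IdP's response and check whether the `AuthnRequest` carried a `saml:Subject` (what "pass subject" adds). The two XML documents below are constructed samples shaped like the status block quoted in the comment above; the IdP issuer and the broker endpoint URL are assumptions, not values from the issue.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces for the protocol (samlp) and assertion (saml) elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not a real capture): an IdP error response with the
# Responder -> AuthnFailed status chain from the comment above.
SAMPLE_FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-id" Version="2.0" IssueInstant="2024-09-04T15:47:11Z"
    Destination="https://example.url:443/realms/Portal/broker/example-alias/endpoint">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Unable to successfully authenticate the principal.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: the status block of a successful response (assertion omitted,
# since only the status is inspected here).
SAMPLE_SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-ok-id" Version="2.0" IssueInstant="2024-09-04T15:47:11Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: an AuthnRequest that carries a Subject, as sent when the
# home IdP discovery authenticator forwards the entered e-mail address.
SAMPLE_REQUEST_WITH_SUBJECT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2024-09-04T15:47:10Z">
  <saml:Issuer>https://example.url:443/realms/Portal</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def saml_status(response_xml: str) -> dict:
    """Return the status chain of a SAML Response: top-level StatusCode, the
    nested second-level StatusCode if present, the StatusMessage, and a
    success flag. For XML from an untrusted party prefer defusedxml over
    the stdlib parser used here on constructed input."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in response")
    top = status.find("samlp:StatusCode", NS)
    if top is None:
        raise ValueError("samlp:Status without a StatusCode")
    nested = top.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    return {
        "code": top.get("Value"),
        "subcode": nested.get("Value") if nested is not None else None,
        "message": msg.text if msg is not None else None,
        "success": top.get("Value") == SUCCESS,
    }


def authn_request_subject(request_xml: str) -> Optional[str]:
    """Return the NameID value when the AuthnRequest carries a saml:Subject
    (i.e. "pass subject" is on), otherwise None."""
    root = ET.fromstring(request_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None


def triage(response_xml: str) -> str:
    """One-line verdict separating 'the IdP refused to authenticate' from
    'the response was fine, so look at signature/certificate settings'."""
    s = saml_status(response_xml)
    if s["success"]:
        return "status Success: if validation still fails, inspect the signing certificate"
    return f"IdP reported failure {s['code']} / {s['subcode']}: {s['message']}"


if __name__ == "__main__":
    print(triage(SAMPLE_FAILED_RESPONSE))
    print("request carries Subject:", authn_request_subject(SAMPLE_REQUEST_WITH_SUBJECT))
```

Run against a decoded `SAMLResponse` taken from the browser's POST to the broker endpoint (or from a debug log), a non-Success status chain tells you the IdP rejected the login regardless of what the broker then reports; a Success status with the same "Invalid signature" error points at the certificate or signature settings instead.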