SAML logout fails in Keycloak
We are moving from Spring Security SAML to using Keycloak as a SAML broker. First I configured the IdP in Keycloak by importing the IdP metadata XML from our identity provider. This causes the Service Provider Entity ID to become https://saml.test-nemlog-in.dk/, and after login I get the following error from the IdP:

The entity ID https://saml.test-nemlog-in.dk/ could not be found

I believe the wrong value is being used, because it has to be the SP entityId (https://our.address.com). When I change the Service Provider Entity ID to our entityId, login works fine.

With login working as above, when I now log out from the third party I am redirected to our SP with a LogoutRequest (as expected). The Destination is correct and the Issuer is also correct:
<LogoutRequest
    Destination="https://our.address.com/auth/realms/saml-broker-realm/protocol/saml"
    ID="..." IssueInstant="..." NotOnOrAfter="..." Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.test-nemlog-in.dk/</Issuer>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">....</NameID>
  <SessionIndex>....</SessionIndex>
</LogoutRequest>
I know that in the IdP configuration in Keycloak the entityId is set to https://our.address.com, but that is the address that appears in the Service Provider Entity ID field, and if I change it to the IdP entityId, login does not work.

Am I missing something? Perhaps there is something in the Keycloak configuration I have overlooked.

Below is the IdP configuration exported from Keycloak:
"identityProviders": [
  {
    "alias": "NemLog-in",
    "displayName": "NemLog-in",
    "internalId": "",
    "providerId": "saml",
    "enabled": true,
    "updateProfileFirstLoginMode": "on",
    "trustEmail": false,
    "storeToken": false,
    "addReadTokenRoleOnCreate": false,
    "authenticateByDefault": false,
    "linkOnly": false,
    "firstBrokerLoginFlowAlias": "Simple browser flow",
    "config": {
      "validateSignature": "true",
      "signingCertificate": "",
      "postBindingLogout": "false",
      "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
      "postBindingResponse": "true",
      "singleLogoutServiceUrl": "https://login.test-nemlog-in.dk/adfs/ls/",
      "entityId": "https://our.address.com",
      "signatureAlgorithm": "RSA_SHA256",
      "wantAssertionsEncrypted": "false",
      "xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
      "useJwksUrl": "true",
      "loginHint": "false",
      "authnContextComparisonType": "exact",
      "postBindingAuthnRequest": "false",
      "syncMode": "IMPORT",
      "singleSignOnServiceUrl": "https://login.test-nemlog-in.dk/adfs/ls/",
      "wantAuthnRequestsSigned": "true",
      "addExtensionsElementWithKeyInfo": "false",
      "encryptionPublicKey": "",
      "principalType": "SUBJECT"
    }
  }
]
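As a diagnostic for the situation described in the question, the following is an added example (not code from the question or from Keycloak) that parses the inbound LogoutRequest and compares its Issuer, Destination and validity window with the exported broker config; the timestamps, NameID and session values are constructed placeholders for the fields the poster redacted, and the IdP entity ID is assumed to be the Issuer value shown above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the LogoutRequest from the question, with placeholders where the poster wrote "...".
LOGOUT_REQUEST = """<LogoutRequest
  Destination="https://our.address.com/auth/realms/saml-broker-realm/protocol/saml"
  ID="_placeholder-id" IssueInstant="2020-01-01T12:00:00Z"
  NotOnOrAfter="2020-01-01T12:05:00Z" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.test-nemlog-in.dk/</Issuer>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">CN=placeholder</NameID>
  <SessionIndex>_placeholder-session</SessionIndex>
</LogoutRequest>"""

# Constructed: the one key of the exported IdP config that matters here. In Keycloak's SAML
# broker config, "entityId" is the entity ID Keycloak presents as the *service provider*.
IDP_CONFIG = {"entityId": "https://our.address.com"}
SAMPLE_NOW = datetime(2020, 1, 1, 12, 1, tzinfo=timezone.utc)  # inside the sample's validity window

def check_logout_request(xml_text, config, idp_entity_id, expected_destination, now):
    """Return a list of findings; an empty list means the request is consistent with the config."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = (root.findtext("a:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} is not the IdP entity ID {idp_entity_id!r}")
    if issuer == config["entityId"]:
        findings.append("Issuer equals the configured SP entityId: the IdP's entity ID was "
                        "probably left in the Service Provider Entity ID field")
    if root.get("Destination") != expected_destination:
        findings.append(f"Destination {root.get('Destination')!r} is not the broker endpoint")
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after:  # SAML timestamps are UTC, e.g. 2020-01-01T12:05:00Z
        limit = datetime.fromisoformat(not_on_or_after.rstrip("Z")).replace(tzinfo=timezone.utc)
        if now >= limit:
            findings.append("LogoutRequest has expired (NotOnOrAfter is in the past)")
    return findings

def diagnose(config=IDP_CONFIG, idp_entity_id="https://saml.test-nemlog-in.dk/", now=None):
    """Run the checks on the sample request against the question's broker endpoint."""
    return check_logout_request(
        LOGOUT_REQUEST, config, idp_entity_id,
        "https://our.address.com/auth/realms/saml-broker-realm/protocol/saml",
        now or datetime.now(timezone.utc))
```

Running `diagnose()` against a config whose entityId is the IdP's own entity ID (the value the metadata import filled in) reports the mix-up; against the corrected config it reports nothing.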