So I’ve been testing out the new ‘IDP as a factor’ functionality and for testing purposes, I was able to configure another IDP to act as a factor.
However, I’m now trying a different IDP (Keycloak) and while I can get the SAML flow to work properly, it always fails at the final step when the SAML assertion is sent back to Okta.
The only thing in the System log is “Unable to validate incoming SAML Assertion”.
I’ve looked at the assertion in SAML tracer, and it seems like it’s good. And I’ve double-checked that both sides agree on the certificate, signing algo, etc.
Tried it myself and had to spend some time trying to figure out why I see the same error. Turned out that my username in Okta has some uppercase letters, while the username in the assertion was sent all lowercase. Check if you may have the same issue.
And the non-working IDP is asserting saml:Subject:
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john+test@xxx.xx</saml:NameID>
Does this IdP work for you if you configure it for SSO and try to login as that external user? Just want to eliminate obvious things like certificate/issuer…
There’s a bit of back and forth to get the certs to match properly, but once that’s done:
In Okta:
IdP Issuer: http://[host]/auth/realms/[realmname]
IdP Single Sign-On URL: http://[host]/auth/realms/[realmname]/protocol/saml
HTTP Post Binding: ON
Request Signature: ON
Validation: Request or Assertion
SHA-256 (because it’s better)
Destination: http://[host]/auth/realms/[realmname]/protocol/saml
ACS URL: to Organization
From there, export the metadata and import it as a new client in Keycloak:
The client ID will be set correctly
Include AuthN statement: ON
Sign Documents: ON
Signature algorithm: RSA_SHA256
SAML signature key name: KEY_ID
Client Signature required: ON
Force POST binding: ON
NameID format: (whatever was set in Okta)
Valid Redirect URI, Master SAML Processing URL, ACS POST: all set to https://[your Okta tenant]/sso/saml2
Make sure the NameIDs match exactly in the request and response and make sure your Realmname doesn’t have any spaces in it.
I suspect something odd happened with the cert exchange. But once I did a pattern of: Export to Okta. Configure Okta ahead of configuring the client, export metadata, import as new client into Keycloak and tweak, it worked a charm.
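Because Okta only reports the generic “Unable to validate incoming SAML Assertion”, it helps to check the fields Okta matches on before touching certificates again. The script below is an added example (not code from this thread, Okta or Keycloak): it parses a SAML Response captured from SAML tracer and reports mismatches in Issuer, Destination, Audience, NameID format and NameID value against what the Okta IdP is configured with. The sample response and the EXPECTED settings (hosts, realm, ACS URL, username) are constructed placeholders; the lowercase NameID versus mixed-case Okta username reproduces the case problem found above. Signature verification is deliberately out of scope, since that part is already checked on both sides.

```python
"""Pre-flight consistency check for a SAML Response sent to Okta.

Added example (not from the thread, Okta or Keycloak). It flags the
mismatches that commonly surface as "Unable to validate incoming SAML
Assertion": Issuer, Destination, Audience, NameID format and NameID
value (including a case-only difference). XML signatures are not checked.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: hosts, realm, ACS URL and usernames are
# placeholders, not real tenants. The NameID is all lowercase while the
# Okta username below is mixed case, mirroring the problem in the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://example.okta.com/sso/saml2/0oaEXAMPLE" ID="_r1" Version="2.0">
  <saml:Issuer>http://idp.example/auth/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john+test@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.okta.com/sso/saml2/0oaEXAMPLE</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical values as configured on the Okta IdP-as-a-factor side.
EXPECTED = {
    "issuer": "http://idp.example/auth/realms/demo",
    "destination": "https://example.okta.com/sso/saml2/0oaEXAMPLE",
    "audience": "https://example.okta.com/sso/saml2/0oaEXAMPLE",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "username": "John+Test@example.com",
}


def _text(element):
    """Stripped text of an element, or '' when the element is missing."""
    return (element.text or "").strip() if element is not None else ""


def check_response(xml_text, expected):
    """Return a list of human-readable mismatches (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in the Response (encrypted assertion?)"]

    # Both the Response-level and Assertion-level Issuer must equal the
    # IdP Issuer configured in Okta, byte for byte (no trailing slash games).
    for where, el in (("Response", root.find("saml:Issuer", NS)),
                      ("Assertion", assertion.find("saml:Issuer", NS))):
        issuer = _text(el)
        if issuer != expected["issuer"]:
            problems.append(f"{where} Issuer {issuer!r} != configured {expected['issuer']!r}")

    destination = root.get("Destination")
    if destination != expected["destination"]:
        problems.append(f"Destination {destination!r} != ACS URL {expected['destination']!r}")

    audience = _text(assertion.find(".//saml:Audience", NS))
    if audience != expected["audience"]:
        problems.append(f"Audience {audience!r} != expected {expected['audience']!r}")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("no NameID in saml:Subject")
        return problems

    fmt = nameid.get("Format")
    if fmt != expected["nameid_format"]:
        problems.append(f"NameID Format {fmt!r} != configured {expected['nameid_format']!r}")

    value = _text(nameid)
    if value != expected["username"]:
        if value.lower() == expected["username"].lower():
            problems.append(f"NameID {value!r} differs from Okta username "
                            f"{expected['username']!r} only by case")
        else:
            problems.append(f"NameID {value!r} != Okta username {expected['username']!r}")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, EXPECTED) or ["no mismatches found"]:
        print(line)
```

To use it on a real capture, paste the decoded SAMLResponse from SAML tracer into SAMPLE_RESPONSE and fill EXPECTED from the Okta IdP settings; an empty result means the remaining suspects are the signature and certificate, not the identifiers.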