Unable to validate incoming SAML Assertion errors with Keycloak IDP

johnoff · October 24, 2020, 10:22pm

So I’ve been testing out the new ‘IDP as a factor’ functionality and for testing purposes, I was able to configure another IDP to act as a factor.

However, I’m now trying a different IDP (Keycloak) and while I can get the SAML flow to work properly, it always fails at the final step when the SAML assertion is sent back to Okta

The only thing in the System log is “Unable to validate incoming SAML Assertion”

I’ve looked at the assertion SAML tracer, and it seems like it’s good. And I’ve double-checked that both sides agree on the certificate, signing algo, etc.

Any suggestions?

phi1ipp · October 25, 2020, 1:19am

Tried it myself and had to spend some time trying to figure why I see the same error. Turned out that my username in Okta has some uppercase letters, while the username in the assertion was sent all lowercase. Check if you may have the same

johnoff · October 25, 2020, 1:30am

Thanks for the advice (I ran into that same feature with the first IDP!)

The working IDP is asserting

saml:Subject
<saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>john+test@xxx.xx</saml:NameID>

And the non-working IDP is asserting
saml:Subject
<saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>john+test@xxx.xx</saml:NameID>

So unfortunately, I don’t think that’s it

phi1ipp · October 25, 2020, 1:57am

Does this IdP work for you if you configure it for SSO and try to login as that external user? Just want to eliminate obvious things like certificate/issuer…

johnoff · October 26, 2020, 11:26pm

Figured it out.

There’s a bit of back and forth to get the certs to match properly, but once that’s done:
In Okta:

IdP Issuer: http://[host]/auth/realms/[realmname]
IdP Single Sign-On URL: http://[host]/auth/realms/[realmname]/protocol/saml
HTTP Post Binding ON
Request Signature ON
Validation Request or Assertion
SHA-256 (because it’s better)
Destination http://[host]/auth/realms/[realmname]/protocol/saml
ACS URL to Organization

From there, export the metadata and import it as a new client in Keycloak
The client ID will be set correctly
Include AuthN statement ON
Sign Documents ON
RSA_SHA256
KEY_ID
Client Signature required ON
Force POST binding ON
NameID format (whatever was set in Okta)
Valid Redirect URI - Master SAML Processing URL - ACS POST - All set to https://[your octa tenant]/sso/saml2

Make sure the NameIDs match exactly in the request and response and make sure your Realmname doesn’t have any spaces in it.

I suspect something odd happened with the cert exchange. But once I did a pattern of
Export to Okta. Configure Okta ahead of configuring the client, export metadata, import as new client into Ketcloak and tweak, it worked a charm.

system · October 27, 2020, 11:26pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.