I have Keycloak 23.0.4 configured with ADFS (SAML) as an IDP.
The mappings are configured so that from ADFS I receive the email, first name and last name, as well as the groups the AD user belongs to.
There is also a GitLab CE login client.
After I click LOGIN SSO on the page, it redirects to the ADFS web page, where I enter the user's AD credentials. Then it redirects back to the Keycloak web page with the error "Failed to process response".
In the log file there is this error:
```
ERROR [org.keycloak.protocol.saml.SamlProtocol]
(executor-thread-948) failed:
org.keycloak.common.VerificationException:
Client does not have a public key.
```
What could be the problem?
Client config (for GitLab CE):
```json
"clientId": "services.my-corp.com/gitlab",
"name": "GitLab2",
"description": "GitLab integration with keycloak",
"rootUrl": "https://services.my-corp.com/gitlab",
"adminUrl": "https://services.my-corp.com/gitlab/users/auth/saml/callback",
"baseUrl": "/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": true,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://services.my-corp.com/gitlab/users/auth/saml/callback"
],
"webOrigins": [
"https://258.260.299.283"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": true,
"protocol": "saml",
"attributes": {
"saml.force.post.binding": "true",
"saml.multivalued.roles": "false",
"post.logout.redirect.uris": "+",
"saml.server.signature.keyinfo.ext": "false",
"saml.signing.certificate": "MI2I-----------Bdf=",
"saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true",
"saml.signing.private.key": "MI2Ies---------C1jls=",
"saml.allow.ecp.flow": "false",
"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
"saml.assertion.signature": "true",
"saml.encrypt": "true",
"login_theme": "keycloak",
"saml.server.signature": "true",
"saml_idp_initiated_sso_url_name": "services.my-corp.com/gitlab",
"exclude.session.state.from.auth.response": "false",
"saml.artifact.binding.identifier": "sdsdcvJFzqwek=",
"saml.artifact.binding": "false",
"saml_force_name_id_format": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "true",
"display.on.consent.screen": "false",
"saml_name_id_format": "username",
"saml.onetimeuse.condition": "false",
"saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
},
```
ADFS config:
```json
"alias": "saml",
"displayName": "ADFS",
"internalId": "0959e193-54aa-44d6-a89e-ebd0dadcbf52",
"providerId": "saml",
"enabled": true,
"updateProfileFirstLoginMode": "on",
"trustEmail": false,
"storeToken": false,
"addReadTokenRoleOnCreate": false,
"authenticateByDefault": false,
"linkOnly": false,
"firstBrokerLoginFlowAlias": "first broker login",
"config": {
"hideOnLoginPage": "",
"validateSignature": "true",
"samlXmlKeyNameTranformer": "KEY_ID",
"signingCertificate": "sdiuvhbdfkvjbdfhbIUH&*hKJBHDLSDjcnlsdvhnkjsdvbksdhbvksbhgksdjngkjdfghkdf",
"postBindingLogout": "true",
"nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"postBindingResponse": "true",
"singleLogoutServiceUrl": "https://adfs.my-company.com/adfs/",
"backchannelSupported": "true",
"signatureAlgorithm": "RSA_SHA256",
"wantAssertionsEncrypted": "false",
"xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
"useJwksUrl": "true",
"wantAssertionsSigned": "false",
"postBindingAuthnRequest": "true",
"forceAuthn": "false",
"singleSignOnServiceUrl": "https://adfs.my-company.com/adfs/",
"wantAuthnRequestsSigned": "true",
"addExtensionsElementWithKeyInfo": "false",
"encryptionPublicKey": "kehbcsuybisdyhvduvlsdvjxlcvjliG&#&ghuhfnldjvnxcljvnxcjkvnNIYHFIUHDOHLKJVLKJVLKCJVLKXJCVLKJCLVKJLC" }
```
I have tried reconfiguring both the IdP and the client.