Closed suchitsancheti closed 9 months ago
Can anyone help here?
Any update on this issue? Facing 405 issue for us as well.
Thanks for the report, but unfortunately, due to the amount of other reported issues and other priorities, the Keycloak team does not have time to properly triage this bug. So it is preliminarily added to Backlog for now. It will be helpful if:
- You can verify if still applicable in latest Keycloak released version. If not, then it is welcome to close this issue.
- If you figure that this may not be a valid bug (for example just a mistake in configuration etc), it will be also welcome to close this issue
- If still applicable in latest version, it will be welcome to add the comment as well, that this was still reproduced with latest Keycloak version as it is very valuable info. Anyone is welcome to comment with this or add other relevant comments to this issue.
I can confirm that the bug occurs on v21.1.2, running on my k8s cluster.
I faced the same issue. Try to use this url in OKTA as Single sign-on URL
https://abc.xyz.com/auth/realms/my-realm/broker/<idp-alias>/endpoint/clients/<idp-alias>
I don't know about Okta, but for configuring a SAML identity provider you don't need any client in Keycloak. You just need to create the identity provider in Keycloak (acting as SP) and the client (or whatever name the IDP is using to designate SP clients) in Okta (acting as IDP). I found a guide here https://ultimatesecurity.pro/post/okta-saml/ although I have not tested it. It's always better to use the metadata URL of the IDP to configure the identity provider in Keycloak, as that guide is doing. The guide is not getting the certificates used by Keycloak to sign requests (in the identity provider there is an SP metadata the Okta IDP can use to see our certificates).
I'm closing this because we need more information, with messages exchanged and so on and so forth. My feeling is that something is not configured OK on one of the sides. Feel free to re-open or file a new issue if you have more data to share.
Describe the bug
I am trying to configure an IDP initiated login with keycloak as Identity Broker.
I have done the following configuration:
Keycloak:
Created a SAML v2.0 Identity Provider in the Keycloak realm:
- Redirect URI: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
- Alias: okta
- Enabled: On
- First Login Flow: first login flow
- Sync Mode: Import
- Service Provider Entity ID: okta
- Single Sign-On Service URL: https://abc.okta.com/app/xxxxxx/xxxxxx/sso/saml
- NameID Policy Format: Email
- Principal Type: Subject NameID
- HTTP-POST Binding Response: On
- HTTP-POST Binding for AuthnRequest: On

Created a SAML client in Keycloak:
- Client ID: okta
- Name: okta
- Enabled: On
- Client Protocol: saml
- Name ID Format: email
- Master SAML Processing URL: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
- IDP Initiated SSO URL Name: okta

Created an app in Okta:
- Single Sign On URL: https://abc.xyz.com/auth/realms/my-realm/protocol/saml/clients/okta
- Audience Restriction: okta
- Name ID Format: EmailAddress

When I am hitting the app in Okta, it's giving the "An internal server error has occurred" error. On closer observation, I found that the SAML response using a POST method on https://abc.xyz.com/auth/realms/my-realm/protocol/saml/clients/okta is giving a 405 Method Not Allowed error.
Version
15.1.0
Expected behavior
Login from IDP like Okta should be able to open the application
Actual behavior
The SAML request, when hitting the Keycloak endpoint, is giving the 405 Method Not Allowed error.
How to Reproduce?
Keycloak:
Created a SAML v2.0 Identity Provider in the Keycloak realm:
- Redirect URI: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
- Alias: okta
- Enabled: On
- First Login Flow: first login flow
- Sync Mode: Import
- Service Provider Entity ID: okta
- Single Sign-On Service URL: https://abc.okta.com/app/xxxxxx/xxxxxx/sso/saml
- NameID Policy Format: Email
- Principal Type: Subject NameID
- HTTP-POST Binding Response: On
- HTTP-POST Binding for AuthnRequest: On

Created a SAML client in Keycloak:
- Client ID: okta
- Name: okta
- Enabled: On
- Client Protocol: saml
- Name ID Format: email
- Master SAML Processing URL: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
- IDP Initiated SSO URL Name: okta

Created an app in Okta:
- Single Sign On URL: https://abc.xyz.com/auth/realms/my-realm/protocol/saml/clients/okta
- Audience Restriction: okta
- Name ID Format: EmailAddress
Click on the app tile in Okta and the error can be reproduced
Anything else?
No response
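As an added example (not code from the Keycloak project or from anyone in this thread), the following Python mirrors the setup the closing comments describe: parse the external IdP's SAML metadata, build the identity-provider representation that Keycloak's Admin REST API accepts at `POST /admin/realms/{realm}/identity-provider/instances`, and check that the "Single sign-on URL" configured in Okta points at the broker endpoint (`.../broker/<alias>/endpoint`, optionally with the `/clients/<IDP Initiated SSO URL Name>` suffix mentioned above) rather than somewhere else. The metadata document, hostnames and certificate are constructed placeholders, and the SP entity ID argument is an assumption; Keycloak's default is the realm URL.

```python
"""Derive a Keycloak SAML identity-provider config from IdP metadata and check
the ACS URL the IdP must POST to when Keycloak is the broker (SP)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an Okta SAML app's IdP metadata; the entityID,
# certificate and URLs are placeholders, not a real tenant.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0DCCAbigAwIBAgIBATANBgkqhkiG9w0BAQsFADAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abc.okta.com/app/xxxxxx/xxxxxx/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://abc.okta.com/app/xxxxxx/xxxxxx/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract what the broker config needs: IdP entityID, HTTP-POST SSO
    location and the signing certificate(s) used to validate Responses."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == HTTP_POST), None)
    if sso_url is None:
        raise ValueError("IdP publishes no HTTP-POST SingleSignOnService")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    # Refuse rather than silently configuring validateSignature=false later.
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    return {"idp_entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def broker_acs_url(base_url, realm, alias, idp_initiated_sso_name=None):
    """URL the external IdP must POST the SAML Response to when Keycloak brokers.
    base_url includes any /auth prefix of older distributions. The plain form is
    the 'Redirect URI' shown on the identity-provider page; the /clients/<name>
    suffix routes an IdP-initiated Response to the Keycloak client whose
    'IDP Initiated SSO URL Name' is <name>."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"
    if idp_initiated_sso_name:
        url += f"/clients/{idp_initiated_sso_name}"
    return url


def check_idp_sso_target(configured_url, base_url, realm, alias):
    """Compare the 'Single sign-on URL' entered in the IdP with the broker
    endpoint for this alias. Returns (ok, reason)."""
    expected = broker_acs_url(base_url, realm, alias)
    if configured_url == expected or configured_url.startswith(expected + "/clients/"):
        return True, f"IdP posts to the broker endpoint for alias {alias!r}"
    return False, f"IdP posts to {configured_url}, not the broker endpoint {expected}"


def build_saml_idp_representation(alias, sp_entity_id, meta):
    """IdentityProviderRepresentation body for
    POST /admin/realms/{realm}/identity-provider/instances.
    Every value under 'config' is stored by Keycloak as a string."""
    return {
        "alias": alias,
        "providerId": "saml",
        "enabled": True,
        "config": {
            "entityId": sp_entity_id,              # Keycloak's own SP entity ID (assumed input)
            "idpEntityId": meta["idp_entity_id"],  # expected Issuer of incoming Responses
            "singleSignOnServiceUrl": meta["sso_url"],
            "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "principalType": "SUBJECT",
            "postBindingResponse": "true",
            "postBindingAuthnRequest": "true",
            "validateSignature": "true",
            # several certificates go in this field comma-separated
            "signingCertificate": ",".join(meta["signing_certs"]),
            "syncMode": "IMPORT",
        },
    }


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    base, realm, alias = "https://abc.xyz.com/auth", "my-realm", "okta"
    print(check_idp_sso_target(f"{base}/realms/{realm}/protocol/saml/clients/okta", base, realm, alias))
    print(check_idp_sso_target(broker_acs_url(base, realm, alias), base, realm, alias))
    print(build_saml_idp_representation(alias, f"{base}/realms/{realm}", meta))
```

Keycloak's admin console "Import from URL" (the Admin REST `identity-provider/import-config` endpoint) performs the same extraction server-side from the metadata URL; the script shows which fields it derives, so they can be compared against a hand-entered configuration. Keycloak also publishes the broker's SP metadata at `.../realms/<realm>/broker/<alias>/endpoint/descriptor`, which is where the IdP side can fetch the signing certificate the closing comment mentions.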