p2-inc / idp-wizard

Identity Provider setup wizards for Keycloak
https://phasetwo.io

[Bug?] Error creating Saml IdP. Please confirm there is no SAML configured already. #179

Closed MGLL closed 3 days ago

MGLL commented 1 month ago

Hello, I was trying to configure an Organization SSO using IDP-Wizard with two localhost Keycloak instances for some testing but noticed a problem (using quay.io/phasetwo/phasetwo-keycloak:24.0.4).

Issue

Upon saving a SAML configuration, I'm getting this error message:

(screenshot)

But there is no Identity Provider and nothing assigned to the Organization originally.

Also,

(screenshots)

Cause

The cause that I have identified seems to be linked to the process of creating the mappers (you can have a look in Details).

I noticed that it creates the IDP under orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml, but all following requests for mapper creation use the orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX/mappers URI with the IDP alias generic-saml-w6rpqiJNPdNi3zEX.

But the generic-saml-w6rpqiJNPdNi3zEX IDP doesn't exist; it is generic-saml.

Is it a bug or is it some configuration issue?

Details

1- Create IDP

POST http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps
Status: 201
Payload:

{
    "alias": "generic-saml",
    "displayName": "SAML Single Sign-on",
    "providerId": "saml",
    "config": {
        "syncMode": "FORCE",
        "allowCreate": "true",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "principalType": "SUBJECT",
        "validateSignature": "true",
        "signingCertificate": "...HIDE...",
        "postBindingLogout": "true",
        "singleLogoutServiceUrl": "http://acme:8080/auth/realms/acme/protocol/saml",
        "postBindingResponse": "true",
        "idpEntityId": "http://acme:8080/auth/realms/acme",
        "loginHint": "false",
        "enabledFromMetadata": "true",
        "postBindingAuthnRequest": "true",
        "singleSignOnServiceUrl": "http://acme:8080/auth/realms/acme/protocol/saml",
        "wantAuthnRequestsSigned": "true",
        "addExtensionsElementWithKeyInfo": "false"
    },
    "trustEmail": false
}

Location Header: http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml

2- Create mappers

POST http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX/mappers
Status: 404
Payload:

{
    "identityProviderAlias": "generic-saml-w6rpqiJNPdNi3zEX",
    "config": {
        "syncMode": "IMPORT",
        "attributes": "[]",
        "attribute.name": "username",
        "attribute.friendly.name": "username",
        "user.attribute": "username"
    },
    "name": "username",
    "identityProviderMapper": "saml-user-attribute-idp-mapper"
}

POST http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX/mappers
Status: 404
Payload:

{
    "identityProviderAlias": "generic-saml-w6rpqiJNPdNi3zEX",
    "config": {
        "syncMode": "INHERIT",
        "attributes": "[]",
        "attribute.name": "email",
        "attribute.friendly.name": "email",
        "user.attribute": "email"
    },
    "name": "email",
    "identityProviderMapper": "saml-user-attribute-idp-mapper"
}

POST http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX/mappers
Status: 404
Payload:

{
    "identityProviderAlias": "generic-saml-w6rpqiJNPdNi3zEX",
    "config": {
        "syncMode": "INHERIT",
        "attributes": "[]",
        "attribute.name": "firstName",
        "attribute.friendly.name": "firstName",
        "user.attribute": "firstName"
    },
    "name": "firstName",
    "identityProviderMapper": "saml-user-attribute-idp-mapper"
}

POST http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX/mappers
Status: 404
Payload:

{
    "identityProviderAlias": "generic-saml-w6rpqiJNPdNi3zEX",
    "config": {
        "syncMode": "INHERIT",
        "attributes": "[]",
        "attribute.name": "lastName",
        "attribute.friendly.name": "lastName",
        "user.attribute": "lastName"
    },
    "name": "lastName",
    "identityProviderMapper": "saml-user-attribute-idp-mapper"
}

Here are the logs corresponding to the action, but no error is visible:

2024-06-03 11:16:43,718 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task PropagateLastSessionRefreshTask
2024-06-03 11:16:43,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2024-06-03 11:16:43,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2024-06-03 11:16:48,717 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2024-06-03 11:16:48,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2024-06-03 11:16:48,718 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task PropagateLastSessionRefreshTask
2024-06-03 11:16:48,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2024-06-03 11:16:48,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2024-06-03 11:16:51,356 DEBUG [org.keycloak.models.cache.infinispan.RealmCacheManager] (jgroups-16,937114f0b29a-25790) [937114f0b29a-25790] Invalidating 2 cache items after received event RealmUpdatedEvent [ realmId=ae6994c6-082c-43d1-bc7e-e6eb3c57881a, realmName=emca ]
2024-06-03 11:16:51,356 DEBUG [org.keycloak.services.DefaultComponentFactoryProviderFactory] (jgroups-16,937114f0b29a-25790) Invalidating REALM: [ae6994c6-082c-43d1-bc7e-e6eb3c57881a]
2024-06-03 11:16:51,357 DEBUG [org.keycloak.services.DefaultComponentFactoryProviderFactory] (jgroups-16,937114f0b29a-25790) Invalidating REALM: [ae6994c6-082c-43d1-bc7e-e6eb3c57881a]
2024-06-03 11:16:53,718 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2024-06-03 11:16:53,719 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false

xgp commented 1 month ago

This is a bug. It should use the whole name, including the generated part (e.g. orgs/b7200cb6-2dbe-455e-947a-130df8ce6348/idps/generic-saml-w6rpqiJNPdNi3zEX)

@pnzrr Can you look to see why the generic saml wizard isn't using the full path for the alias?
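The mismatch described in this thread (the IdP is created as generic-saml, but the mapper calls go to a different, suffixed alias and get 404s) comes from the client holding two notions of the alias. The example below is added here and is not the idp-wizard project's code: it takes the alias for the mapper requests from the Location header returned by the create call, so the alias in the mapper URL and in the mapper payload always match what the server actually created. The in-memory server stand-in and the org id are constructed from the requests quoted in the issue.

```javascript
// Added example (not idp-wizard code): drive the mapper calls off the alias the
// server reports in the Location header of the IdP create response.
const ORG_BASE =
  "http://localhost:8081/auth/realms/emca/orgs/b7200cb6-2dbe-455e-947a-130df8ce6348";

// Constructed stand-in for the two org endpoints seen in the issue: it stores
// IdPs by alias and returns 404 for mappers on an alias that was never created.
function makeFakeServer() {
  const idps = new Map();
  return (url, method, payload) => {
    if (method === "POST" && url === `${ORG_BASE}/idps`) {
      idps.set(payload.alias, { ...payload, mappers: [] });
      return { status: 201, location: `${url}/${payload.alias}` };
    }
    const m = /\/idps\/([^\/]+)\/mappers$/.exec(url);
    if (method === "POST" && m) {
      const idp = idps.get(decodeURIComponent(m[1]));
      if (!idp) return { status: 404 }; // unknown alias, as in the bug report
      idp.mappers.push(payload);
      return { status: 201 };
    }
    return { status: 404 };
  };
}

// The server's name for the new IdP is the last path segment of Location.
function aliasFromLocation(location) {
  const m = /\/idps\/([^\/?#]+)$/.exec(location);
  if (!m) throw new Error(`unexpected Location header: ${location}`);
  return decodeURIComponent(m[1]);
}

// Same mapper shape as the payloads in the issue, with the alias passed in.
function samlAttributeMapper(alias, attr) {
  return {
    identityProviderAlias: alias,
    config: { syncMode: "INHERIT", attributes: "[]", "attribute.name": attr,
              "attribute.friendly.name": attr, "user.attribute": attr },
    name: attr,
    identityProviderMapper: "saml-user-attribute-idp-mapper",
  };
}

// Creates the IdP, then every mapper against the alias the server returned.
function createSamlIdpWithMappers(send, idpPayload, attrs) {
  const res = send(`${ORG_BASE}/idps`, "POST", idpPayload);
  if (res.status !== 201) throw new Error(`IdP create failed: ${res.status}`);
  const alias = aliasFromLocation(res.location); // not a locally generated one
  const mapperStatuses = attrs.map((attr) =>
    send(`${ORG_BASE}/idps/${encodeURIComponent(alias)}/mappers`, "POST",
         samlAttributeMapper(alias, attr)).status);
  return { requestedAlias: idpPayload.alias, alias, mapperStatuses };
}
```

Sending a mapper to an alias that differs from the created one reproduces the 404s in the report, which is the case worth asserting on in a regression test.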