This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Request was from an untrusted provider NAM

Hi, I'm trying to setup SSO SAML from Keycloak and NAM. In my keycloak admin console I have imported the metadata.xml of the NAM related environment (given to me from my organization) and I have set all the fields and stuff needed to connect my keycloak client with NAM IdP.  I have downloaded the sp-metadata.xml

For the NAM Side my colleague have created a service application with my keycloak url and name, and he added my sp.metadata.xml for connecting keycloak client with NAM IdP.

Now, when I try to login into my application I'm able to insrrt credentials into keycloak login page but when I click on "Login" button I'm redirect to a page of my organization with this error message "Request was from an untrusted provider" (pic for better understanding).

I have created a new docker container with cert.pem and key.pem get from keystore.jks of the organization but the error is still here

I don't know if the problem was from my keycloak client or NAM IdP

I hope my question is clear, thanks for the help

Parents
  • 0  

    Hi!

    NAM reports this error when configuration in NAM is not in line with SAML request sent from Service Provider (Keycloak in your example).

    To help you further with troubleshooting you would need to:

    • send actual SAML request (you can install a browser plugin like SAML-tracer)
    • show us how NAM is configured (e.g. screenshot of metadata tab when looking at service provider configuration)

    Kind regards,

    Sebastijan

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi, Sebastian thanks for the answer. I have installed SAML-tracer and I will put here the request.

    For the NAM side I don't know If i can get a screenshot because is managed from other team.

    I will update my answer with SAML request when I can try again, thanks!!

  • 0   in reply to 

    Hi Felice!

    SAML request is only half of the information needed to solve this, because SAML request must be in line with NAM configuration. And since federation does not work, request is obviously not in line with NAM configuration.

    Or to rephrase, to make this federation work, other team will most likely need to change NAM configuration. And in order to tell you what to change in NAM I would need to see how it is currently configured.

    Kind regards,

    Sebastijan

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi Sebastian!

    I'm waiting for the answer from NAM team, we have checked the metadata.xml that I sent them, entityID and ID are equals, so I think the problem could depends from the certificate of my Keycloak(?) I don't know.

    I will update my answer asap after response of the team, thanks

  • 0 in reply to 

    Hi Sebastijan, how I can get you saml-tracer.json file? NAM team give to me some info, the problem could be related to my sp-metadata.xml but I don't know where the problem is.

    I have tried to upload you these file but this forum give spam error if there are 2 links inside answer, thanks for the help.

  • 0   in reply to 

    Hi Felice!

    It is good that you were not able to upload saml-tracer.json file, since there might be some sensitive data you don't want to share with the rest of the world. It would be enough to just post a screenshots SAML request where we could see decoded SAML message (SAML tab in screenshot below) and parameters (Parameters tab):

    Also can you share your sp-metadata.xml? And maybe info what your NAM team thinks it is wrong?

    //s

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi Sebastijan!

    I upload you my SAML request and parameters tab as you said. Also I add my sp-metadata.xml

    My NAM team said that is something wrong with my .xml but I have analyze the file many times but I can't see anything that could be a problem. Thanks for your help, I very appreciate it!!!

    <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="Genertel-Mobilitu-MCCTestlocale" ID="ID_19d8bc68-2ce9-4185-b580-741f3ebdb7c8">
    
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
    
    <md:KeyDescriptor use="signing">
    
    <ds:KeyInfo>
    
    <ds:X509Data>
    
    <ds:X509Certificate>MIID2TCCAsGgAwIBAgIEYRYo0TANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB1RSRVZJU08xGDAWBgNVBAcMD01PR0xJQU5PIFZFTkVUTzEuMCwGA1UECgwlR0VORVJBTEkgT1BFUkFUSU9OQUwgUExBVEZPUk0gU0VSVklDRTEgMB4GA1UECwwXUFJFU0lESU8gSU5GUkFTVFJVVFRVUkExHTAbBgNVBAMMFFNJR05BVFVSRV9JRFBfU1RTX0NBMB4XDTIxMDgxMzA4MDk1M1oXDTQwMTIzMTIyNTk1OVowgbExCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdUUkVWSVNPMRgwFgYDVQQHDA9NT0dMSUFOTyBWRU5FVE8xLjAsBgNVBAoMJUdFTkVSQUxJIE9QRVJBVElPTkFMIFBMQVRGT1JNIFNFUlZJQ0UxIDAeBgNVBAsMF1BSRVNJRElPIElORlJBU1RSVVRUVVJBMSQwIgYDVQQDDBtTSUdOQVRVUkVfSURQX1NUU19DRVJUXzIwMjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGzNLGiiRu8q2PIup6CpHF4QPb7gizpjiGVIE0eTWUZv5jWpq7CSUydfJL0wNzK4wKlkDPCKLpLgvKgDTWqOE0sTdtF2vjJp9/i2NIsVuGzFOUfBIecMj2Lps9HCdZAm5R1aN6P2pY0EYZYvxpV1ez9AYZsKk0V3L/hCdpn4TxPfDt422PJf/RrzZACEHojKSpYBNuTXMiZodoeU5iWGae07rfQf65owkgnYuYLwq1s2yCO0PtHF3aKu41Z4ptj7SGAep7l4mgqMvq3R+FsOIqETzJpDK1AfKRvuucs81PtHSAeBDh2wLReERIZc+VEYzib6J/uM0MRkuSR+Oef/oTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABjN5dNrxfpGQLuRVD7BncT36HUvC7NU7/lnuiYWm1MbeAPN8gj8ImIsjRid15TjuxRbwuvjtidfRU4hMvfqDCkZ0aJ53omnwYzVIF6+8OomAf8hzx+I57QS4vUa3J3roX9zehwBtXUdMygG8qnQZE4Ps+3MOhFH1dYS9fpcl2zn3CFX08AJgwcbnslOO7nIygQlLRDzHaNn/3CTuBdunNOhQgMA4uWJTesRw519LnfKUDbgctZNXBvTec4wjaYJQ4bobo0faRYMwxueCImF8ZKKOaMTj4RoNLJ/MNYWH8kTlLpLEl3z2TdqIx+JSXw553AIMw7TDufUUk/5r+GNIxM=</ds:X509Certificate>
    
    </ds:X509Data>
    
    </ds:KeyInfo>
    
    </md:KeyDescriptor>
    
    <md:KeyDescriptor use="encryption">
    
    <ds:KeyInfo>
    
    <ds:X509Data>
    
    <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIkAhwR/6Up9csAOybkZCpJokMt0uZNVp8zvX9YH04dAgIWDRx3MA0GCSqGSIb3DQEBBQUAMDQxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENBMRYwFAYDVQQKFA1uYW1kYmMwM190cmVlMB4XDTEzMDkwMzEwMTMxOFoXDTIzMDkwMzEwMTMxOFowQzEYMBYGA1UEAxMPdGVzdC1lbmNyeXB0aW9uMRYwFAYDVQQLEw1hY2Nlc3NNYW5hZ2VyMQ8wDQYDVQQKEwZub3ZlbGwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyxYFDDM3N4GytOoie85BO4vHgUD63t7zMk+OHjbzFtksww54ww//pN40AQD5qekWlGi81XHCiBrIM8/Fbk+EXERqBe2lHfwxkavIWbDldX+UvzYMYzzy1DdWNMQO+oR0eFR1Wdifux5wLJdLcHt9IYnZlpZzssKkqfHSymiKMDC2PYfWcrNpyh1oF2QyU5p0V6H8wopY+otf2x0iQPhuilYTOch8UdZ0lCYTBG0ySPUC0mNapFG1Y9IRB4KQFGzShL80e2IrORnMrxLh6pnEdKjQuXMWi5aFFkjBBNmyBnFb+00Uv8BrGTJ9hrCKA9KLaxowimmFw6SGPKeS+/lKzAgMBAAGjggIUMIICEDAdBgNVHQ4EFgQU8dQ+EHML+ux838rrZnP++ibcCiAwHwYDVR0jBBgwFoAUQl7vGaNJsjxCcL6Yggd7GBvxFr4wggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIBAAEB/xMdTm92ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0wggFIoBoBAQAwCDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBADAIMAYCAQECAQACAQCiBgIBFwEB/6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQG8N9IMBgwEAIBAAIIf/////////8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQR/6UpMBgwEAIBAAIIf/////////8BAQACBBH/pSmiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIwEAIBAAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADANBgkqhkiG9w0BAQUFAAOCAQEAeNsTsoaKt8JpdY+SE1fU5tDlOFHWpIVGuyQdw6JoYWtQfPCDdhhDZ59NngeQ143DodIaUKJei/Ur8iLupkzlRbnFDO0w9wBhNkupHldNtxE1DFH7na+D+h45lAU+tZvbwr5l6jINyK0lY16KJ1kLhY6dw4E2/pLFw3fZ96FRTXuIpHychZEveKAgZeBKALpzyMqFX/031WfIQtIpGfFUsFhWgLgdotMDNur9u5swbIxenKBMpc6CuPQollSNQElkUYTFnOzp/9rsNjGgMvQFJGZji+F8mWrY8oxh+afdRGgx46B9St3+fZXRkHQWGkVtUgfq83LCOOdCGDsuZNdkGQ==</ds:X509Certificate>
    
    </ds:X509Data>
    
    </ds:KeyInfo>
    
    </md:KeyDescriptor>
    
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aws.amazon.com/saml"/>
    
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://loginidmcert.generali.it/nidp/saml2/spassertion_consumer" isDefault="true" index="1"/>
    
    </md:SPSSODescriptor>
    
    </md:EntityDescriptor>

  • 0   in reply to 

    Hi!

    Ok, something in your information does not add up.

    Is Keycloak acting as SP (application that needs authentication from external source - e.g. NAM) or is acting as IdP (Identity provider that provides authentication to NAM)?

    If Keycloak is acting as SP then SAML request is wrong, because SP should send samlp:AuthnRequest but you are sending samlp:Response.

    If Keycloak is acting as as IdP then provided Keycloak's metadata is wrong, because it has SPSSODescriptor which is used to describe SP and not IdP.

    Kind regards,

    Sebastijan

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi!

    Keycloak should be act like a proxy (identity broker). Shall me explain, my users use keycloak to log into NAM, after successfull login they will be redirect on keycloak again to go on AWS console.

    I don't know if I need to setup keycloak as SP or not for getting this type of flow that I explained.


    The team said that NAM is the IdP, Keycloak is a client for NAM, and AWS is a client for keycloak.
    I'm stuck in the comunication between NAM and Keycloak and I don't know how to go on.


    I'm reading this  www.keycloak.org/.../ to get some information.
    Any help is very appreciated!

    Thanks

  • 0 in reply to 

    Hi Sebastijan!

    I have configure an IdP in Keycloak with NAM.xml file, now I'm able to go on the NAM page for login without any error but I have a question.

    I don't know If you can answer but in Keycloak client for loggin to aws I have configured three mappers as explained here https://neuw.medium.com/aws-connect-saml-based-identity-provider-using-keycloak-9b3e6d0111e6

    I have checked my SAML response from NAM (I think) and this mappers/attribute are missing. My question is: I need to said to NAM team to configure these 3 attributes, right?

    Because my other colleagues have shared with me a SAML reponse that contains an attribute configured NAM side.

    Thanks, I hope it is clear

Reply
  • 0 in reply to 

    Hi Sebastijan!

    I have configure an IdP in Keycloak with NAM.xml file, now I'm able to go on the NAM page for login without any error but I have a question.

    I don't know If you can answer but in Keycloak client for loggin to aws I have configured three mappers as explained here https://neuw.medium.com/aws-connect-saml-based-identity-provider-using-keycloak-9b3e6d0111e6

    I have checked my SAML response from NAM (I think) and this mappers/attribute are missing. My question is: I need to said to NAM team to configure these 3 attributes, right?

    Because my other colleagues have shared with me a SAML reponse that contains an attribute configured NAM side.

    Thanks, I hope it is clear

Children
  • 0   in reply to 

    Hi! Glad you make federation work. 

    My question is: I need to said to NAM team to configure these 3 attributes, right?

    Yes, NAM team needs to configure which attributes are sent in SAML response back to you.

    Kind regards,

    Sebastijan

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi!

    NAM team have mapped three LDAP attributes such as cn (that contains my username) and mail that obviously contains my mail, I can see that in my SAML Response, but when I analyze the saml response to log into AWS the attributes are missing.

    I need to create a mappers in keycloak to match the LDAP attributes? Or I need to do something different?

    Thanks for the help

  • 0 in reply to 

    mappers should not be necessary.

    Be sure to configure the "NameID policy format" the same on both keycloak and NAM (I've had success with "Unspecified")

    and also the "Principal Type" of keycloak has to be set to "Subject NameID"

    The signing certificate of NAM (without the ---start certificate--- and ----end certificate ----- parts) should be in the field "Validating X509 certificates" of keycloak