breakfix: SAML integration with Keycloak
Describe the issue
Trying to use SAML with Keycloak as the IdP: authentication is valid and the SAMLResponse is valid, but Caddy reports "failed to ParseXMLResponse: Authentication failed".
Configuration
Paste full Caddyfile below:
{
    debug
    servers {
        trusted_proxies static 0.0.0.0/0
    }
    order authenticate before respond
    order authorize before basicauth
    security {
        saml identity provider keycloaksaml {
            realm keycloaksaml
            driver generic
            idp_metadata_location /etc/caddy/descriptor.xml
            idp_sign_cert_location /etc/caddy/cert.pem
            idp_login_url https://xxxh/auth/realms/xxx/protocol/saml/clients/caddy
            application_name "Caddy Auth Test"
            application_id "caddy-saml"
            entity_id "https://xxx/auth/realms/xxx"
            acs_url http://web.test.svc.cluster.local/auth/saml/keycloaksaml
        }
        authentication portal authz_proxy_portal {
            crypto key sign-verify {env.CRYPTO_KEY}
            # enable identity provider keycloak
            enable identity provider keycloaksaml
            cookie lifetime 3600
            cookie samesite lax
            cookie insecure on
            transform user {
                match realm keycloaksaml
                action add role authp/user
            }
        }
        authorization policy default_authz_policy {
            #disable auth redirect query
            set auth url /auth/saml/keycloaksaml
            crypto key verify {env.CRYPTO_KEY}
            allow roles authp/user
        }
    }
}

:80 {
    root /opt/www
    log {
        output stdout
        format transform "{common_log}"
    }
    route /auth/* {
        authenticate with authz_proxy_portal
    }
    route {
        authorize with default_authz_policy
        templates
        try_files {path}.html
        file_server
    }
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:
http.authentication.hashes.bcrypt v2.10.2
http.authentication.providers.http_basic v2.10.2
http.handlers.authentication v2.10.2
tls.client_auth.verifier.leaf v2.10.2
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
Expected behavior
Authentication succeeds
Additional context
Log
{"level":"debug","ts":1757062091.427172,"logger":"security","msg":"token validation error","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"5bc20653-9491-48ec-a0f2-d02c54ceceed","error":"no token found"}
{"level":"debug","ts":1757062091.4272056,"logger":"security","msg":"redirecting unauthorized user","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"5bc20653-9491-48ec-a0f2-d02c54ceceed","method":"location"}
{"level":"error","ts":1757062091.4272242,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.2.1.149, src_conn_ip=10.2.1.149, reason: no token found"}
10.2.1.149 - - [05/Sep/2025:08:48:11 +0000] "GET / HTTP/1.1" 302 5
{"level":"debug","ts":1757062091.42728,"logger":"http.log.error.log0","msg":"not authenticated","request":{"remote_ip":"10.2.1.149","remote_port":"57314","client_ip":"10.2.1.149","proto":"HTTP/1.1","method":"GET","host":"web.test.svc.cluster.local","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Referer":["http://web.test.svc.cluster.local/auth/saml/keycloaksaml"],"Cookie":["REDACTED"],"Connection":["keep-alive"]}},"duration":0.000104178,"status":401,"err_id":"ie98j5m1k","err_trace":"caddyauth.Authentication.ServeHTTP (caddyauth.go:99)"}
{"level":"debug","ts":1757062091.4740946,"logger":"security","msg":"redirect recorded","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","redirect_url":"AUTHP_REDIRECT_URL=http://web.test.svc.cluster.local/; Domain=test.svc.cluster.local; Path=/; Max-Age=3600; SameSite=Lax;"}
{"level":"debug","ts":1757062091.4742203,"logger":"security","msg":"External login requested","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","base_url":"http://web.test.svc.cluster.local","base_path":"/auth/","auth_method":"saml","auth_realm":"keycloaksaml","request_path":"/auth/saml/keycloaksaml"}
{"level":"debug","ts":1757062091.4742584,"logger":"security","msg":"Redirect to authorization server","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","url":"https://xxx/auth/realms/xxx/protocol/saml/clients/caddy"}
10.2.1.149 - - [05/Sep/2025:08:48:11 +0000] "GET /auth/saml/keycloaksaml?redirect_url=http%3A%2F%2Fweb.test.svc.cluster.local%2F HTTP/1.1" 302 89
{"level":"debug","ts":1757062092.7866983,"logger":"security","msg":"External login requested","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"c9ccb6d3-9824-42c4-9fa8-a5419f9e1be8","base_url":"http://web.test.svc.cluster.local","base_path":"/auth/","auth_method":"saml","auth_realm":"keycloaksaml","request_path":"/auth/saml/keycloaksaml"}
SAML Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://web.test.svc.cluster.local/auth/saml/keycloaksaml"
ID="ID_ffb29efb-fdff-43b1-80f5-cdce55b083bc" IssueInstant="2025-09-05T08:39:51.778Z"
Version="2.0">
<saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_ffb29efb-fdff-43b1-80f5-cdce55b083bc">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>FBERr5WJuU0ghTCA+1odXZRCpIrr4fMw2RJkQCl91jI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
ZLTFHA/EuIFlEzTDzaD4SZiF+zmHFNJVKkmEftAWbo0JTXzlibVLXOr4naN8XL2LGKAUY5N0JiMgqo9feskhE9TfKY7kLDWQiK1KHzEQO/T7fC//yV54i0S4G3XlThZGqibJGB96Kh24iKfOgX9GTgsY9BT5mehGIm5Sfp7XLfUwmYeLREZrK8qIgkJUK/LZHxo1iE8QAOUtsy3Wvk9ZuAUhLfBd1d4WPMBbrC8u6cDW3mzOzgv5hIJnxuUlSAlsP7uAzcsmRN+4As/Egrd78EBRMuoHfxoBykp/vTQRmlCx7c3pM0UuOUi6hZCx0ovtVk3z7d8/tllcOlIp0N26Gw==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>L2GoMcKbzJpUwY_XsJzA1SuH06bBDuWXOxfIWrfA900</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>
[X509 certificate omitted]</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>
jOq57RGRNq0XteYKkqQ2oM1SYOp06ggBXWmlMiaveP5ySYnGSRoR6T++OZMvCOFVvlbRliHKAPvN2rem47+EPEpsgu6mlYYc4rX3yoTUgd8G+kH46V1psWfuPGHgADsXWK+8xSPQary/QMRpwIrPJk+7F5BPyo7b5oivchMdKxv3gIKidFlGSE/84D9pOvpvwCK0ABjy9SVXBvELOwza7QoOOXp5pPcEQVQyVESKvgdPXHdpb7WCuAH5M6q+g7WI1kKqg4FV2XOelaSC2muuR9KucY7+HKKlrb1l/ghqtZoHmA/yvAJ9jNpCFBK2G79dfurDQ3OrXhl9mGSp2cRIrQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_4a7c5506-ecd0-4b61-b2e8-035de07bdfad" IssueInstant="2025-09-05T08:39:51.777Z"
Version="2.0">
<saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2025-09-05T08:44:49.777Z"
Recipient="http://web.test.svc.cluster.local/auth/saml/keycloaksaml" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2025-09-05T08:39:49.777Z"
NotOnOrAfter="2025-09-05T08:40:49.777Z">
<saml:AudienceRestriction>
<saml:Audience>caddy-saml</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2025-09-05T08:39:51.778Z"
SessionIndex="d48c066f-0ea1-419b-99d0-715127946c8c::b5b6a3d6-7b77-440a-ba7d-4297a94c59f6"
SessionNotOnOrAfter="2025-09-05T18:39:51.778Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
User</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
PowerUser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
superuser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">power
user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manage-account</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
impersonation</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Administrator</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-profile</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
uma_authorization</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
query-groups</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
viewer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manage-account-links</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
query-users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
support</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
viewer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
Admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
offline_access</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-realm</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
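As an added diagnostic (not code from caddy-security or Keycloak), the script below runs the plaintext SP-side checks a SAML parser performs before it ever reports "Authentication failed": Destination and Recipient against the configured acs_url, the assertion Issuer, the Conditions time window, and the Audience, plus collection of the Role attributes with Keycloak's line-wrapped values normalised. It assumes the expected values from the Caddyfile above (acs_url, the IdP issuer used as entity_id, and application_id as the audience) and does not verify the XML signature, which needs xmlsec; the embedded response is a constructed, trimmed copy of the one in this issue.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, trimmed copy of the issue's response (signature dropped); one Role value keeps Keycloak's line wrap.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="http://web.test.svc.cluster.local/auth/saml/keycloaksaml"
  ID="ID_sample" IssueInstant="2025-09-05T08:39:51.778Z" Version="2.0">
  <saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
  <saml:Assertion ID="ID_sample_a" IssueInstant="2025-09-05T08:39:51.777Z" Version="2.0">
    <saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2025-09-05T08:44:49.777Z"
        Recipient="http://web.test.svc.cluster.local/auth/saml/keycloaksaml"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2025-09-05T08:39:49.777Z" NotOnOrAfter="2025-09-05T08:40:49.777Z">
      <saml:AudienceRestriction><saml:Audience>caddy-saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>VAPP
User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC; Keycloak emits millisecond precision.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, audience, issuer, now, skew=timedelta(seconds=30)):
    """Plaintext SP-side checks that fail (empty list = all pass); signature is not verified here."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != acs_url")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted? it needs a decrypt step first)"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("assertion Issuer != expected IdP issuer")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient != acs_url")
    cond = assertion.find("saml:Conditions", NS)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("now is outside the Conditions NotBefore/NotOnOrAfter window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include expected {audience!r}")
    return problems

def roles(xml_text):
    """Role attribute values, whitespace-normalised and de-duplicated in order."""
    out = []
    for v in ET.fromstring(xml_text).findall(".//saml:Attribute[@Name='Role']/saml:AttributeValue", NS):
        text = re.sub(r"\s+", " ", v.text or "").strip()
        if text and text not in out:
            out.append(text)
    return out
```

Feed it the real SAMLResponse (base64-decoded from the POST) and a current timestamp; the Caddyfile sets entity_id to the IdP issuer while the assertion's Audience is the application_id, so try the audience check with whichever value the SP treats as its own entity id.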
Hi, any idea how to resolve?
@webfrank, not really, because I can't replicate your environment. The parsing makes certain assumptions that seem not to hold in your environment. You would need to dive deep on this one.
Hi, the issue is with the parsing of the SAMLResponse, but the response is a valid SAMLResponse generated by Keycloak, and SAML integration with Keycloak works with DEX, for example. There should be something in the SAML parser lib which is breaking; can you investigate, as I do not have full knowledge of SAML?