Keycloak and SAML - Validation error
Hi everybody,
After unsuccessfully trying to implement JWT for authorization, we are now trying with SAML and Keycloak.
We have followed this article, but when we try to validate, it gives back the following error:
If I look at the SAML assertion I can see the attributes are there:
Is there anything I can check to verify if the SAML request is in the correct format?
Thanks,
Loris
Can you compare your configuration in Keycloak and Qlik Cloud against the details in the following article?
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Cloud-How-to-set-up-Keycloak-as-a-SAML-...
Of course, if you are using Keycloak you could use OIDC.
Hi Marc, that is exactly how we have done the settings in Keycloak.
We have tried OIDC as well; in that case it gives a "First certificate" issue, which I'm not sure what it is referring to.
Please consider that our Keycloak is publicly available and its certificate is a valid one.
thanks,
Loris
Here is a full SAML response that is working (also Keycloak); can you check if there is any obvious difference with yours?
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://xxxx.ap.qlikcloud.com/login/saml"
ID="ID_9f3319ec-744e-47ba-b375-d817ed377e58"
InResponseTo="Qlik_d8e89790-0499-4088-a707-28bd5b550f62"
IssueInstant="2024-03-10T14:21:33.658Z"
Version="2.0"
>
<saml:Issuer>https://qlikserver2.domain.local:8443/realms/master</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_9f3319ec-744e-47ba-b375-d817ed377e58">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>2L3+Qnr4G5TLM+pSIPGH3J1Fdo/lCXK/ZIUn2TWDzOw=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>yvrhk1D2HUpvDRPu0eF2EZkpHN+Neh2ee7Wg8qaf+IFVtgyXc5PFjVnOUgljIJ5BriKCVNk49l34sx4sbtR28bbo3m3n+4BFpX5bQOwZumODLDZoPL01jXo4xQZzYtVwsNgpSkaryYnYctAsjAweMSSeyFWOlRkGyUepu+pELUOPgDkRsdvvPmdCTAL6tpxExTGPSQvbdOrTH8gSxZTGiIRMfhDUlY7cFY+ccwkwx7yFmk+uP+HX+Ps9kESF3sNto2rHBuUf4oawG27YorwZDaQAGKjQIDqld0JiBTePnLe97zJ+zxXk3q6hOuMgzumogTsMIMd1qH8Zo841LllN7g==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate><!-- certificate omitted --></dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_539dfb0a-703c-4c5d-9e54-a040167c7167"
IssueInstant="2024-03-10T14:21:33.658Z"
Version="2.0"
>
<saml:Issuer>https://qlikserver2.domain.local:8443/realms/master</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-5dbff66b-31d5-4060-8307-4267d731c370</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="Qlik_d8e89790-0499-4088-a707-28bd5b550f62"
NotOnOrAfter="2024-03-10T14:22:31.658Z"
Recipient="https://xxxx.ap.qlikcloud.com/login/saml"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2024-03-10T14:21:31.658Z"
NotOnOrAfter="2024-03-10T14:22:31.658Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://xxxx.ap.qlikcloud.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-03-10T14:21:33.658Z"
SessionIndex="26996a77-ed62-43b3-a301-7bee4f33ca12::8e0bf523-4f9e-4970-a0a9-099046787a6e"
SessionNotOnOrAfter="2024-03-11T00:21:33.658Z"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute FriendlyName="groups"
Name="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Group1</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Group2</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="email"
Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>user1@test.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Hi Damien, thanks for your support!
I've loaded the two SAML assertions into https://samltool.io/
Here is the one you shared:
Here is mine:
I cannot see any major difference.
Can you see anything strange?
Please consider that our Keycloak is publicly available and the SSL certificate is a valid wildcard certificate issued by a trusted authority.
Thanks,
Loris
Can you please confirm how you have configured the settings in Qlik Cloud,
as your SAML does not appear to have groups, but roles.
Hi Marc,
it is configured like this.
BTW, I'm not interested in groups or picture at the moment.
Shall I leave that mapping blank?
Also, the error doesn't seem to refer to the group attribute but in general to the fact that it cannot find the attributes in the SAML assertion.
Thanks,
Loris
Since you mentioned you're not interested in groups, did you make sure that you have the "Group creation" option set to OFF in your tenant settings ?
Hi Damien, yes it is.
Loris
After investigation, we found out that this is due to Keycloak sending the "Role" attribute with different values several times instead of sending it as an array. If you remove the Role attribute from the SAML response in Keycloak, then it should work.
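The two things this thread asks for, a way to verify that the response is in the format the Service Provider expects (the opening question) and a check for the repeated "Role" attribute that turned out to be the cause, can be combined in one structural pre-check. The following is an added example, not code from this thread, from Qlik or from Keycloak. It uses only the Python standard library; the URLs, IDs and attribute values in the embedded sample are constructed to mirror the shape of the working response above, the `check_response` and `collect_attributes` names are this example's own, and it deliberately does not verify the XML signature or digest, which the SP's SAML library must still do before any of these values are trusted.

```python
"""Structural pre-check for a SAML 2.0 Response from the Service Provider's side:
list the attributes the IdP actually sent and flag the common reasons an SP
rejects an otherwise valid assertion. No signature verification is done here."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-03-10T14:22:31.658Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def collect_attributes(response_xml):
    """Return ({name: [values]}, {name: number of <saml:Attribute> elements}).

    A correct multi-valued attribute is ONE <saml:Attribute> element carrying
    several <saml:AttributeValue> children (the "groups" attribute in the working
    response). The same Name emitted as several sibling <saml:Attribute> elements,
    one value each, is the pattern this thread found for "Role"; the element
    count exposes it even though the collected values look identical."""
    root = ET.fromstring(response_xml)
    values, elements = defaultdict(list), Counter()
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        name = attr.get("Name")
        elements[name] += 1
        for val in attr.iterfind("saml:AttributeValue", NS):
            values[name].append((val.text or "").strip())
    return dict(values), dict(elements)


def check_response(response_xml, acs_url, audience, required=("email",), now_iso=None):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append(("DESTINATION", root.get("Destination")))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append(("STATUS", None if status is None else status.get("Value")))
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append(("RECIPIENT", None if scd is None else scd.get("Recipient")))
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append(("NOT_YET_VALID", cond.get("NotBefore")))
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append(("EXPIRED", cond.get("NotOnOrAfter")))
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        findings.append(("AUDIENCE", audiences))
    values, elements = collect_attributes(response_xml)
    for name, count in elements.items():
        if count > 1:
            findings.append(("DUPLICATE_ATTRIBUTE", f"{name} x{count}"))
    for name in required:
        if not values.get(name):
            findings.append(("MISSING_ATTRIBUTE", name))
    return findings


# Constructed sample (hypothetical hosts, unsigned): same layout as the working
# response above, plus "Role" emitted three times as separate elements.
ACS = "https://example.qlikcloud.invalid/login/saml"
AUDIENCE = "https://example.qlikcloud.invalid"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS}" ID="ID_1" Version="2.0" IssueInstant="2024-03-10T14:21:33.658Z">
  <saml:Issuer>https://idp.example.invalid/realms/master</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_2" Version="2.0" IssueInstant="2024-03-10T14:21:33.658Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-03-10T14:22:31.658Z" Recipient="{ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-10T14:21:31.658Z" NotOnOrAfter="2024-03-10T14:22:31.658Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Group1</saml:AttributeValue>
        <saml:AttributeValue>Group2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>user1@test.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for code, detail in check_response(SAMPLE, ACS, AUDIENCE, now_iso="2024-03-10T14:22:00Z"):
        print(code, detail)
```

Run it against a real response by base64-decoding the `SAMLResponse` form field from the browser's POST to the ACS URL and passing the XML string, the tenant's ACS URL and entity ID to `check_response`. A `DUPLICATE_ATTRIBUTE` finding is the Keycloak behaviour described above; `DESTINATION`, `RECIPIENT` and `AUDIENCE` findings point at a mismatch between the Keycloak client settings and the Qlik Cloud IdP configuration, and `EXPIRED` on a freshly captured response usually means clock skew between IdP and SP, since the validity window in the working response is only sixty seconds.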
