Alex Li, posted November 27

In my environment, Keycloak has mandatory security configuration. If the <SignatureValue> of the SAML Request contains line breaks, authentication will fail. I tried adding "-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true" to "/opt/vmware/gateway/supervisor/conf/esmanager.ini", but it did not solve the problem.

SAML Request captured by the browser:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso" Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml" ForceAuthn="false" ID="_8c7436fdf8b208e1678bf5fe87f2db24" IssueInstant="2024-11-27T03:52:01.963Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="portal" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
      <ds:Reference URI="#_8c7436fdf8b208e1678bf5fe87f2db24">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>A+C9aWbncDtUIhDRM1LmuAJ1ZuFzkN8GdEFcTUrU08s=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ
ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt
XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl
limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW
W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==
    </ds:SignatureValue>
  </ds:Signature>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2p:NameIDPolicy>
</saml2p:AuthnRequest>

The newline character "\n" can be seen in the Keycloak log:

2024-11-27 11:52:03,191 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-226) SAML POST
2024-11-27 11:52:03,191 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-226) SAML POST Binding
2024-11-27 11:52:03,192 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-226) <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso" Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml" ForceAuthn="false" ID="_8c7436fdf8b208e1678bf5fe87f2db24" IssueInstant="2024-11-27T03:52:01.963Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="portal" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_8c7436fdf8b208e1678bf5fe87f2db24"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>A+C9aWbncDtUIhDRM1LmuAJ1ZuFzkN8GdEFcTUrU08s=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>
fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ
ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt
XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl
limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW
W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==
</ds:SignatureValue> </ds:Signature><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>
2024-11-27 11:52:03,195 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-226) ** login request
Solution (Alex Li, author, posted December 1)

I found a solution and the test passed, but I don't know if it will cause other problems.

1. Log in to Horizon UAG and go to the /opt/vmware/gateway/supervisor/conf directory.
2. Edit the esmanager.ini file and add "-Dorg.apache.xml.security.ignoreLineBreaks=true".
3. Restart the esmanager service: supervisorctl restart esmanager
4. Check whether the parameter is added: ps -ef|grep ignoreLineBreaks
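The condition the thread describes (a 76-column line-wrapped base64 <ds:SignatureValue>) can be checked offline before and after changing the UAG setting. The script below is an added example, not code from the thread, from VMware UAG or from Keycloak; it uses only the Python standard library, and the embedded sample is constructed from the AuthnRequest posted above, trimmed to the elements the check needs. It decodes a SAMLRequest form value for either the HTTP-POST or HTTP-Redirect binding, reports whether the signature base64 is wrapped, confirms the decoded signature has the 256-byte length of an RSA-2048 signature, and shows the collapsed single-line form that a signer emits with ignoreLineBreaks=true.

```python
"""Check a SAML AuthnRequest for a line-wrapped <ds:SignatureValue>.

Added example, not VMware/Keycloak code. Standard library only.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the AuthnRequest from the thread, reduced to the elements
# this check needs, with the signature base64 wrapped at 76 columns exactly as
# the browser capture and the Keycloak DEBUG log showed it.
SAMPLE_AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_8c7436fdf8b208e1678bf5fe87f2db24" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>
fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ
ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt
XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl
limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW
W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==
    </ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>
"""


def encode_saml_request(xml: str, binding: str = "POST") -> str:
    """Build the SAMLRequest form/query value for the given binding.

    HTTP-POST carries plain base64 of the XML; HTTP-Redirect carries base64 of
    a raw DEFLATE stream (no zlib header), hence wbits=-15.
    """
    raw = xml.encode("utf-8")
    if binding.upper() == "REDIRECT":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_request(value: str, binding: str = "POST") -> str:
    """Inverse of encode_saml_request: recover the XML from a captured value."""
    raw = base64.b64decode(value)
    if binding.upper() == "REDIRECT":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def signature_value_text(xml: str) -> str:
    """Return the raw text node of ds:SignatureValue, whitespace included."""
    node = ET.fromstring(xml).find(f".//{DS}SignatureValue")
    if node is None or node.text is None:
        raise ValueError("no ds:SignatureValue in document")
    return node.text


def has_line_breaks(xml: str) -> bool:
    """True when the base64 is wrapped (CR or LF inside the element)."""
    return any(c in signature_value_text(xml) for c in "\r\n")


def decoded_signature_length(xml: str) -> int:
    """Byte length of the signature after stripping all whitespace.

    256 bytes means an RSA-2048 key; a length that is not a whole key size
    would point at a truncated or corrupted capture rather than wrapping.
    """
    compact = re.sub(r"\s+", "", signature_value_text(xml))
    return len(base64.b64decode(compact, validate=True))


_SIGVAL = re.compile(
    r"(<(?:[\w.-]+:)?SignatureValue\b[^>]*>)([^<]*)(</(?:[\w.-]+:)?SignatureValue>)"
)


def normalize_signature_value(xml: str) -> str:
    """Return the document with the signature base64 collapsed onto one line.

    Done textually rather than by re-serializing the tree so that nothing
    outside the SignatureValue element changes. The enveloped-signature
    transform removes ds:Signature before digesting, so whitespace inside
    SignatureValue never affects the reference digest; this is the form the
    signer emits when ignoreLineBreaks=true is in effect.
    """
    return _SIGVAL.sub(
        lambda m: m.group(1) + re.sub(r"\s+", "", m.group(2)) + m.group(3), xml
    )


if __name__ == "__main__":
    posted = encode_saml_request(SAMPLE_AUTHN_REQUEST, "POST")
    xml = decode_saml_request(posted, "POST")
    print("wrapped SignatureValue:", has_line_breaks(xml))
    print("signature bytes:", decoded_signature_length(xml))
    print("wrapped after normalizing:", has_line_breaks(normalize_signature_value(xml)))
```

To run it against a real capture, paste the SAMLRequest value from the browser's POST body (or the query string, with binding "REDIRECT") into decode_saml_request. One thing the thread does not spell out but which explains the two attempts: the property that worked, org.apache.xml.security.ignoreLineBreaks, is read by the standalone Apache Santuario library, while com.sun.org.apache.xml.internal.security.ignoreLineBreaks is read only by the copy of that library bundled inside the JDK, so it has no effect on an application that ships its own Santuario jar.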