Keycloak: OIDC auth working but SAML fails with Internal Server Error or Invalid Requester
-
I was able to configure Keycloak with OIDC without any issue.
We also have a working SAML configuration for our vcloud, so we know our setup should be working.
However, with XOA we fail whatever settings we use.
If we use Client Signature and copy the public key into the appropriate field in XOA, we get Invalid Requester in Keycloak and an Invalid_Signature error.
If we disable Client Signature, we reach the authentication page and can log in; however, when we are redirected to /signin/saml/callback we get an Internal Server Error and in the XO logs we have the following:
Feb 25 16:51:24 XEN-ORCHESTRA xo-server[49969]: Error: Invalid signature
Feb 25 16:51:24 XEN-ORCHESTRA xo-server[49969]: at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202501241022/node_modules/passport-saml/src/node-saml/saml.ts:792:17)
Feb 25 16:51:24 XEN-ORCHESTRA xo-server[49969]: at processTicksAndRejections (node:internal/process/task_queues:95:5)
I found an old topic from 2022 with someone being able to make it work with Keycloak, but the user has not been active since then and did not indicate how he made it work.
When I check the SAML request and response, they both look fine and I can see my user shown in the NameID field.
The only issue seems to be the expected signature in Xen Orchestra. Couldn't find any guide for XOA & Keycloak online, sadly.
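A diagnostic I would add at this point (my own script, not XO's or Keycloak's code): passport-saml reports "Invalid signature" when the response signature does not verify with the certificate configured on the XO side, and the first thing to rule out is that the pasted certificate is not the one the IdP actually signed with. The script normalises a pasted certificate (with or without the BEGIN/END lines, with or without trailing newlines), extracts every ds:X509Certificate from a SAML Response and compares SHA-256 fingerprints; the response and certificate bytes are constructed stand-ins, and it assumes the IdP embeds its signing certificate in ds:KeyInfo.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample values: this is NOT a real certificate, just bytes
# standing in for the DER so the comparison logic can run offline.
FAKE_DER = b"constructed-stand-in-for-the-idp-signing-cert-der"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
PASTED_PEM = ("-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n"
              "-----END CERTIFICATE-----\n")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>
      {FAKE_B64}
    </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

def pem_to_der(text: str) -> bytes:
    """Accept a cert pasted with or without the BEGIN/END lines and with
    any line breaks or trailing newline; return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER, the usual way to compare two certificates."""
    return hashlib.sha256(der).hexdigest()

def certs_in_response(saml_xml: str) -> list:
    """Fingerprints of every ds:X509Certificate the IdP embedded in the
    response (assumption: the IdP includes X509Data inside ds:KeyInfo)."""
    root = ET.fromstring(saml_xml)
    return [fingerprint(pem_to_der(el.text or ""))
            for el in root.iter(DS + "X509Certificate")]

def compare_certs(saml_xml: str, configured_cert: str) -> dict:
    """Report whether the certificate configured on the SP side is the one
    that signed the response; a mismatch explains 'Invalid signature'
    before any XML-DSig canonicalisation is even attempted."""
    configured = fingerprint(pem_to_der(configured_cert))
    embedded = certs_in_response(saml_xml)
    return {"configured": configured, "in_response": embedded,
            "match": configured in embedded}
```

Paste the real Response (base64-decode the SAMLResponse POST field first) and the exact text from the XO certificate field; an empty in_response list means the IdP did not embed its certificate and the check has to be done against the IdP's metadata instead.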
-
@dsmteam
Make sure to enter a newline at the end of the certificate field. The SAML docs online are lacking, but I've written these instructions for Google Workspace SAML. Maybe this could help? And feel free to add to the docs if you happen to find a solution.
https://docs.xen-orchestra.com/users#google-workspace---saml-supportgooglecom
-
@probain Thanks, tried having a newline at the end with no luck. I think I had already found your guide, and I also tried adding the -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- lines, and a newline with or without the certificate lines, without luck.
When inspecting the SAML request and checking other Google research, I can see that the request doesn't have a signature like this: <ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1" />
I'm not sure if this is normal or not.
-
@dsmteam
Unfortunately this is the limit of what I know regarding SAML. The Google Workspace variant was cobbled together after many hours of experimenting. I wish you the best of luck. And if you do find a solution, please consider adding to the docs as well, as this is an area where we desperately need more comprehensive docs (as you're experiencing).
-
I'm starting to think that something is wrong.
Everywhere I check, I can see that the SAML request from the SP should have a signature of some sort.
It doesn't seem that there is anything of the sort in our case.
We are using the open-source version for preproduction and are waiting for a pro license (paperwork on its way), so maybe there is something wrong in the implementation?