I am currently trying to set up SSO with our Keycloak server as the IdP.
However, so far I have only dealt with OIDC, which EGroupware unfortunately does not support.
Now I have reached a point where I no longer know how to proceed.
With my current SAML configuration I am redirected back to the login page on every login attempt, that is, after I have been redirected back from the IdP.
In addition I get a log that I unfortunately do not understand:
2023/04/28 11:01:23 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [aa77ee665f] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set. Make sure to set SimpleSAMLphp's cookie name with a value not used by any other applications.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Session: 'default-sp' not valid because we are not authenticated.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Saved state: '_ca5082d97e391239c3681c2b12b2020bd0e5570a36'PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Sending SAML 2 AuthnRequest to 'https://id.example.com/realms/test'PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Sending message:PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ca5082d97e391239c3681c2b12b2020bd0e5570a36" Version="2.0" IssueInstant="2023-04-28T11:01:23Z" Destination="https://id.example.com/realms/test/protocol/saml" AssertionConsumerServiceURL="https://team.example.com/egroupware/saml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] <saml:Issuer>https://team.example.com/egroupware/saml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] </samlp:AuthnRequest>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Redirect to 1234 byte URL: 
https://id.example.com/realms/test/protocol/saml?SAMLRequest=nVJNbxoxEP0rK98Xe70lAQuQaFAUpLRFgeTQS2XWE7Dkj61n3KT%2Fvstuo5IeOORk
2023/04/28 11:01:24 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: PHP Warning: Constant EGW_SERVER_ROOT already defined in /var/lib/egroupware/header.inc.php on line 16PHP message: PHP Warning: Constant EGW_INCLUDE_ROOT already defined in /var/lib/egroupware/header.inc.php on line 19PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Received message:PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://team.example.com/egroupware/saml/module.php/saml/sp/saml2-acs.php/default-sp" ID="ID_72663c4c-1bf1-4fc3-a21e-bfaf0ed5cde4" InResponseTo="_ca5082d97e391239c3681c2b12b2020bd0e5570a36" IssueInstant="2023-04-28T11:01:23.388Z" Version="2.0">PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <saml:Issuer>https://id.example.com/realms/test</saml:Issuer>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:SignedInfo>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:Reference URI="#ID_72663c4c-1bf1-4fc3-a21e-bfaf0ed5cde4">PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:Transforms>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>PHP message: %d
2023/04/28 11:01:24 [error] 25#25: *3285 FastCGI sent in stderr: "ssage: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </saml:AuthnContext>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </saml:AuthnStatement>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <saml:AttributeStatement>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <saml:Attribute FriendlyName="username" Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">toehring</saml:AttributeValue>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </saml:Attribute>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </saml:AttributeStatement>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </saml:Assertion>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] </samlp:Response>PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Loading state: '_ca5082d97e391239c3681c2b12b2020bd0e5570a36'PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Received SAML2 Response from 'https://id.example.com/realms/test'.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Has 1 candidate keys for validation.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Validation with key #0 succeeded.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Has 1 candidate keys for validation.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Validation with key #0 failed without exception.PHP message: %date{%b %d %H:%M:%S} simplesamlphp 
DEBUG [948
2023/04/28 11:01:24 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set. Make sure to set SimpleSAMLphp's cookie name with a value not used by any other applications.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'" while reading response header from upstream, client: 172.18.0.13, server: _, request: "GET /egroupware/login.php?passwd_type=text&account_type=u&auth%3Dsaml=Keycloak&login=&passwd=&2fa_code=&logindomain=default&auth=saml HTTP/1.1", upstream: "fastcgi://192.168.240.2:9000", host: "team.example.com"
2023/04/28 11:01:25 [error] 23#23: *3289 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set. Make sure to set SimpleSAMLphp's cookie name with a value not used by any other applications.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'" while reading response header from upstream, client: 172.18.0.13, server: _, request: "GET /egroupware/login.php?cd=10&phpgw_forward=%252Fapi%252Fimages.php%253Ftemplate%253Dpixelegg%26etag%253D62092d8509f8da0951b5a31b34f96763 HTTP/1.1", upstream: "fastcgi://192.168.240.2:9000", host: "team.example.com", referrer: "https://team.example.com/egroupware/login.php?passwd_type=text&account_type=u&auth%3Dsaml=Keycloak&login=&passwd=&2fa_code=&logindomain=default&auth=saml"
2023/04/28 11:01:25 [error] 23#23: *3290 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set. Make sure to set SimpleSAMLphp's cookie name with a value not used by any other applications.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'" while reading response header from upstream, client: 172.18.0.13, server: _, request: "GET /egroupware/login.php?cd=10&phpgw_forward=%252Fapi%252Fconfig.php%253Fetag%253Dc861fb5c45c87372ac0f0dee9fcfeeeb HTTP/1.1", upstream: "fastcgi://192.168.240.2:9000", host: "team.example.com", referrer: "https://team.example.com/egroupware/login.php?passwd_type=text&account_type=u&auth%3Dsaml=Keycloak&login=&passwd=&2fa_code=&logindomain=default&auth=saml"
2023/04/28 11:01:25 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set. Make sure to set SimpleSAMLphp's cookie name with a value not used by any other applications.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Session: Valid session found with 'default-sp'" while reading response header from upstream, client: 172.18.0.13, server: _, request: "GET /egroupware/login.php?cd=10&phpgw_forward=%252Fapi%252Fuser.php%253Fuser%253D%26lang%253Den%26etag%253D1ff4e25dc09c9fb5251a5634d6d697bc HTTP/1.1", upstream: "fastcgi://192.168.240.2:9000", host: "team.example.com", referrer: "https://team.example.com/egroupware/login.php?passwd_type=text&account_type=u&auth%3Dsaml=Keycloak&login=&passwd=&2fa_code=&logindomain=default&auth=saml"
id.example.com is a Keycloak instance on the latest version.
team.example.com is the EGroupware instance.
Here is my SAML config again:
It may well be that I have misconfigured something here, but the whole thing is not exactly well documented, so I have no point of reference.
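One way to make sense of that log, as an added example that is not part of the original post: a small Python script that splits nginx's concatenated FastCGI stderr lines back into individual SimpleSAMLphp messages and flags the two symptoms visible above, the session cookie name collision and the lost AuthnRequest state (which is why the IdP's response is processed as unsolicited). The log sample is constructed and shortened from the post's lines.

```python
import re

# Constructed sample: two nginx FastCGI stderr lines shaped like the post's log
# (shortened; request ids and messages mirror the ones in the post).
SAMPLE_LOG = """\
2023/04/28 11:01:23 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [aa77ee665f] There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Saved state: '_ca5082d97e391239c3681c2b12b2020bd0e5570a36'PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [aa77ee665f] Sending SAML 2 AuthnRequest to 'https://id.example.com/realms/test'
2023/04/28 11:01:24 [error] 25#25: *3285 FastCGI sent in stderr: "PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Loading state: '_ca5082d97e391239c3681c2b12b2020bd0e5570a36'PHP message: %date{%b %d %H:%M:%S} simplesamlphp WARNING [948d68cf84] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.PHP message: %date{%b %d %H:%M:%S} simplesamlphp DEBUG [948d68cf84] Validation with key #0 succeeded.
"""

# nginx glues every PHP stderr message into one line; split on the "PHP message: " prefix.
MSG_RE = re.compile(r"PHP message: (.*?)(?=PHP message: |$)")
# SimpleSAMLphp message shape: "... simplesamlphp LEVEL [request-id] text"
SSP_RE = re.compile(r"simplesamlphp (\w+) \[([0-9a-f]+)\] (.*)")


def split_messages(line):
    """Split one nginx FastCGI stderr line into its individual PHP messages."""
    return [m.group(1) for m in MSG_RE.finditer(line)]


def parse_ssp(log_text):
    """Return (level, request_id, text) for every SimpleSAMLphp message in the log."""
    out = []
    for line in log_text.splitlines():
        for msg in split_messages(line):
            m = SSP_RE.search(msg)
            if m:
                out.append((m.group(1), m.group(2), m.group(3).strip()))
    return out


def diagnose(log_text):
    """Map the log to the SimpleSAMLphp failure modes it shows, as sorted tags."""
    findings, saved, loaded = set(), set(), set()
    for _level, _rid, text in parse_ssp(log_text):
        if "same name as SimpleSAMLphp's session" in text:
            findings.add("session_cookie_collision")
        if "NOSTATE" in text:
            findings.add("state_lost_unsolicited_response")
        if m := re.search(r"Saved state: '([^']+)'", text):
            saved.add(m.group(1))
        if m := re.search(r"Loading state: '([^']+)'", text):
            loaded.add(m.group(1))
    # The SP saved the AuthnRequest state, then could not find it when the
    # response came back: the session holding the state was lost in between.
    if loaded & saved and "state_lost_unsolicited_response" in findings:
        findings.add("state_saved_then_lost")
    return sorted(findings)
```

When the state saved before the redirect cannot be loaded on return, the SP has lost the session that held it, which is exactly what the cookie-name warning points to; giving SimpleSAMLphp its own cookie name via session.phpsession.cookiename, one EGroupware does not use, is the first thing to check.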