Question
I'm trying to integrate Terraform Enterprise with Keycloak using SAML for SSO. I'm following the IdP-initiated authentication workflow. After successful authentication, the redirect from Keycloak to TFE is running into the following error.
2020-03-30 22:51:06 [DEBUG] [b71be8e2-8e60-4077-9610-42519931802e] saml: Auth errors: https://{my-tfe-host}/users/saml/metadata is not a valid audience for this Response - Valid audiences: terraform
2020-03-30 22:51:06 [INFO] [b71be8e2-8e60-4077-9610-42519931802e] {"method":"POST","path":"/","format":"html","status":500,"error":"Exceptions::Saml::ConfigurationError: https://{my-tfe-host}/users/saml/metadata is not a valid audience for this Response - Valid audiences: terraform","duration":33.9,"view":0.0,"db":1.25,"uuid":"b71be8e2-8e60-4077-9610-42519931802e","remote_ip":"22.247.0.16, 22.85.2.229","request_id":"b71be8e2-8e60-4077-9610-42519931802e","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0","user":null}
2020-03-30 22:51:06 [FATAL] [b71be8e2-8e60-4077-9610-42519931802e]
Exceptions::Saml::ConfigurationError (https://{my-tfe-host}/users/saml/metadata is not a valid audience for this Response - Valid audiences: terraform):
app/service-objects/saml/error_manager.rb:4:in `handle'
app/controllers/concerns/has_authentication.rb:113:in `current_user'
app/controllers/application_controller.rb:51:in `not_found'
app/middleware/attach_rate_limit_headers.rb:11:in `call'
app/middleware/catch_json_parse_errors.rb:10:in `call'
app/middleware/log_started_request.rb:17:in `call'
While looking up the above audience configuration error in the TFE/Keycloak documentation as well as online, I couldn't find any specific solution except updating the audience URL from TFE in Keycloak, but nothing about how and where to update it in Keycloak.
I have created a new realm 'terraform' and a client under this realm in Keycloak with the following properties under the 'Settings' section:
Client ID: terraform
Client Protocol: SAML
Name ID Format: email
IDP Initiated SSO URL Name: terraform
Assertion Consumer Service POST Binding URL: https://{my-tfe-host}/users/saml/auth
Assertion Consumer Service Redirect Binding URL: <blank>
Root URL: <blank>
Valid Redirect URIs: <blank>
Base URL: <blank>
Master SAML Processing URL: <blank>
IDP Initiated SSO Relay State: <blank>
Logout Service POST Binding URL: <blank>
Logout Service Redirect Binding URL: <blank>
I see the following IdP configuration available in TFE, but I'm not sure how and where to set it in Keycloak.
ACS Consumer (Recipient) URL: https://{my-tfe-host}/users/saml/auth
Metadata (Audience) URL: https://{my-tfe-host}/users/saml/metadata
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Single Sign-On URL: https://{my-keycloak-host}/auth/realms/terraform/protocol/saml/clients/terraform
Single Log-Out URL: https://{my-keycloak-host}/auth/realms/terraform/protocol/saml
IDP Certificate: {my-x509-certificate}
Username Attribute Name: username
Site Admin Attribute Name: SiteAdmin
All other properties are left at their defaults.
Please let me know if any additional information is needed to understand the issue better. Any help or pointers to fix this would be highly appreciated. Thank you.
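The error in the question is an AudienceRestriction mismatch: TFE's "Metadata (Audience) URL" is its SP entity ID, and it rejects any assertion whose <saml:Audience> does not list that URL, while Keycloak puts the client ID ("terraform") into the Audience by default, which is exactly what the log reports. The script below is an added example, not code from the question, from Terraform Enterprise or from Keycloak; it performs the same audience check an SP does over a constructed, minimal SAML Response, so you can see the failing case (Audience "terraform") next to the passing one (Audience equal to the TFE metadata URL). The response XML, hostnames and timestamps are constructed placeholders, and the parser is the standard library one; a production SP must verify the assertion signature and validity window before trusting anything in it.

```python
"""Check a SAML Response's AudienceRestriction against the SP entity ID.

Added example, not part of the Stack Overflow question or of TFE/Keycloak.
It reproduces the audience validation that produced the error in the log.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# SAML 2.0 namespaces used by the Response and the embedded Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned, unencrypted Response (placeholder hosts/timestamps).
# Real responses carry a Signature and attributes; only Conditions matter here.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-03-30T22:51:06Z"
    Destination="https://{my-tfe-host}/users/saml/auth">
  <saml:Issuer>https://{my-keycloak-host}/auth/realms/terraform</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-03-30T22:51:06Z">
    <saml:Issuer>https://{my-keycloak-host}/auth/realms/terraform</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-03-30T22:50:06Z" NotOnOrAfter="2020-03-30T22:56:06Z">
      <saml:AudienceRestriction>
        <saml:Audience>__AUDIENCE__</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The SP entity ID TFE advertises as "Metadata (Audience) URL".
TFE_ENTITY_ID = "https://{my-tfe-host}/users/saml/metadata"


def build_response(audience: str) -> str:
    """Render the constructed Response with the given Audience value."""
    return RESPONSE_TEMPLATE.replace("__AUDIENCE__", audience)


def audiences_of(response_xml: str) -> List[str]:
    """Collect every <saml:Audience> under the assertion's Conditions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(response_xml: str, sp_entity_id: str) -> Tuple[bool, List[str]]:
    """Return (accepted, audiences). Fails closed: an assertion without any
    AudienceRestriction is rejected, since it cannot be bound to this SP."""
    audiences = audiences_of(response_xml)
    return (sp_entity_id in audiences, audiences)


def explain(accepted: bool, audiences: List[str], sp_entity_id: str) -> str:
    """Format the verdict the way the TFE log line in the question does."""
    if accepted:
        return f"{sp_entity_id} is a valid audience for this Response"
    listed = ", ".join(audiences) if audiences else "<none>"
    return (f"{sp_entity_id} is not a valid audience for this Response"
            f" - Valid audiences: {listed}")


if __name__ == "__main__":
    # Keycloak's default (client ID as audience) versus the value TFE expects.
    for audience in ("terraform", TFE_ENTITY_ID):
        ok, seen = check_audience(build_response(audience), TFE_ENTITY_ID)
        print(explain(ok, seen, TFE_ENTITY_ID))
```

Running it prints the same rejection text as the log for the "terraform" audience and an acceptance for the metadata URL. The practical takeaway is that whatever is configured on the Keycloak side must make the assertion's Audience equal the TFE metadata URL, and a captured (decoded) response can be dropped into `check_audience` to confirm a change before retrying the IdP-initiated login.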
Source: https://stackoverflow.com/questions/60943587/terraform-enterprise-integration-with-keycloak-using-saml