Sign in to your account with SAML integration resulting in "Unexpected error when authenticating with identity provider" and no error found on logs.

[valeriob]

Area

saml

Describe the bug

Hi,
i'm trying to integrate with a SAML endpoint exposed by Microsoft Active Directory.

1. I press "Or sign in with" the configured SAML provider in the login form
2. I get redirrected to the AD login page, enter the credentials, and get redirrected back to keycloack page that you see in the image.
   
   Problem is there is no trace of such error in the logs so that i can diagnose what the issue is.

I'm running keycloak 20.1 with logging enabled :
.\bin\kc.bat start-dev --log-level=DEBUG --log=file

Thanks
Valerio

Version

20.1

Expected behavior

Finding the details of the error in the log so that i can fix the problem.

Actual behavior

The log does not contain any reference to any error.

How to Reproduce?

see above.

Anything else?

No response

[lexcao]

Hi, there are not enough logs that I could help with.

Here is an approach to help you record some logs:

1. redirected to the AD login page
2. enter the credentials
3. get redirected back
4. open the browser console of the Network tab
5. click the callback request from MS AD
6. then you will see a long base64 SAML response

[valeriob]

Thanks,
i guess i'll have to investigate "InvalidNameIDPolicy" then :D

   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
      </samlp:StatusCode>
   </samlp:Status>