500 response when Keycloak receives a SAML LogoutResponse

Hi,

I have been using Keycloak 23.0.7 with Shibboleth IdP 5.0.0 as an IdP broker, and it works perfectly fine for both login and logout flows.

But when I upgraded to the latest Shibboleth 5.1.0, the logout flow broke, with Keycloak returning a 500 when it got the LogoutResponse with the status code urn:oasis:names:tc:SAML:2.0:status:Success. There is no visible difference between the 5.0.0 and 5.1.0 Shib messages, but obviously there is something that differs.

I have turned on trace logging for org.keycloak.saml, and it shows the SAML messages that Keycloak receives. The only difference I see between the two versions is that in 5.1.0 there is an additional line saying SAML POST Binding. That line is not present when I use the 5.0.0 version.

I get the following in Keycloak:

2024-03-17 13:13:50,803 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-10) SAML POST Binding
2024-03-17 13:13:50,804 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-10) <?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="… removed by me …

2024-03-17 13:13:50,815 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-10) Uncaught server error: java.lang.ClassCastException: class org.keycloak.dom.saml.v2.protocol.StatusResponseType cannot be cast to class org.keycloak.dom.saml.v2.protocol.RequestAbstractType (org.keycloak.dom.saml.v2.protocol.StatusResponseType and org.keycloak.dom.saml.v2.protocol.RequestAbstractType are in unnamed module of loader io.quarkus.bootstrap.runner.RunnerClassLoader @3c679bde)

2024-03-17 13:13:50,815 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-10) Uncaught server error: java.lang.ClassCastException: class org.keycloak.dom.saml.v2.protocol.StatusResponseType cannot be cast to class org.keycloak.dom.saml.v2.protocol.RequestAbstractType (org.keycloak.dom.saml.v2.protocol.StatusResponseType and org.keycloak.dom.saml.v2.protocol.RequestAbstractType are in unnamed module of loader io.quarkus.bootstrap.runner.RunnerClassLoader @3c679bde)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlRequest(SAMLEndpoint.java:287)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:281)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:193)
at org.keycloak.broker.saml.SAMLEndpoint$quarkusrestinvoker$postBinding_e2ae3e4e98121b36952f2279cd4bb60100612099.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)

So there is obviously something that differs. Any suggestions on which Java packages to increase the log level for, to try to get more info on where the culprit is, would be greatly appreciated. Or if you have any other ideas.

Thanks a lot,

Tomas
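
The stack trace above shows a StatusResponseType (the LogoutResponse) being processed in handleSamlRequest, and the SAML HTTP-POST binding carries requests in a form field named SAMLRequest and responses in one named SAMLResponse. The following is an added diagnostic example, not part of the original post and not Keycloak or Shibboleth code: it decodes a captured POST body and reports whether the field name matches the message type. The function names and sample bodies are constructed for illustration, and whether such a mismatch is the cause here is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Form field the SAML HTTP-POST binding uses for each protocol message type.
EXPECTED_FIELD = {
    "AuthnRequest": "SAMLRequest", "LogoutRequest": "SAMLRequest",
    "Response": "SAMLResponse", "LogoutResponse": "SAMLResponse",
}


def inspect_post_body(form_body: str) -> dict:
    """Compare the SAML form field name with the root element it carries."""
    fields = parse_qs(form_body, keep_blank_values=True)
    present = [f for f in ("SAMLRequest", "SAMLResponse") if f in fields]
    if len(present) != 1:
        raise ValueError(f"expected exactly one SAML field, found {present}")
    field = present[0]
    xml_bytes = base64.b64decode(fields[field][0], validate=True)
    # Captured messages are untrusted input: refuse DTDs before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML message, refusing to parse")
    root = ET.fromstring(xml_bytes)
    ns, _, local = root.tag.lstrip("{").rpartition("}")
    if ns != SAMLP_NS or local not in EXPECTED_FIELD:
        raise ValueError(f"unexpected root element {root.tag}")
    return {"field": field, "root": local,
            "expected_field": EXPECTED_FIELD[local],
            "consistent": EXPECTED_FIELD[local] == field}


def sample_form(field: str, element: str) -> str:
    """Build a constructed POST body (not a real capture) for the demo."""
    xml = (f'<saml2p:{element} xmlns:saml2p="{SAMLP_NS}" '
           f'ID="_constructed" Version="2.0"/>')
    value = base64.b64encode(xml.encode()).decode()
    return urlencode({field: value, "RelayState": "constructed"})


if __name__ == "__main__":
    # A LogoutResponse in the right field, then the same message in SAMLRequest.
    for field in ("SAMLResponse", "SAMLRequest"):
        print(inspect_post_body(sample_form(field, "LogoutResponse")))
```

To use it on a real capture, pass the raw URL-encoded request body from the browser's network tab or a proxy log for the POST to the broker endpoint.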