Logging in directly from Okta SAML SSO app throws Invalid Request

vickycsw · April 27, 2023, 1:12pm

I am trying to set up SSO with Okta as Idp and Keycloak SP via SAML. I am getting below error when clicking on the Okta app

18:32:30,975 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=CSW-Dev, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_request

Keycloak Version: 18.0.0

Attaching the SAML response

<saml2p:Response
  Destination="http://localhost:8080/auth/realms/CSW-Dev/broker/oktasaml/endpoint"
  ID="id4960811792503522625392951"
  IssueInstant="2023-04-27T13:02:28.632Z"
  Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk56g1nzvQapjXZS697</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference
        URI="#id4960811792503522625392951">
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces
              PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>V/dcZ0E7ClChzON3GFqvHiJpia2uRzCjrUdvfEryxPU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>TgNK38Hxc7IAao2isDKD6MSz6sSHdgZhkN36mPebZ2CqkrO5SJaAcpGZUQO0aUKmXS2yxO+hzcwjGF54l+Y5PIK0nDahNU2STtu7bPQXQWMqH38Rbw7dqCVrlg8Fd8oDS1F3B3ORQ6JO1sNlm6xyS5oIs/nKp1mcEhn2aAmKZrn5atygOMsKXTZkFf97CpW9odXWqR5bvwhssBv6gECJz4bDT6UCeXrROCkMmzh5Uy+Lktb3AOHCYVQH07BaNZv8EAL+Xnu2Phzixr2qaI7IeeMCVFaI+OdaC1q8Rffp1/zUjAk2TY+FY/ScyhOGRaHzPwyKK5JUTzBqFiv0biFzpQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYfCwFIcMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXRyaWFsLTMxMTI4MzUxHDAaBgkqhkiG9w0B
CQEWDWluZm9Ab2t0YS5jb20wHhcNMjMwNDI3MTI0NTM2WhcNMzMwNDI3MTI0NjM2WjCBlTELMAkG
A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA10cmlhbC0zMTEyODM1
MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAshCe+xTpxtjKEwIid9cucNaoCyMDYvBoEh9k+PjwpO7KH2Ar9YAPFUMwgv6lOorbBcU9
ZVNUDsba8rGFbYiJDQtdKEbPzRL1pbMzJJyDW8PNpFmTshmItvq151SlIaxIltIfBP/MPXvJdnEK
V/yI7lqvUicEMl3ErBpQIYOuIhAXLoeBMiUGQtIs33rXxMm0LqLyujnR4f74mFuDaql71nVkrE3A
7Cu9S6b7cCBoSBYY5QZcJ/hAtIbj/QCa7R4n55Cl2Eu/G5ZvmB4qOeP9fhX3oM9knYTcT0q9dX8o
o/nOJVfNKFjOuk5b1bnWcby6OL32IEGqbWCX2DXIWsdwLQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
AQAJ/AC6e9DLArV1QmkeKJOBmtLG9n6ssmEylM8doDq94AumqFFxQv+6w+SnNyeUsxQyHKu2VlrY
oZMQ1Xu/1frR19d4mq24C5KoBRPV7Kb0QC+ydry51+0cLOFWMxXrCXNubw8JfFKKDsZAlLXS8a7k
cYWutwGLhb3xWjlb+mhhbYyeXMVzwOeiNFaafl7iN28jWqmCYnoxl3jOgHD4ipbmEcEhM+DUPD0s
VykfIMzb/mbl37oyAumovS5VoRWC4V5iT5L/UTL4gJS7p0VdkaXTkx/cfpOPtVa4NiVjZcUb5rNg
qmxcJFeulJj39sCtRmwv3l5TqMPA9VdQiY1Purmr</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode
      Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion
    ID="id4960811792664654511713917"
    IssueInstant="2023-04-27T13:02:28.632Z"
    Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk56g1nzvQapjXZS697</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod
          Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference
          URI="#id4960811792664654511713917">
          <ds:Transforms>
            <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces
                PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>/55iOKIJfe8DC39rtLn64GOFBOsjfEz8DIQDDTpgQZ0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>CtXuWfSYzJ1QYYJ4KemyGSaV8FXydwJoVCH5wq5UZjrwIogRWGSNteLtCk8aXoACDErN5cfZkfVk1tM8ZwvpZ57jpD60D3F2Y4jtwQEJJHWGl+JVggdv5d1toFiHLTodaFAT0JyyGwz2hqDo/wGhDtoJ+GEo0qYY/Sfau3ZDV+ytsl6TX7yGKL3sQ3+MVXXy1vWH1y7lRVk8LXH36DJ0VigW1Z9JymmQhdsg+6QGMQy/mi6MxikbhSKFLjbcuTKEQbRpJkioedJi2jidIIGmdQqrBPgV+DG6NU6aS2oTHOouGZdDYR1OgGAeifBm+jBbOiCIWecxmXYl+z0wnk+bfg==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYfCwFIcMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXRyaWFsLTMxMTI4MzUxHDAaBgkqhkiG9w0B
CQEWDWluZm9Ab2t0YS5jb20wHhcNMjMwNDI3MTI0NTM2WhcNMzMwNDI3MTI0NjM2WjCBlTELMAkG
A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA10cmlhbC0zMTEyODM1
MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAshCe+xTpxtjKEwIid9cucNaoCyMDYvBoEh9k+PjwpO7KH2Ar9YAPFUMwgv6lOorbBcU9
ZVNUDsba8rGFbYiJDQtdKEbPzRL1pbMzJJyDW8PNpFmTshmItvq151SlIaxIltIfBP/MPXvJdnEK
V/yI7lqvUicEMl3ErBpQIYOuIhAXLoeBMiUGQtIs33rXxMm0LqLyujnR4f74mFuDaql71nVkrE3A
7Cu9S6b7cCBoSBYY5QZcJ/hAtIbj/QCa7R4n55Cl2Eu/G5ZvmB4qOeP9fhX3oM9knYTcT0q9dX8o
o/nOJVfNKFjOuk5b1bnWcby6OL32IEGqbWCX2DXIWsdwLQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
AQAJ/AC6e9DLArV1QmkeKJOBmtLG9n6ssmEylM8doDq94AumqFFxQv+6w+SnNyeUsxQyHKu2VlrY
oZMQ1Xu/1frR19d4mq24C5KoBRPV7Kb0QC+ydry51+0cLOFWMxXrCXNubw8JfFKKDsZAlLXS8a7k
cYWutwGLhb3xWjlb+mhhbYyeXMVzwOeiNFaafl7iN28jWqmCYnoxl3jOgHD4ipbmEcEhM+DUPD0s
VykfIMzb/mbl37oyAumovS5VoRWC4V5iT5L/UTL4gJS7p0VdkaXTkx/cfpOPtVa4NiVjZcUb5rNg
qmxcJFeulJj39sCtRmwv3l5TqMPA9VdQiY1Purmr</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">yyyyyyy</saml2:NameID>
      <saml2:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
          NotOnOrAfter="2023-04-27T13:07:28.633Z"
          Recipient="http://localhost:8080/auth/realms/CSW-Dev/broker/oktasaml/endpoint" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions
      NotBefore="2023-04-27T12:57:28.633Z"
      NotOnOrAfter="2023-04-27T13:07:28.633Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://localhost:8080/auth/realms/CSW-Dev</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement
      AuthnInstant="2023-04-27T12:49:59.637Z"
      SessionIndex="id1682600548631.1494696607" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute
        Name="lastName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">Rajendran</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute
        Name="firstName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">******/saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response> ```

Topic		Replies	Views
Keycloak behind load balancer raises invalid_saml_response Getting advice	0	422	April 13, 2022
Erro integration SAML OKTA + KEYCLOAK saml	0	198	December 15, 2023
SSO Keycloak as SP GSuite as IDP, invalid request error Getting advice identity-brokering , saml	0	431	January 19, 2021
Keycloak as SP for SAML IDP Configuring the server saml	13	18904	October 9, 2025
Custom Application -> Keycloak Identity Brokering -> Okta Authentication	1	670	October 21, 2021

Logging in directly from Okta SAML SSO app throws Invalid Request

Related topics