Hello Ivan,

Thanks for your response. To be honest, I am a novice in SAML at the moment 
but have managed to hook Keycloak to AWS using some tutorials :).

I have tried turning off signing and encryption in Keycloak and configured 
the parameters below after googling.

<https://lh3.googleusercontent.com/-6zvBoj1nEqQ/Woqn4KUZyAI/AAAAAAAACKc/uxzHe3V4FKA8IMIlJuKmyEX_A-330Ge2wCLcBGAs/s1600/2018-02-19_21-32-07.png>

This is my IdP metadata as configured in Jenkins:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="http://13.211.108.58/auth/realms/amp"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>-3exGGnBkt9XwDMBUwkkkXg2JYGXg-_YAcr5gwYTSN0</dsig:KeyName>
        <dsig:X509Data>
          <!-- base64 certificate omitted -->
          <dsig:X509Certificate>...</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>

I have configured this as below:

<https://lh3.googleusercontent.com/-VwFtx-edyzw/WoqoXYOKEmI/AAAAAAAACKk/AkaOIM-S2w0zEQM8GNQzsz064DJayBEIwCLcBGAs/s1600/2018-02-19_21-34-58.png>


Could you please have a quick look and let me know where I am going 
wrong? The above configuration in Jenkins results in this stack trace:

org.pac4j.saml.exceptions.SAMLException: Identity provider has no single sign on service available for the selected profileorg.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorImpl@3ce818f6
	at org.pac4j.saml.context.SAML2MessageContext.getIDPSingleSignOnService(SAML2MessageContext.java:93)
	at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:70)
	at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:34)


Thanks in advance.


Regards



On Monday, 19 February 2018 05:50:36 UTC+11, Ivan Fernandez Calvo wrote:
>
> >How can I add the IDP public key to my keystore and how to configure 
> jenkins to decode saml message with the key in the keystore ?
>
> The IdP key should be in the IdP metadata, as described in 
> https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf
> If you are generating the IdP metadata manually, you can use this 
> tool: https://www.samltool.com/idp_metadata.php
>
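A check for the kind of metadata problem discussed in this thread, added here as an example; it is not code from the thread, from Jenkins or from pac4j. It parses IdP metadata the way an SP looks it up (a `SingleSignOnService` whose `Binding` matches the one the SP sends with, a signing certificate, clean `NameIDFormat` values) and also catches the stray `;` a mail client can glue onto quoted attributes. The sample metadata, its `idp.example` host and the certificate value are constructed placeholders; `sp_binding` stands for whatever binding the Jenkins SAML plugin is configured to use.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def check_idp_metadata(xml_text, sp_binding):
    """Return a list of findings; empty means an SP using sp_binding can use this IdP."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A ';' glued onto a quoted attribute by a mail client ends up here.
        return [f"metadata is not well-formed XML: {err}"]
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element in metadata"]
    findings = []
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    offered = sorted(e.get("Binding", "") for e in sso)
    if sp_binding not in offered:
        # This is the condition behind pac4j's "no single sign on service" exception.
        findings.append(f"no SingleSignOnService for {sp_binding}; offered: {offered}")
    cert_path = (f"{{{MD}}}KeyDescriptor/{{{DSIG}}}KeyInfo/"
                 f"{{{DSIG}}}X509Data/{{{DSIG}}}X509Certificate")
    if not any((c.text or "").strip() for c in idp.findall(cert_path)):
        findings.append("no X509Certificate in any KeyDescriptor; signed responses cannot be verified")
    for n in idp.findall(f"{{{MD}}}NameIDFormat"):
        text = n.text or ""
        if text != text.strip():  # a URN wrapped across lines will not compare equal
            findings.append(f"NameIDFormat {text.strip()!r} carries surrounding whitespace")
    return findings


# Constructed sample modelled on the thread's metadata; host and certificate are placeholders.
SAMPLE = f"""<EntityDescriptor entityID="http://idp.example/auth/realms/amp" xmlns="{MD}" xmlns:dsig="{DSIG}">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_POST}" Location="http://idp.example/auth/realms/amp/protocol/saml" />
    <KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data>
      <dsig:X509Certificate>MIIC...placeholder...</dsig:X509Certificate>
    </dsig:X509Data></dsig:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for binding in (HTTP_POST, HTTP_REDIRECT):
        print(binding.rsplit(":", 1)[1], check_idp_metadata(SAMPLE, binding))
```

The exception in the trace is what pac4j raises when no `SingleSignOnService` in the IdP descriptor matches the binding it was asked for, so metadata that only offers HTTP-POST fails the lookup for an SP configured to send with HTTP-Redirect.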

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/64276bab-fbda-4731-89ea-5699e6d93391%40googlegroups.com.