LDAP -> Keycloak migration

We are migrating from LDAP to Keycloak authentication.

I tried following the various documentation and am constantly hit with:
"We are sorry...

Invalid Request"

when Posit attempts to communicate with the Keycloak server.

From logfile:

time="2023-07-28T13:06:59.396Z" level=debug msg="SAML request received with path /login" region=saml
time="2023-07-28T13:06:59.410Z" level=warning msg="Warning: The configured IdP signing certificate is overridden by the specified metadata."
time="2023-07-28T13:06:59.411Z" level=debug msg="Found a SAML encryption key" region=saml
time="2023-07-28T13:06:59.411Z" level=debug msg="Creating authentication request" region=saml
time="2023-07-28T13:06:59.411Z" level=debug msg="Returning authentication request as redirect" region=saml

As shown by the comments in the SAML section of my rstudio-connect.gcfg, I've tried various iterations of the configuration as shown in the documentation.

rstudio-connect.gcfg
[SAML]
; SSOInitiated = IdP
IdPMetaDataURL = "https://key.kcc.tju.edu/realms/Posit/protocol/saml/descriptor"
; IdPAttributeProfile = default

; the unique identifier for a user over time
UniqueIdAttribute = NameID
; UniqueIdAttribute = GUID

NameIDFormat = persistent
; NameIDFormat = transient

UsernameAttribute = Username
FirstnameAttribute = FirstName
LastnameAttribute = LastName
EmailAttribute = Email
GroupsAttribute = Groups

IdPSigningCertificate = /etc/ssl/certs/TJH-CA.pem
SPEncryptionKey = /certs/skccapp02pa-private.pem
SPEncryptionCertificate = /certs/skccapp02pa.pem

; Enable this for a better user experience, unless
; managing a large number of groups is a concern:
GroupsAutoProvision = true
; When attempting to troubleshoot a problem relating to SAML,
; you can enable more verbose logging by enabling the following line
Logging = true

; IdPEntityID = "https://key.kcc.tju.edu/realms/Posit"
; IdPEntityID = "https://key.kcc.tju.edu/realms/Posit/protocol/saml/descriptor"
; IdPSingleSignOnServiceURL = https://key.kcc.tju.edu/login
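A check worth running before trying further guesses at IdPEntityID and IdPSingleSignOnServiceURL: fetch the document that IdPMetaDataURL points to and compare the entityID, SingleSignOnService locations, NameID formats and signing certificate it publishes with what the [SAML] section hard-codes. The script below is an added example, not code from the original post or from Posit or Keycloak; the metadata XML, host names and config values in it are constructed placeholders, and the only key names it reads (IdPEntityID, IdPSingleSignOnServiceURL, NameIDFormat) are the ones that appear in the post's config.

```python
"""Cross-check a gcfg [SAML] section against the SAML 2.0 IdP metadata it points to.

Added example, not from the original post or from Posit/Keycloak. The metadata
and config text below are constructed placeholders shaped like a Keycloak realm
descriptor and a Connect-style [SAML] section.
"""
import configparser
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata (placeholder host, placeholder certificate).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/realms/Posit">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/Posit/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/realms/Posit/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample config mirroring the kind of guesses in the post: the entity ID
# points at the descriptor URL and the SSO URL is a generic /login path.
SAMPLE_CONFIG = """
[SAML]
IdPMetaDataURL = "https://idp.example.test/realms/Posit/protocol/saml/descriptor"
NameIDFormat = persistent
IdPEntityID = "https://idp.example.test/realms/Posit/protocol/saml/descriptor"
IdPSingleSignOnServiceURL = https://idp.example.test/login
"""


def parse_metadata(xml_text):
    """Extract the fields an SP needs from a SAML 2.0 IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing = [
        (kd.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # no 'use' attribute means both uses
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": [c for c in signing if c],
    }


def parse_config(text):
    """Read the [SAML] section of a gcfg-style file (';' comments, optional quotes)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {k: v.strip().strip('"') for k, v in cp["SAML"].items()}


def check(cfg, md):
    """Return mismatches between configured values and what the IdP publishes."""
    findings = []
    ent = cfg.get("IdPEntityID")
    if ent and ent != md["entity_id"]:
        findings.append(f"IdPEntityID {ent!r} != metadata entityID {md['entity_id']!r}")
    sso = cfg.get("IdPSingleSignOnServiceURL")
    if sso and sso not in md["sso"].values():
        findings.append(f"IdPSingleSignOnServiceURL {sso!r} not among SSO locations "
                        f"{sorted(set(md['sso'].values()))}")
    fmt = cfg.get("NameIDFormat")
    if fmt and not any(f == fmt or f.endswith(":" + fmt) for f in md["nameid_formats"]):
        findings.append(f"NameIDFormat {fmt!r} not offered by IdP: {md['nameid_formats']}")
    if not md["signing_certs"]:
        findings.append("metadata publishes no signing certificate; responses cannot be verified")
    if md["wants_signed_requests"]:
        findings.append("IdP declares WantAuthnRequestsSigned=true; the SP must sign its AuthnRequests")
    return findings


if __name__ == "__main__":
    for line in check(parse_config(SAMPLE_CONFIG), parse_metadata(SAMPLE_METADATA)):
        print("-", line)
```

To run it against a real deployment, replace SAMPLE_METADATA with the body returned by the configured IdPMetaDataURL and SAMPLE_CONFIG with the real [SAML] section. The point of the comparison is that values the IdP publishes in its metadata take precedence over hand-typed ones; the warning in the log about the configured IdP signing certificate being overridden by the metadata is the same behaviour applied to IdPSigningCertificate.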
