
I'm currently trying to set up keycloak to provide single sign on to a nextcloud and gitlab instance. All three services are running inside a docker compose network with an nginx server as proxy to each of them. I can browse to keycloak, nextcloud and gitlab and log in with the respective admin accounts fine. Only signing in via keycloak to nextcloud or gitlab is not possible.

When trying to log in to nextcloud via keycloak, the following saml request is sent:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_472a6a24a82cd8195e67727722780d428f21494f"
    Version="2.0"
    IssueInstant="2021-02-08T17:49:07Z"
    Destination="https://mydomain.de/auth/realms/master/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://www.mydomain.de/nextcloud/apps/user_saml/saml/acs">
    <saml:Issuer>https://www.mydomain.de/nextcloud/apps/user_saml/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        AllowCreate="true" />
</samlp:AuthnRequest>

The error logged by keycloak is

 (default task-3) org.keycloak.events.jpa.EventEntity{clientId=null, realmId=master, ipAddress=172.19.0.1, id=c640029f-d9d5-4141-a473-b3ef981b1347, sessionId=null, time=1612806547526, error=invalid_authn_request, type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}

What strikes me as odd is the value of ipAddress shown in the error 172.19.0.1, which is the IP of the docker compose network.

When trying to log in to gitlab via keycloak, the following saml request is sent:

<samlp:AuthnRequest AssertionConsumerServiceURL='https://mydomain.de/gitlab/users/auth/saml/callback'
                Destination='https://mydomain.de/auth/realms/master/protocol/saml'
                ID='_51172953-2b87-4c35-bde1-098aff31e7a9' IssueInstant='2021-02-08T16:48:03Z' Version='2.0'
                xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
                xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
<saml:Issuer>https://mydomain.de/gitlab</saml:Issuer>
<samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'/>
</samlp:AuthnRequest>

At least, keycloak gives the same error as when trying to log in to nextcloud.

The docker container for keycloak is set up as

FROM jboss/keycloak:latest
ENV PROXY_ADDRESS_FORWARDING=true

ENV KEYCLOAK_USER=*****
ENV KEYCLOAK_PASSWORD=*****

ENV KEYCLOAK_FRONTEND_URL=https://www.mydomain.de/auth

ENV DB_VENDOR=postgres
ENV DB_DATABASE=******
ENV DB_USER=*****
ENV DB_PASSWORD=*****
ENV DB_ADDR=*****

ENV KEYCLOAK_LOGLEVEL=TRACE
ENV ROOT_LOGLEVEL=TRACE

The respective service in the docker compose file is defined as

keycloak:
    build:
        context: ../container/keycloak
    depends_on:
    -   postgres
    volumes:
    -   "keycloak:/tmp"

Additionally, the reverse proxy configuration in nginx for the keycloak endpoint is

location /auth {
    proxy_pass         http://keycloak:8080;
    proxy_redirect     default;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Host   $host;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   $server_port;
    proxy_set_header    X-Forwarded-Proto  $scheme;
    proxy_http_version 1.1;
}

So, evidently, there is something I'm missing. The only hint I found so far is that invalid_destination indicates that the value of destination in the saml request is wrong. However, at least the URL is correct. My guess would be that keycloak expects its IP from the docker compose network instead of mydomain.de. However, I thought that

ENV PROXY_ADDRESS_FORWARDING=true

would solve this issue. I'm happy for any help I can get. If more information is needed, I will provide it ASAP.

Shelling
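An added diagnostic script (not part of the question, and not Keycloak's own validation code): it parses an AuthnRequest, derives the SAML endpoint an IdP would publish from a Keycloak-style frontend URL and realm, and reports which URL components of the Destination attribute differ. The sample request is the one from the question, embedded as constructed input; the rule that the endpoint is `<frontend>/realms/<realm>/protocol/saml` is an assumption about the layout shown in the question's own URLs.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET  # stdlib parser is fine for this trusted, constructed sample

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed input: the nextcloud AuthnRequest from the question.
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_472a6a24a82cd8195e67727722780d428f21494f"
    Version="2.0"
    IssueInstant="2021-02-08T17:49:07Z"
    Destination="https://mydomain.de/auth/realms/master/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://www.mydomain.de/nextcloud/apps/user_saml/saml/acs">
    <saml:Issuer>https://www.mydomain.de/nextcloud/apps/user_saml/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def expected_saml_endpoint(frontend_url: str, realm: str) -> str:
    """Assumed layout: the realm's SAML endpoint sits under <frontend>/realms/<realm>/protocol/saml."""
    return f"{frontend_url.rstrip('/')}/realms/{realm}/protocol/saml"


def extract_destination(authn_request_xml: str) -> str:
    """Return the Destination attribute of a samlp:AuthnRequest, failing loudly if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("AuthnRequest carries no Destination attribute")
    return dest


def check_destination(authn_request_xml: str, frontend_url: str, realm: str) -> list[str]:
    """List mismatching URL components (scheme, host, path); an empty list means the two agree."""
    got = urlsplit(extract_destination(authn_request_xml))
    want = urlsplit(expected_saml_endpoint(frontend_url, realm))
    problems = []
    for part in ("scheme", "netloc", "path"):
        if getattr(got, part) != getattr(want, part):
            problems.append(f"{part}: request has {getattr(got, part)!r}, IdP expects {getattr(want, part)!r}")
    return problems


if __name__ == "__main__":
    for problem in check_destination(AUTHN_REQUEST, "https://www.mydomain.de/auth", "master"):
        print(problem)
```

Run it against the frontend URL configured in the container and the realm from the Destination; every line printed is one component the IdP would see as not matching.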