Posted to users@cloudstack.apache.org by "Vogel, Sven" <Sv...@kupper-computer.com> on 2017/06/22 13:19:53 UTC

SAML / Keycloak (RH SSO) Authentication Problem

Hi Team, Hi Rohit,

We are trying to integrate Keycloak as our SAML IDP. We use CS 4.9.2.0.


1. We defined users in LDAP and imported them into Keycloak

2. Created an IDP with Keycloak and the http://XXXX:8080/client/api?command=getSPMetadata metadata information
Pictures:
https://mybox.vboxvault.de/invitations?share=3612cd6e2cb0e554c59f&dl=0
https://mybox.vboxvault.de/invitations?share=076085f3415077012d7c&dl=0

3. Map Keycloak username to uid

Pictures:

https://mybox.vboxvault.de/invitations?share=ba578d8c2dd2db3ead6f&dl=0

4. Import users from LDAP and activate them for the SSO instance

Picture:

https://mybox.vboxvault.de/invitations?share=785ee9b0df5ec976f397&dl=0

https://mybox.vboxvault.de/invitations?share=24428f64858526fd4401&dl=0

5. We choose the SAML provider on the CloudStack login page and are redirected correctly to the Keycloak login page. We enter our credentials and the redirection back to CloudStack starts.
After that we get the following error:

---snip
<loginresponse cloud-stack-version="4.9.2.0">
<errorcode>531</errorcode>
<errortext>
Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.
</errortext>
</loginresponse>
---snip


6. When we look at a browser trace with a SAML plugin we see a success.

Picture:

https://mybox.vboxvault.de/invitations?share=fa038b7c2b2d4c6f1dcd&dl=0

7. Our SAML CloudStack settings / they seem to be okay
Picture:
https://mybox.vboxvault.de/invitations?share=87fe39bb415461f40154&dl=0


Our web developer tried it with a Simple SAML PHP library, and there everything works with Keycloak. We checked all values and the uid there. You will see the uid is correctly set. saml2.user.attribute.
Picture
https://mybox.vboxvault.de/invitations?share=c727b8f5dfc678318938&dl=0




Best regards

Sven Vogel
Head of Cloud Solutions
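
Added example, not part of the original post and not CloudStack or Keycloak code: a small diagnostic that decodes a captured HTTP-POST SAMLResponse and reports how the value configured in saml2.user.attribute relates to the attributes actually present. The sample response is constructed, the function names are hypothetical, and because the post does not say how CloudStack compares names, the script reports each possible relation (exact Name, Name in different case, FriendlyName only, absent) rather than assuming one.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not taken from the thread): a minimal unsigned response
# in which "uid" appears only as FriendlyName, while Name is an OID URN.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def list_attributes(saml_response_b64):
    """Decode a POST-binding SAMLResponse; return (Name, FriendlyName, values)."""
    # Diagnostic only: no signature validation, and encrypted assertions stay opaque.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def check_user_attribute(saml_response_b64, configured):
    """Classify how the configured attribute name relates to the response."""
    attrs = list_attributes(saml_response_b64)
    if any(name == configured for name, _, _ in attrs):
        return "name-match"
    if any(name and name.lower() == configured.lower() for name, _, _ in attrs):
        return "name-match-different-case"
    if any(friendly == configured for _, friendly, _ in attrs):
        return "friendly-name-only"
    return "absent"


if __name__ == "__main__":
    b64 = base64.b64encode(SAMPLE_RESPONSE.encode())
    print(check_user_attribute(b64, "uid"), list_attributes(b64))
```

To use it on a real login, pass the SAMLResponse form field captured by the browser SAML plugin in place of the constructed sample.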