You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As only Okta is described and seemingly only one person tried Authentik, I'm quite lost in how to configure this.
I eventually found that this is an IDP Initiated login, which Keycloak describes here: https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login - here I picked the first option, "Assertion Consumer Service POST Binding URL", to put the url https://<domain>/app/login.php. I have configured many SAML-SSO configs, but never this type! I did notice that you use MiniOrange, but unfortunately their documentation did not help much.
When I go to the Keycloak page, it nicely goes to IceHRM's login-page. But login fails.
In the logs:
icehrm-1 | NOTICE: PHP message: SAML: certificate count = 1
icehrm-1 | NOTICE: PHP message: SAML: Responses is not signed
icehrm-1 | [2025-02-10 05:34:54] IceHrm.ERROR: (client=icehrm) SAML: response signature validity : [] []
icehrm-1 | [2025-02-10 05:34:54] IceHrm.ERROR: (client=icehrm) Invalid response or assertion signature [] []
icehrm-1 | [2025-02-10 05:34:54] IceHrm.INFO: (client=icehrm) SSO SAML User Email: [] []
icehrm-1 | 2025/02/10 00:04:54 [error] 9#9: *877 FastCGI sent in stderr: "PHP message: SAML: certificate count = 1PHP message: SAML: Responses is not signed" while reading response header from upstream, client: <redacted>
According to MiniOrgange both "Sign documents" and "Sign assertions" had to be on. I took the main X.509 from "SAML 2.0 Identity Provider Metadata", as I normally do for SAML.
I hope somebody can help me here, how to fix this.
The text was updated successfully, but these errors were encountered:
As only Okta is described and seemingly only one person tried Authentik, I'm quite lost in how to configure this.
I eventually found that this is an IDP Initiated login, which Keycloak describes here: https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login - here I picked the first option, "Assertion Consumer Service POST Binding URL", to put the url
https://<domain>/app/login.php. I have configured many SAML-SSO configs, but never this type! I did notice that you use MiniOrange, but unfortunately their documentation did not help much.When I go to the Keycloak page, it nicely goes to IceHRM's login-page. But login fails.
In the logs:
According to MiniOrgange both "Sign documents" and "Sign assertions" had to be on. I took the main X.509 from "SAML 2.0 Identity Provider Metadata", as I normally do for SAML.
I hope somebody can help me here, how to fix this.
The text was updated successfully, but these errors were encountered: