zulip: SAML Authentication failed: The response was received at wrong URL
Hi,
I am new to zulip and trying to get SAML working properly. I am stumbling from one error to another and eventually I am stuck. When clicking on the SAML login button in zulip, I get redirected to my IDP login form. After successful login to my idp, I get redirected to my zulip instance. There the zulip login form appears again, with the following log entries:
[pid: 525|app: 0|req: 6/11] 172.16.238.254 () {66 vars in 1451 bytes} [Tue Jun 1 09:09:02 2021] GET /login/saml/?subdomain=&is_signup=0&multiuse_object_key=&next=%2F&idp=sso => generated 0 bytes in 6 msecs (HTTP/1.1 302) 8 headers in 1262 bytes (1 switches on core 0)
The response was received at https://zulip.example.com:80/complete/saml/ instead of https://zulip.example.com/complete/saml/
2021-06-01 09:09:02.589 INFO [zulip.auth.saml] AuthFailed: Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://zulip.example.com:80/complete/saml/ instead of https://zulip.example.com/complete/saml/)
2021-06-01 09:09:02.592 INFO [zr] 172.16.238.254 POST 302 9ms (db: 1ms/1q) /complete/saml/ (unauth@root via Mozilla)
[pid: 525|app: 0|req: 7/12] 172.16.238.254 () {70 vars in 1434 bytes} [Tue Jun 1 09:09:02 2021] POST /complete/saml/ => generated 0 bytes in 11 msecs (HTTP/1.1 302) 8 headers in 425 bytes (1 switches on core 0)
2021-06-01 09:09:02.639 INFO [zr] 172.16.238.254 GET 200 13ms (db: 1ms/1q) /login/ (unauth@root via Mozilla)
[pid: 525|app: 0|req: 8/13] 172.16.238.254 () {64 vars in 1278 bytes} [Tue Jun 1 09:09:02 2021] GET /login/ => generated 11810 bytes in 15 msecs (HTTP/1.1 200) 7 headers in 440 bytes (2 switches on core 0)
Obviously, the error is the port information in the URL, the SAML response was received, but URL in my IdP is correct. I guess, the problem lies within my reverse proxy.
I have the following setup:
- Zulip inside the official docker container, with SAML configured
- Keycloak as Identity provider
- Traefik v2 reverse proxy
Did anyone have a similar setup and came around that error?
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 15 (7 by maintainers)
For the record, the problem of @awunder was solved by double checking Keycloak attribute mappers.