zulip: SAML Authentication failed: The response was received at wrong URL

Hi,

I am new to zulip and trying to get SAML working properly. I am stumbling from one error to another and eventually I am stuck. When clicking on the SAML login button in zulip, I get redirected to my IDP login form. After successful login to my idp, I get redirected to my zulip instance. There the zulip login form appears again, with the following log entries:

[pid: 525|app: 0|req: 6/11] 172.16.238.254 () {66 vars in 1451 bytes} [Tue Jun  1 09:09:02 2021] GET /login/saml/?subdomain=&is_signup=0&multiuse_object_key=&next=%2F&idp=sso => generated 0 bytes in 6 msecs (HTTP/1.1 302) 8 headers in 1262 bytes (1 switches on core 0)
The response was received at https://zulip.example.com:80/complete/saml/ instead of https://zulip.example.com/complete/saml/
2021-06-01 09:09:02.589 INFO [zulip.auth.saml] AuthFailed: Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://zulip.example.com:80/complete/saml/ instead of https://zulip.example.com/complete/saml/)
2021-06-01 09:09:02.592 INFO [zr] 172.16.238.254  POST    302   9ms (db: 1ms/1q) /complete/saml/ (unauth@root via Mozilla)
[pid: 525|app: 0|req: 7/12] 172.16.238.254 () {70 vars in 1434 bytes} [Tue Jun  1 09:09:02 2021] POST /complete/saml/ => generated 0 bytes in 11 msecs (HTTP/1.1 302) 8 headers in 425 bytes (1 switches on core 0)
2021-06-01 09:09:02.639 INFO [zr] 172.16.238.254  GET     200  13ms (db: 1ms/1q) /login/ (unauth@root via Mozilla)
[pid: 525|app: 0|req: 8/13] 172.16.238.254 () {64 vars in 1278 bytes} [Tue Jun  1 09:09:02 2021] GET /login/ => generated 11810 bytes in 15 msecs (HTTP/1.1 200) 7 headers in 440 bytes (2 switches on core 0)

Obviously, the error is the port information in the URL, the SAML response was received, but URL in my IdP is correct. I guess, the problem lies within my reverse proxy.

I have the following setup:

  • Zulip inside the official docker container, with SAML configured
  • Keycloak as Identity provider
  • Traefik v2 reverse proxy

Did anyone have a similar setup and came around that error?

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

For the record, the problem of @awunder was solved by double checking Keycloak attribute mappers.

+1
Lumrenion on Jul 4, 2021
Read more comments on GitHub
← zulip: portico: Add zxcvbn error messages and time-to-crack on registration page.
zulip: Search doesn't match words in URL, only whole hostname or path →