SAML error after upgrade

Continuing the discussion from PostgreSQL 12 update:

After the upgrade, I receive a SAML error on the site that was not appearing before:

Sorry, there was an error authorizing your account. Please try again.

The error log says:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, http://www.example.com is not a valid audience for this Response - Valid audiences: https://love.public.cat

I’m using the Keycloak SAML client for the site. Was there some change in the plugin that requires additional settings in the plugin? – BTW, this plugin uses environment variables, which makes it difficult to use in a multi-site environment.

I tried adding an audience field in Keycloak but this did not change anything. Any idea?

1 Like

Any ideas here @vinothkannans?

1 Like

Did you set “saml_base_url” in the global settings or environment variables? It has the incorrect value www.example.com instead of love.public.cat in /auth/saml/metadata. By default, you don’t need to specify a value for that setting.

2 Likes
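The log line above is the service provider's audience check failing: the IdP's assertion names `https://love.public.cat` as the only permitted audience, but the SP compared it against an entity ID built from the wrong base URL (`http://www.example.com`). The following Python snippet is an added illustration of that check, not code from discourse-saml or ruby-saml; the SAML Response is constructed inline (unsigned, only the `Conditions` element matters here) and the IdP URL is a placeholder.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned Response whose assertion restricts
# the audience to the site's real entity ID. The issuer URL is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://love.public.cat</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(response_xml):
    """Return every <Audience> value found under an <AudienceRestriction>."""
    root = ET.fromstring(response_xml)
    nodes = root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
    return [n.text.strip() for n in nodes if n.text and n.text.strip()]


def validate_audience(response_xml, sp_entity_id):
    """Strict audience check: the SP's own entity ID must appear verbatim.

    Returns (ok, error_message). Comparison is an exact string match, so a
    different scheme (http vs https), host, or trailing slash is a mismatch.
    An assertion with no AudienceRestriction is rejected here by design.
    """
    audiences = extract_audiences(response_xml)
    if not audiences:
        return False, "Assertion carries no AudienceRestriction"
    if sp_entity_id in audiences:
        return True, None
    return False, (
        f"{sp_entity_id} is not a valid audience for this Response"
        f" - Valid audiences: {', '.join(audiences)}"
    )


def sp_entity_id_from_base_url(base_url):
    """Hypothetical helper: derive the SP entity ID from the configured base URL.

    Real plugins build their metadata/entity ID from the site's base URL in
    their own way; the point is only that a wrong base URL yields a wrong ID.
    """
    return base_url.rstrip("/")


if __name__ == "__main__":
    # Misconfigured base URL (what the original log shows) vs. the correct one.
    for base in ("http://www.example.com", "https://love.public.cat"):
        ok, err = validate_audience(SAMPLE_RESPONSE, sp_entity_id_from_base_url(base))
        print(f"{base}: {'ok' if ok else 'FAIL: ' + err}")
```

Running it prints a failure for the `www.example.com` entity ID with the same wording as the log line, and success for `https://love.public.cat`. Because the match is exact, checking `/auth/saml/metadata` for the entity ID the SP actually advertises, then comparing it character by character with the audience configured on the Keycloak client, is the quickest way to confirm which side is wrong.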

No, I did not specify this anywhere. I tested removing the equivalent setting on the Keycloak side and it broke the authentication. I also tried removing SSO and it also failed. I need to investigate more because on different multisite installations I don’t get the same behavior for the same SAML settings on Discourse and Keycloak. Is it possible that there’s some bad interaction with SSO? E.g., one authentication mode taking over the other at some point?

We never tried the “discourse-saml” plugin in a multi-site. The plugin may not be compatible with it. I wouldn’t recommend enabling the SAML plugin for multiple sites at the same time. Set all the environment variables in the app.yml file.

1 Like