SSO Configuration IdentityIQ

Hello everyone,

I am currently setting up a small test environment and wanted to do my authentication via SSO with SAML in Keycloak. I have configured everything and it works as expected, but I always get an error when I activate the encryption in Keycloak (“Encrypt assertions”). Does IdentityIQ not support this or do I have to configure this somehow within IIQ? Unfortunately, I can hardly find any documentation on this.

I would also be interested in whether I can also perform SSO with OIDC or Kerberos, and if so, whether you have any tips or instructions for this. I am grateful for any help! 🙂

And then my last question: there is also rule-based SSO in SailPoint. Unfortunately, I have not yet fully understood when to use it. What use cases are there where you have to use rule-based SSO, and are there already any templates or examples?

Thank you already for your help!
Best regards,
Kevin

@KevinApp - This is a very interesting topic you’re working on. You mentioned that it’s functioning as expected; could you please confirm whether SailPoint is being used as the Service Provider (SP) or the Identity Provider (IdP) in your setup? Also, if possible, kindly share the SAML tracer log for further analysis. I’m genuinely interested in fixing your problem.

SAML support guide & SSO Document for your reference:

IdentityIQ supports specifying both types of SSO in the same installation’s login configuration. The order in which they are consulted during user authentication will be determined as follows:

  • If an ssoAuthenticators attribute is specified in the SystemConfiguration object, it will specify the configured SSO options in a CSV list, and the options will be checked in the order they are specified
  • If that attribute is not present, SAML SSO will be used first and then rule-based SSO

Thank you so much, @pattabhi, for your post. Really appreciated.

@KevinApp, it looks like you have some encryption error. Did you execute the “IQ Service key rotation” task from IIQ? This is needed the first time to create the IQServiceConfig.dat file in the C:\IQService folder on the IQService box.

Please check if this was the issue.

Hi @pravin_ranjan,

This is an example of the error message I get if I activate those options in Keycloak:

2025-06-15 14:53:20,759 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-146) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:155)
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:145)
        at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:839)
        at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:318)
        at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:723)
        at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:891)
        at org.keycloak.protocol.saml.SamlService$quarkusrestinvoker$redirectBinding_27a6026811cb340daf60c346192746e5538eb7a0.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
        at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
        at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)
2025-06-15 14:53:20,760 WARN  [org.keycloak.events] (executor-thread-146) type="LOGIN_ERROR", realmId="ae750370-92eb-4a0f-9319-120a939eb698", realmName="ArmoredIdentity", clientId="null", userId="null", ipAddress="xxx.xxx.xxx.xxx", error="invalid_signature"

If I deactivate these options, everything works fine.
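An added example, not from this thread nor from SailPoint or Keycloak, showing how the two Keycloak lines quoted above can be correlated for monitoring: it pairs each `org.keycloak.events` LOGIN_ERROR entry with `error="invalid_signature"` to the `VerificationException` message logged on the same executor thread just before it. The sample log is constructed from the output quoted above; the realm id and IP address are placeholders.

```python
import re

# Constructed sample modelled on the Keycloak lines quoted in the thread.
# Realm id and IP address are placeholders, not values from a real system.
SAMPLE_LOG = """\
2025-06-15 14:53:20,759 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-146) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:155)
2025-06-15 14:53:20,760 WARN  [org.keycloak.events] (executor-thread-146) type="LOGIN_ERROR", realmId="REALM-ID-PLACEHOLDER", realmName="ArmoredIdentity", clientId="null", userId="null", ipAddress="203.0.113.10", error="invalid_signature"
2025-06-15 14:55:01,002 WARN  [org.keycloak.events] (executor-thread-150) type="LOGIN", realmId="REALM-ID-PLACEHOLDER", realmName="ArmoredIdentity", clientId="identityiq", userId="u-1", ipAddress="203.0.113.10", error="null"
"""

# Timestamped Keycloak line: "<ts> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+'
    r'\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$'
)
# key="value" pairs as written by the org.keycloak.events logger
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_keycloak_log(text):
    """Yield one dict per timestamped line; stack-trace 'at ...' lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def saml_signature_failures(text):
    """Return LOGIN_ERROR events with error=invalid_signature, each joined with the
    VerificationException reason logged on the same executor thread."""
    last_exception = {}  # thread -> most recent SAML validation failure reason
    findings = []
    for rec in parse_keycloak_log(text):
        if rec["level"] == "ERROR" and "VerificationException: " in rec["msg"]:
            last_exception[rec["thread"]] = rec["msg"].split("VerificationException: ", 1)[1]
        elif rec["logger"] == "org.keycloak.events":
            ev = dict(KV_RE.findall(rec["msg"]))
            if ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "invalid_signature":
                findings.append({
                    "time": rec["ts"],
                    "realm": ev.get("realmName"),
                    "client": ev.get("clientId"),
                    "ip": ev.get("ipAddress"),
                    "cause": last_exception.pop(rec["thread"], "unknown"),
                })
    return findings


if __name__ == "__main__":
    for f in saml_signature_failures(SAMPLE_LOG):
        print(f)
```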