SAML Metadata URL did not connect and pull data successfully #27072

Open
jianlinz opened this issue May 20, 2024 · 6 comments
Labels
Awaiting Submitter Action Blocked on the author

Comments

@jianlinz

jianlinz commented May 20, 2024

Summary

The SAML integrated Keycloak Identity Provider Metadata URL authentication fails

Steps to reproduce

  • Configure Keycloak and Mattermost based on the following addresses

  • Get Keycloak /realm-settings -> SAML 2.0 Identity Provider Metadata URL

  • mattermost/admin_console/authentication/saml -> Identity Provider Metadata URL -> SAML 2.0 Identity Provider Metadata URL

  • Click the button 'Get SAML Metadata From IdP'

  • Show error message -> SAML Metadata URL did not connect and pull data successfully

  • Mattermost log

{"timestamp":"2024-05-20 15:16:16.491 Z","level":"debug","msg":"Failed to obtain metadata from Identity Provider URL.","caller":"web/context.go:113","path":"/api/v4/saml/metadatafromidp","request_id":"fenypptth3ytbn4gnw3b7bmjxw","ip_addr":"172.31.0.4","user_id":"ir6wr7fpo38ytyhuo8xrw7uy9y","method":"POST","err_where":"getSamlMetadataFromIdp","http_code":400,"error":"getSamlMetadataFromIdp: Failed to obtain metadata from Identity Provider URL., FetchSamlMetadataFromIdp: Could not read the response received from the Identity Provider., Get \"https://***/realms/mattermost/protocol/saml/descriptor\": address forbidden, you may need to set AllowedUntrustedInternalConnections to allow an integration access to your internal network"}

Expected behavior

successfully

Observed behavior (that appears unintentional)

SAML Metadata URL did not connect and pull data successfully

Possible fixes

Since these settings are the most basic settings, can you tell me if I did something wrong? I understand that success should be displayed at least in this step.
The SAML 2.0 Identity Provider Metadata URL is accessible from a browser.
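
The log line above shows the server refusing the outbound metadata fetch with "address forbidden" and pointing at AllowedUntrustedInternalConnections. The following sketch of that kind of outbound-address guard is an added example, not code from this issue or from Mattermost; the function names, the sample hosts and addresses, and the allowlist format (whitespace-separated hostnames, IPs or CIDR ranges) are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// isInternal reports whether ip falls in a range an SSRF guard typically refuses.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// allowed reports whether host or its resolved ip matches an allowlist entry.
// Assumed format: whitespace-separated hostnames, IPs or CIDR ranges.
func allowed(host string, ip net.IP, allowlist string) bool {
	for _, entry := range strings.Fields(allowlist) {
		if strings.EqualFold(entry, host) {
			return true
		}
		if e := net.ParseIP(entry); e != nil && e.Equal(ip) {
			return true
		}
		if _, cidr, err := net.ParseCIDR(entry); err == nil && cidr.Contains(ip) {
			return true
		}
	}
	return false
}

// checkDial decides whether an outbound request to host (resolved to ip) may proceed.
func checkDial(host, resolved, allowlist string) error {
	ip := net.ParseIP(resolved)
	if ip == nil {
		return fmt.Errorf("unparseable address %q", resolved)
	}
	if isInternal(ip) && !allowed(host, ip, allowlist) {
		return fmt.Errorf("address forbidden: %s resolves to internal address %s", host, ip)
	}
	return nil
}

func main() {
	// Constructed sample: an IdP hostname that resolves to a private address.
	host, ip := "idp.example.internal", "172.31.0.10"
	fmt.Println("empty allowlist:", checkDial(host, ip, ""))
	fmt.Println("CIDR allowlisted:", checkDial(host, ip, "172.31.0.0/16"))
	fmt.Println("public address:", checkDial("idp.example.com", "93.184.216.34", ""))
}
```

A guard of this kind decides on the address the server itself resolves, so a URL that opens in a browser can still be refused when the server sees it at a private address.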

@amyblais
Member

@jianlinz What Mattermost server version are you on?

@jianlinz
Author

jianlinz commented May 22, 2024

> @jianlinz What Mattermost server version are you on?

Hi
mattermost 8.1.9
keycloak 22.0.5

Thanks

@amyblais
Member

Thank you, given that v8.1 has gone out of support on May 15th, would you be open to upgrading to v9.5 or a newer version to see if the issue still reproduces?

@amyblais amyblais added the Awaiting Submitter Action Blocked on the author label May 22, 2024
@jianlinz
Author

> Thank you, given that v8.1 has gone out of support on May 15th, would you be open to upgrading to v9.5 or a newer version to see if the issue still reproduces?

OK, I'll switch to version 9.8 and try it out.

@jianlinz
Author

jianlinz commented May 23, 2024

Mattermost 9.8
Keycloak 22.0.5
Still reporting the same anomaly.

I also tried to integrate Keycloak with OpenID.
The exception is -> tls: failed to verify certificate: x509: certificate signed by unknown authority
I confirm that all my certificates are TLS certificates issued by a CA.

I also tried to integrate OpenID with GitLab.
The exception is -> tls: failed to verify certificate: x509: certificate signed by unknown authority

Integrate OpenID with Keycloak 4.5:
The exception is -> invalid character '<' looking for beginning of value

Can you tell me what I did wrong?
@amyblais

@amyblais
Member

Would you be open to posting about this on one of our troubleshooting forums, either at https://community.mattermost.com/core/channels/peer-to-peer-help or at https://forum.mattermost.com/?

@amyblais amyblais added Awaiting Submitter Action Blocked on the author and removed Awaiting Submitter Action Blocked on the author labels May 23, 2024