Bug 1456855 - mellon-root and mellon-protected-locations need to be validated
Summary: mellon-root and mellon-protected-locations need to be validated
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: keycloak-httpd-client-install
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John Dennis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1481322
Reported: 2017-05-30 14:16 UTC by John Dennis
Modified: 2018-01-10 17:51 UTC (History)

Fixed In Version: keycloak-httpd-client-install-0.8-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1481322
Environment:
Last Closed: 2018-01-10 17:51:07 UTC
Type: Bug
Embargoed:

Description John Dennis 2017-05-30 14:16:37 UTC
keycloak-httpd-client-install will permit creating a non-working configuration if mellon-protected-locations are not equal to or ancestors of mellon-root. The relationship between mellon-root and mellon-protected-locations should be validated.

This error was evident in bug #1447770, which ran keycloak-httpd-client-install this way:

[root@sp1 ~]# keycloak-httpd-client-install   \
      --client-originate-method registration \
      --keycloak-server-url https://idp.keycloak.test:8443 \
      --keycloak-admin-username admin \
      --keycloak-admin-password Secret1230 \
      --app-name testapp \
      --keycloak-realm test_realm \
      --mellon-protected-locations "/private" \
      --mellon-root mellon_root \
      --force

It produced this run time error message in the error_log:

"Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile."

And a server 500 error during access to the protected location.

The fundamental problem is there were no IdPs defined for the protected location.

The error message is cryptic and misleading: it implies there is a problem loading the IdP metadata, e.g. file access permissions, bad XML, etc., when in fact the problem is there was no metadata to load, not that the metadata file was the problem. We need to check the count of IdP metadata and emit a different message if no IdP metadata is defined. The reason this is confusing is because the IdP metadata often is defined, it's just not available to the protected location. Also there probably should be a better error than server 500; is there an HTTP error for server misconfiguration? If not, then the configuration should be validated at mellon load time so the server fails to start rather than a lazy load which permits the server to start with a non-functioning configuration.
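
As an added illustration of the validation this report asks for (example code written for this page, not part of keycloak-httpd-client-install or mod_auth_mellon): the check treats the mellon root as the Location on which the Mellon IdP directives are set and requires every protected location to be that same path or to lie beneath it on a path-component boundary, so the invocation above ("/private" outside "mellon_root") is rejected before any httpd configuration is written, with a message that names the real cause instead of the lasso metadata error. Treating a root given without a leading slash, such as "mellon_root" above, as "/mellon_root" is this example's own assumption.

```python
"""Added example: validate the --mellon-root / --mellon-protected-locations
relationship before generating httpd configuration (not the tool's own code)."""
from typing import List, Tuple


def normalize_location(path: str) -> str:
    """Normalise an httpd <Location> path: force a leading slash (assumption:
    a bare "mellon_root" means "/mellon_root"), collapse repeated slashes and
    drop a trailing slash, except for "/" itself."""
    path = "/" + path.strip()
    while "//" in path:
        path = path.replace("//", "/")
    if len(path) > 1:
        path = path.rstrip("/")
    return path


def is_equal_or_descendant(root: str, location: str) -> bool:
    """True when `location` equals `root` or is nested under it on a path
    component boundary, so "/mellon_rootx" is NOT under "/mellon_root"."""
    root = normalize_location(root)
    location = normalize_location(location)
    if root == "/":
        return True  # everything is under the server root
    return location == root or location.startswith(root + "/")


def validate_protected_locations(mellon_root: str,
                                 protected: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, errors). ok is False when any protected location falls
    outside the mellon root; each error states the real cause so the user
    never has to decode the misleading MellonIdPMetadataFile message."""
    errors: List[str] = []
    root = normalize_location(mellon_root)
    for loc in protected:
        if not is_equal_or_descendant(root, loc):
            errors.append(
                f"protected location {normalize_location(loc)!r} is not equal to "
                f"or nested under mellon root {root!r}: the IdP metadata configured "
                f"on the root will not apply to it and mod_auth_mellon would have no "
                f"IdP for requests to that location"
            )
    return (not errors, errors)


if __name__ == "__main__":
    # Constructed inputs mirroring the invocation quoted in the report.
    ok, msgs = validate_protected_locations("mellon_root", ["/private"])
    print("invalid as reported:", ok, msgs)
    ok, msgs = validate_protected_locations("/mellon_root",
                                            ["/mellon_root/private", "/mellon_root"])
    print("valid layout:", ok, msgs)
```

Running the script as-is reproduces the reported case (rejected) and a corrected layout where the protected locations sit under the root (accepted); the tool could call validate_protected_locations() right after argument parsing and exit non-zero on failure.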

Comment 1 Jan Kurik 2017-08-15 07:55:08 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
