[keycloak-user] Delegating SAML 2.0 Authentication to ADFS on Windows Server 2012

[Peter Donald]

Hi,

I am trying to use Keycloak 1.4.0.Final to delegate authentication to
ADFS and I am having trouble getting the combination to work. I have
tried to locate the information in manuals/docs but can't seem to
figure it out.

I tried to get keycloak to load the configuration for ADFS by using
the "Import External IDP Config" section when creating the identity
provider. Keycloak claimed success but populated none of the fields so
I manually entered the data.

The SSL/communication keys of both sides seem fine. I am assuming that
I have populated encryption/signature keys appropriately.

Then grabbed the exported data from the export tab. This is not valid
according to ADFS but if I add an xmlns to the top level element I can
load the file into ADFS and it seems to load most of the file but
ultimately the back and forth communication does not seem to work. I
had to manually enter a bunch of data into ADFS - mostly to add
endpoints that keycloak uses but does not declare?

Even then I get problems. Assuming I have "Want AuthnRequests Signed"
set to true I get an error like

MSIS7000: The sign in request is not compliant to the WS-Federation
language for web browser clients or the SAML 2.0 protocol WebSSO
profile.

If I set "Want AuthnRequests Signed" set to false then keycloak will
fail with NullPointer exception as ADFS will return a message with no
assertions.

So is delegating to ADFS supported or expected to work? Is there a
manual/blog/mailing list post I should read. Happy to RTFM :)

-- 
Cheers,

Peter Donald