[keycloak-user] Keycloak / Azure AD Federation
Jonas Weismueller
jw at blue-yonder.com
Fri Aug 25 10:24:40 EDT 2017
Hi,
I already read about a similar statement. But as far as I understand it
is optional by specification and thus it would be nice if it is at least
configurable to turn it on/off.
I also can try to convince Microsoft to change their behavior, but I
don't know if it will be possible ;)
Cheers Jonas
On 25.08.17 15:30, Bill Burke wrote:
> destination is validated to be the same URL the SAML request was posted
> to. This is a security check to protect against replay attacks.
>
>
> On 8/25/17 5:53 AM, Jonas Weismueller wrote:
>> Hi,
>> any further information needed? I would like to get KC <-> Azure AD to
>> be connected. Otherwise we are sadly being obliged to look after another
>> IdP solution :(
>>
>> Cheers Jonas
>>
>> On 22.08.17 14:27, Jonas Weismueller wrote:
>>> Hi,
>>>
>>> we configured AzureAD to use our keycloak instance, like this:
>>>
>>>
>>>
>>> $cer="$our_cert_string"
>>>
>>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>>
>>> $dom="test.domain.cloud"
>>>
>>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
>>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>>
>>>
>>>
>>> When I know try to login on the azure portal, I get successfully
>>> redirected
>>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>>> I get the following error from keycloak:
>>>
>>> 2017-08-22 11:49:47,735 DEBUG
>>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>>
>>>
>>>
>>> The SAML AuthnRequest sent by M$ looks as follows:
>>>
>>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>>> (default task-3) <samlp:AuthnRequest
>>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>>> IssueInstant="2017-08-22T11:47:46.793Z"
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>>
>>>
>>>
>>> What we can see, is that the destination (optional?) attribute is
>>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>>
>>>
>>>
>>> Why is keycloak doing some strict checking about the optional
>>> destination parameter?
>>>
>>>
>>>
>>> Cheers Jonas
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list