[keycloak-user] Keycloak / Azure AD Federation

Hynek Mlnarik hmlnarik at redhat.com
Mon Aug 28 02:22:43 EDT 2017


Destination is mandatory for signed SAML messages in Redirect and POST
bindings [1] and optional for unsigned ones [2]. It is a protection against
replay attacks for messages whose integrity can be checked. Hence, to
comply with the SAML spec, we have to allow the destination to be unset
when the signature is not checked.

[1] https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf,
lines 661, 843
[2] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf,
line 1477

On Fri, Aug 25, 2017 at 3:30 PM, Bill Burke <bburke at redhat.com> wrote:
> destination is validated to be the same URL the SAML request was posted
> to.  This is a security check to protect against replay attacks.
>
>
> On 8/25/17 5:53 AM, Jonas Weismueller wrote:
>> Hi,
>> any further information needed? I would like to get KC <-> Azure AD to
>> be connected. Otherwise we are sadly being obliged to look after another
>> IdP solution :(
>>
>> Cheers Jonas
>>
>> On 22.08.17 14:27, Jonas Weismueller wrote:
>>> Hi,
>>>
>>> we configured AzureAD to use our keycloak instance, like this:
>>>
>>>
>>>
>>> $cer="$our_cert_string"
>>>
>>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>>
>>> $dom="test.domain.cloud"
>>>
>>> Set-MsolDomainAuthentication -DomainName $dom  -Authentication Federated
>>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>>
>>>
>>>
>>> When I now try to log in on the Azure portal, I get successfully
>>> redirected
>>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>>> I get the following error from keycloak:
>>>
>>> 2017-08-22 11:49:47,735 DEBUG
>>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>>
>>>
>>>
>>> The SAML AuthnRequest sent by M$ looks as follows:
>>>
>>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>>> (default task-3) <samlp:AuthnRequest
>>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>>> IssueInstant="2017-08-22T11:47:46.793Z"
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>>
>>>
>>>
>>> What we can see is that the destination (optional?) attribute is
>>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>>
>>>
>>>
>>> Why is keycloak doing some strict checking about the optional
>>> destination parameter?
>>>
>>>
>>>
>>> Cheers Jonas
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek
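The rule Hynek states above (Destination mandatory when the message is signed, optional otherwise, and when present it must equal the URL the request was delivered to) can be written down as a small receiver-side check. The following is an added example, not Keycloak's own code: it parses the AuthnRequest exactly as logged in the thread plus two constructed signed variants (the `ds:Signature` element is an empty placeholder standing in for a real XML-DSig; actual signature verification is assumed to happen elsewhere before the message is trusted). The `signature_required` flag and the reason strings other than `invalid_destination` are assumptions of this example.

```python
"""Destination check for a SAML 2.0 AuthnRequest received over the POST binding.

Added example illustrating the spec rule discussed in the thread; it is not
Keycloak's implementation.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# The endpoint Azure AD was configured to post to (from the thread).
ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"

# AuthnRequest as logged in the thread: no Destination, no Signature.
AZURE_REQUEST = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" '
    'IssueInstant="2017-08-22T11:47:46.793Z" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    '</samlp:AuthnRequest>'
)

# Constructed: signed request (placeholder Signature element) with no Destination.
SIGNED_NO_DESTINATION = (
    '<samlp:AuthnRequest ID="_constructed-1" Version="2.0" '
    'IssueInstant="2017-08-22T11:47:46.793Z" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    '</samlp:AuthnRequest>'
)


def signed_request_for(destination):
    """Constructed: signed request (placeholder Signature) carrying a Destination."""
    return (
        '<samlp:AuthnRequest ID="_constructed-2" Version="2.0" '
        'IssueInstant="2017-08-22T11:47:46.793Z" '
        f'Destination="{destination}" '
        'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
        '</samlp:AuthnRequest>'
    )


def is_signed(root):
    """True when the message carries an enveloped XML signature element."""
    return root.find(f"{{{DSIG}}}Signature") is not None


def validate_destination(xml_text, endpoint_url, signature_required):
    """Return None when the Destination check passes, else a reason string.

    signature_required models the receiver's policy that requests from this
    issuer must be signed (an assumption of this example). Verifying the
    signature itself is out of scope here and must precede trusting the message.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return "invalid_request"

    signed = is_signed(root)
    destination = root.get("Destination")

    if signature_required and not signed:
        return "missing_signature"
    if signed and destination is None:
        # Signed messages over Redirect/POST bindings MUST carry Destination;
        # without it the signature cannot bind the message to this endpoint.
        return "invalid_destination"
    if destination is not None and destination != endpoint_url:
        # Present but aimed at a different endpoint: reject as a possible replay.
        return "invalid_destination"
    return None


if __name__ == "__main__":
    print("azure, unsigned, not required:",
          validate_destination(AZURE_REQUEST, ENDPOINT, signature_required=False))
    print("signed, no destination:",
          validate_destination(SIGNED_NO_DESTINATION, ENDPOINT, signature_required=True))
    print("signed, matching destination:",
          validate_destination(signed_request_for(ENDPOINT), ENDPOINT, signature_required=True))
```

With `signature_required=False` the unsigned Azure AD request from the thread passes, which is the behaviour Hynek describes as spec-compliant; a signed request without Destination, or with a Destination that is not the receiving URL, is still rejected.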

