[keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Hynek Mlnarik hmlnarik at redhat.com
Fri Mar 3 03:34:08 EST 2017


Actually https matters; ADFS had been rejecting any SAML communication
with Keycloak for me until https was enabled. Also for ADFS, there is
a special setting for the KeyInfo element that needs to be set to
CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity
Provider settings [1].

[1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html

On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg at teds.com> wrote:
> What is the correct way to set up identity brokering from Keycloak to ADFS?
> I’m new to ADFS so I suspect I’ve configured something incorrectly there.
>
> Here’s what I’ve done so far:
>
> 1) Installed ADFS.
> 2) Opened ADFS Management.
> 3) Walked through the ADFS Configuration Wizard.
> At one point in the process it asked which certificate I wanted to use. I
> didn’t have one so I went into IIS Manager and created a self-signed
> certificate. Then I came back to the ADFS Configuration Wizard and selected
> the newly created certificate.
> At the end of the process there was a list of configuration items that had
> been performed and they all had green checkmarks by them.
> Clicked Close.
>
> 4) At this point ADFS Management said I needed to configure a Trusted
> Relying Party so I went to Keycloak to start setting up that side of things.
> 5) Since the certificate used by ADFS is self-signed I exported it from IIS
> and imported it into the Wildfly jssecerts where Keycloak is running and
> restarted Wildfly/Keycloak.
> 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
> server>/FederationMetadata/2007-06/FederationMetadata.xml
> 7) In Keycloak admin console, on the Identity Providers page I chose “Add
> provider… SAML v2.0”
> 8) Entered an alias for the new IdP then in “Import from file -> Select
> File” I chose the FederationMetadata.xml that I acquired from the ADFS
> server.
> 9) Saved the IdP configuration.
> 10) Went to the Export tab of the newly created IdP and downloaded the xml
> config file.
>
> 11) At this point I went back to ADFS Management and followed the steps to
> create a Trusted Relying Party, choosing to import data about the relying
> party from the xml file exported from Keycloak.
> 12) For the rest of the Relying Party configuration I accepted the defaults.
>
> When I go to the url for my application I’m redirected to the Keycloak
> login screen where I select the Identity Provider I configured. I get a
> security certificate warning since the certificate from the server is
> self-signed but I choose to continue despite the warning. Then I get an
> error page saying there was a problem accessing the site. I don’t get the
> ADFS page where I would enter my login credentials.
>
> I don’t know if it matters but my application and Keycloak currently use
> http rather than https.
>
> Any help would be greatly appreciated.
> Thanks in advance,
> Glenn
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek
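As an added example (not code from this thread, and not Keycloak's or ADFS's own code) of the two points Hynek raises: the script below parses a constructed, heavily trimmed stand-in for ADFS FederationMetadata.xml, builds the Keycloak SAML identity-provider representation the "Import from file" step would produce with the SAML Signature Key Name set to CERT_SUBJECT, and then checks the result the way Glenn's setup would have failed it (Keycloak served over http). The hostnames, realm, alias, base URLs and the certificate text are invented; the config attribute names (xmlSigKeyInfoKeyNameTransformer, singleSignOnServiceUrl, signingCertificate, ...) and the broker endpoint path are assumed from Keycloak's SAML identity-provider representation as I know it and should be checked against the deployed version.

```python
"""Derive a Keycloak SAML IdP configuration from ADFS metadata and check it
for the ADFS pitfalls discussed in the thread (https and CERT_SUBJECT)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed stand-in for ADFS FederationMetadata.xml (hosts and
# certificate are fake). The entityID deliberately uses http: ADFS uses it
# as an identifier only, so it is not an endpoint and is not checked below.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIICfake
Base64Cert==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_adfs_metadata(xml_text):
    """Extract entityID, signing certificate and SSO/SLO endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing certificate")

    def by_binding(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    sso, slo = by_binding("md:SingleSignOnService"), by_binding("md:SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "signing_cert": "".join(cert.text.split()),  # strip the PEM-style line breaks
        "sso_post": sso.get(POST),
        "sso_redirect": sso.get(REDIRECT),
        "slo_redirect": slo.get(REDIRECT),
    }


def build_keycloak_idp(alias, meta):
    """Keycloak IdentityProviderRepresentation for the ADFS IdP. Config key
    names are assumed to match the deployed Keycloak version."""
    return {
        "alias": alias,
        "providerId": "saml",
        "enabled": True,
        "config": {
            "singleSignOnServiceUrl": meta["sso_post"] or meta["sso_redirect"],
            "singleLogoutServiceUrl": meta["slo_redirect"] or "",
            "signingCertificate": meta["signing_cert"],
            "validateSignature": "true",
            "wantAuthnRequestsSigned": "true",
            "postBindingAuthnRequest": "true",
            "postBindingResponse": "true",
            # The "SAML Signature Key Name" option from the thread: ADFS
            # resolves the signing key from the certificate subject.
            "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
        },
    }


def broker_endpoint(keycloak_base_url, realm, alias):
    """Keycloak's SP endpoint that ADFS must trust (assumed path layout; the
    base URL is assumed to include the /auth context of this Keycloak era)."""
    return f"{keycloak_base_url}/realms/{realm}/broker/{alias}/endpoint"


def check_brokering_config(rep, keycloak_base_url):
    """Return the problems that, per the thread, make ADFS reject the exchange."""
    problems, cfg = [], rep["config"]
    scheme = urlparse(keycloak_base_url).scheme
    if scheme != "https":
        problems.append(f"Keycloak is served over {scheme}; ADFS wants https")
    for key in ("singleSignOnServiceUrl", "singleLogoutServiceUrl"):
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            problems.append(f"{key} is not https: {cfg[key]}")
    if cfg.get("xmlSigKeyInfoKeyNameTransformer") != "CERT_SUBJECT":
        problems.append("SAML Signature Key Name must be CERT_SUBJECT for ADFS")
    if cfg.get("validateSignature") != "true" or not cfg.get("signingCertificate"):
        problems.append("response signature validation is off or no ADFS cert imported")
    return problems


if __name__ == "__main__":
    idp = build_keycloak_idp("adfs", parse_adfs_metadata(SAMPLE_METADATA))
    for base in ("http://keycloak.example.test:8080/auth",
                 "https://keycloak.example.test:8443/auth"):
        print(broker_endpoint(base, "master", "adfs"))
        print("  problems:", check_brokering_config(idp, base) or "none")
```

Running it prints the broker endpoint for the http base URL with the https problem flagged, and a clean result for the https one; the same check would also catch an IdP that was imported with the default key-name transformer instead of CERT_SUBJECT.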


