[keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Glenn Campbell campbellg at teds.com
Fri Mar 3 15:49:09 EST 2017


Thank you for your suggestions. Making those changes seems to have solved
that problem. I don't think I would have ever figured that out on my own.

Now I'm on to the next problem. When I enter the login credentials on the
SAML IdP login page I get an error in Keycloak and the log file has a
"Could not process response from SAML identity provider" error message with
a root cause of "No assertion from response".

Do you have any suggestions on what I need to do to fix this problem?

On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> Actually https matters, ADFS had been rejecting any SAML communication
> with keycloak for me until https was enabled. Also for ADFS, there is
> a special setting for the KeyInfo element that needs to be set to
> CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity
> Provider settings [1].
>
> [1] https://keycloak.gitbooks.io/documentation/server_admin/
> topics/identity-broker/saml.html
>
> On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg at teds.com> wrote:
> > What is the correct way to set up identity brokering from Keycloak to ADFS?
> > I’m new to ADFS so I suspect I’ve configured something incorrectly there.
> >
> > Here’s what I’ve done so far:
> >
> > 1) Installed ADFS.
> > 2) Opened ADFS Management.
> > 3) Walked through the ADFS Configuration Wizard.
> > At one point in the process it asked which certificate I wanted to use. I
> > didn’t have one so I went into IIS Manager and created a self-signed
> > certificate. Then I came back to the ADFS Configuration Wizard and selected
> > the newly created certificate.
> > At the end of the process there was a list of configuration items that had
> > been performed and they all had green checkmarks by them.
> > Clicked Close.
> >
> > 4) At this point ADFS Management said I needed to configure a Trusted
> > Relying Party so I went to Keycloak to start setting up that side of things.
> > 5) Since the certificate used by ADFS is self-signed I exported it from IIS
> > and imported it into the Wildfly jssecerts where Keycloak is running and
> > restarted Wildfly/Keycloak.
> > 6) Saved the ADFS FederationMetadata.xml via the url
> > https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml
> > 7) In Keycloak admin console, on the Identity Providers page I chose
> > “Add provider… SAML v2.0”
> > 8) Entered an alias for the new IdP then in “Import from file -> Select
> > File” I chose the FederationMetadata.xml that I acquired from the ADFS
> > server.
> > 9) Saved the IdP configuration.
> > 10) Went to the Export tab of the newly created IdP and downloaded the xml
> > config file.
> >
> > 11) At this point I went back to ADFS Management and followed the steps to
> > create a Trusted Relying Party, choosing to import data about the relying
> > party from the xml file exported from Keycloak.
> > 12) For the rest of the Relying Party configuration I accepted the defaults.
> >
> > When I go to the url for my application I’m redirected to the Keycloak
> > login screen where I select the Identity Provider I configured. I get a
> > security certificate warning since the certificate from the server is
> > self-signed but I choose to continue despite the warning. Then I get an
> > error page saying there was a problem accessing the site. I don’t get the
> > ADFS page where I would enter my login credentials.
> >
> > I don’t know if it matters but my application and Keycloak currently use
> > http rather than https.
> >
> > Any help would be greatly appreciated.
> > Thanks in advance,
> > Glenn
>
> --
> --Hynek
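For the "Could not process response from SAML identity provider" / "No assertion from response" error reported at the top of this thread, a small inspection script, added here as an illustration and not code from Keycloak or ADFS, that decodes a posted SAMLResponse value and reports what the broker actually received: issuer, destination, the IdP status codes, and whether a plain or encrypted Assertion is present at all. The sample response, its hostnames and its endpoint path are constructed.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces (fixed by the SAML specification).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse form value and summarise the parts a broker
    checks: issuer, destination, status codes, and whether any saml:Assertion or
    saml:EncryptedAssertion is actually present."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status", NS)
    # Nested StatusCode elements carry the detailed reason, in document order.
    codes = [] if status is None else [
        c.get("Value", "") for c in status.iter("{%s}StatusCode" % NS["samlp"])]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "destination": root.get("Destination", ""),
        "status_codes": codes,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def diagnose(summary):
    """One-line finding for the troubleshooter, derived from the summary."""
    if summary["status_codes"] and summary["status_codes"][0] != SUCCESS:
        return "IdP reported failure: " + " / ".join(summary["status_codes"])
    if summary["assertions"] == 0 and summary["encrypted_assertions"] == 0:
        return "Success status but no Assertion or EncryptedAssertion element"
    if summary["encrypted_assertions"]:
        return "Assertion is encrypted; the broker needs the matching decryption key"
    return "Plain assertion present"

# Constructed sample (not real ADFS output): a Responder failure with no assertion.
SAMPLE_FAILURE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
  IssueInstant="2017-03-03T00:00:00Z"
  Destination="http://keycloak.example/auth/realms/demo/broker/adfs/endpoint">
  <saml:Issuer>http://adfs.example/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode></samlp:Status>
</samlp:Response>""")

if __name__ == "__main__":
    print(diagnose(inspect_saml_response(SAMPLE_FAILURE)))
```

The base64 value to feed it is the SAMLResponse form field the browser posts to the broker endpoint, which can be copied from the browser's developer tools or a SAML tracer extension.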

