[keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Glenn Campbell campbellg at teds.com
Wed Mar 8 08:01:20 EST 2017 

(re-sent, forgot to include keycloak-user)

I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.

It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
sure of the proper way to turn on SAML logging. I turned on debug logging
for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
log file wasn't very helpful. It looked like most of the info was encrypted
and/or hashed.

However, I think I have a working configuration now. I need to test more to
be sure but it looks promising so far. In my frustration I changed several
things but I think the changes that made a difference were as follows:

1) Self-signed Certificates
The self-signed certificates I'm using in my test environment may have been
getting in my way. Or rather the various machines in my test environment
not trusting the self-signed certificates of the other machines. It is
probably unnecessary but I set all machines in my test environment to trust
the certificates from all other machines. I know client machines will need
to trust the certificates from both my Keycloak machine and my SAML machine
but do the Keycloak and SAML machines need to trust the certificates from
each other?

2) NameID Policy Format
I tried your suggestion of using "Windows Domain Qualified Name" but that
didn't seem to work. I set it to "Unspecified" and that didn't work either
until...

3) ADFS Relying Party Claim mapping
I added a Claim mapping on the Relying Party for Keycloak to map
"SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
let things start working.

Being an ADFS novice (or SAML novice in general) I'm not clear on why the
above items make everything work. Can you provide any information regarding
why the above items are important? I'm happy when things work but I'm even
happier when I understand why they work.

Thanks again for all of your help.


On Tue, Mar 7, 2017 at 4:26 PM, Glenn Campbell <campbellg at teds.com> wrote:

> I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.
>
> It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
> sure of the proper way to turn on SAML logging. I turned on debug logging
> for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
> log file wasn't very helpful. It looked like most of the info was encrypted
> and/or hashed.
>
> However, I think I have a working configuration now. I need to test more
> to be sure but it looks promising so far. In my frustration I changed
> several things but I think the changes that made a difference were as
> follows:
>
> 1) Self-signed Certificates
> The self-signed certificates I'm using in my test environment may have
> been getting in my way. Or rather the various machines in my test
> environment not trusting the self-signed certificates of the other
> machines. It is probably unnecessary but I set all machines in my test
> environment to trust the certificates from all other machines. I know
> client machines will need to trust the certificates from both my Keycloak
> machine and my SAML machine but do the Keycloak and SAML machines need to
> trust the certificates from each other?
>
> 2) NameID Policy Format
> I tried your suggestion of using "Windows Domain Qualified Name" but that
> didn't seem to work. I set it to "Unspecified" and that didn't work either
> until...
>
> 3) ADFS Relying Party Claim mapping
> I added a Claim mapping on the Relying Party for Keycloak to map
> "SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
> let things start working.
>
> Being an ADFS novice (or SAML novice in general) I'm not clear on why the
> above items make everything work. Can you provide any information regarding
> why the above items are important? I'm happy when things work but I'm even
> happier when I understand why they work.
>
> Thanks again for all of your help.
> Glenn
>
> On Tue, Mar 7, 2017 at 4:58 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>
>> What is your Keycloak and ADFS versions? What are the responses you
>> receive from ADFS? Please enable logging of SAML messages to see them (see
>> [1] how to do that).
>>
>> A wild guess: does setting the "NameID Policy Format" [2] to "Windows
>> Domain Qualified Name" help?
>>
>> --Hynek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedComment
>> Id=13336560&page=com.atlassian.jira.plugin.system.issuetabpa
>> nels%3Acomment-tabpanel#comment-13336560
>> [2] https://keycloak.gitbooks.io/server-adminstration-guide/cont
>> ent/topics/identity-broker/saml.html
>>
>> On 03/03/2017 09:49 PM, Glenn Campbell wrote:
>>
>>> Thank you for your suggestions. Making those changes seems to have
>>> solved that problem. I don't think I would have ever figured that out on my
>>> own.
>>>
>>> Now I'm on to the next problem. When I enter the login credentials on
>>> the SAML IdP login page I get an error in Keycloak and the log file has a
>>> "Could not process response from SAML identity provider" error message with
>>> a root cause of "No assertion from response".
>>>
>>> Do you have any suggestions on what I need to do to fix this problem?
>>>
>>> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik at redhat.com
>>> <mailto:hmlnarik at redhat.com>> wrote:
>>>
>>>     Actually https matters, ADFS had been rejecting any SAML
>>> communication
>>>     with keycloak for me until https was enabled. Also for ADFS, there is
>>>     a special settings for KeyInfo element that needs to be set to
>>>     CERT_SUBJECT in SAML Signature Key Name option of SAML Identity
>>>     Provider settings [1].
>>>
>>>     [1] https://keycloak.gitbooks.io/documentation/server_admin/topi
>>> cs/identity-broker/saml.html <https://keycloak.gitbooks.io/
>>> documentation/server_admin/topics/identity-broker/saml.html>
>>>
>>>
>>>     On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg at teds.com
>>> <mailto:campbellg at teds.com>> wrote:
>>>     > What is the correct way to set up identity brokering from Keycloak
>>> to ADFS?
>>>     > I’m new to ADFS so I suspect I’ve configured something incorrectly
>>> there.
>>>     >
>>>     > Here’s what I’ve done so far:
>>>     >
>>>     > 1) Installed ADFS.
>>>     > 2) Opened ADFS Management.
>>>     > 3) Walked through the ADFS Configuration Wizard.
>>>     > At one point in the process it asked which certificate I wanted to
>>> use. I
>>>     > didn’t have one so I went into IIS Manager and created a
>>> self-signed
>>>     > certificate. Then I came back to the ADFS Configuration Wizard and
>>> selected
>>>     > the newly created certificate.
>>>     > At the end of the process there was a list of configuration items
>>> that had
>>>     > been performed and they all had green checkmarks by them.
>>>     > Clicked Close.
>>>     >
>>>     > 4) At this point ADFS Management said I needed to configure a
>>> Trusted
>>>     > Relying Party so I went to Keycloak to start setting up that side
>>> of things.
>>>     > 5) Since the certificate used by ADFS is self-signed I exported it
>>> from IIS
>>>     > and imported it into the Wildfly jssecerts where Keycloak is
>>> running and
>>>     > restarted Wildfly/Keycloak.
>>>     > 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
>>>     > server>/FederationMetadata/2007-06/FederationMetadata.xml
>>>     > 7) In Keycloak admin console, on the Identity Providers page I
>>> chose “Add
>>>     > provider… SAML v2.0”
>>>     > 8) Entered an alias for the new IdP then in “Import from file ->
>>> Select
>>>     > File” I chose the FederationMetadata.xml that I acquired from the
>>> ADFS
>>>     > server.
>>>     > 9) Saved the IdP configuration.
>>>     > 10) Went to the Export tab of the newly created IdP and downloaded
>>> the xml
>>>     > config file.
>>>     >
>>>     > 11) At this point I went back to ADFS Management and followed the
>>> steps to
>>>     > create a Trusted Relying Party, choosing to import data about the
>>> relying
>>>     > party from the xml file exported from Keycloak.
>>>     > 12) For the rest of the Relying Party configuration I accepted the
>>> defaults.
>>>     >
>>>     > When I go to the url for my application I’m redirected to the
>>> Keycloak
>>>     > login screen where I select the Identity Provider I configured. I
>>> get a
>>>     > security certificate warning since the certificate from the server
>>> is
>>>     > self-signed but I choose to continue despite the warning. Then I
>>> get an
>>>     > error page saying there was a problem accessing the site. I don’t
>>> get the
>>>     > ADFS page where I would enter my login credentials.
>>>     >
>>>     > I don’t know if it matters but my application and Keycloak
>>> currently use
>>>     > http rather than https.
>>>     >
>>>     > Any help would be greatly appreciated.
>>>     > Thanks in advance,
>>>     > Glenn
>>>     > _______________________________________________
>>>     > keycloak-user mailing list
>>>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jb
>>> oss.org>
>>>     > https://lists.jboss.org/mailman/listinfo/keycloak-user <
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>
>>>
>>>
>>>     --
>>>
>>>     --Hynek
>>>
>>>
>>>
>

More information about the keycloak-user mailing list