[keycloak-user] ADFS integration issue

Hynek Mlnarik hmlnarik at redhat.com
Wed Mar 29 09:39:31 EDT 2017


Thanks, that's interesting. I've updated the blog post with your finding.

--Hynek

On Wed, Mar 29, 2017 at 2:55 PM, Dmitry Korchemkin <moon3854 at gmail.com> wrote:
> OK, so I double-checked this behaviour and I'm indeed providing the correct link
> to the ADFS (directly from the browser with the XML opened). What's interesting is
> that while this error appears in Keycloak, ADFS seems to be importing
> everything just fine, so it doesn't look like it's affecting anything.
>
> It looks like ADFS is first checking whether the user provided a link to
> another ADFS (but maybe omitted the /federationmetadata/* part), and when it
> fails to find anything there it uses the link as provided. I can back this
> claim with a little observation - when given a fake URL, it generates two
> errors within Keycloak instead of just one for the correct URL:
>
> 1) Exception handling request to
> /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml:
> org.jboss.resteasy.spi.UnhandledException:
> org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
> [adfs-localll] not found.
>
> 2) Exception handling request to
> /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor:
> org.jboss.resteasy.spi.UnhandledException:
> org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
> [adfs-localll] not found.
>
> As you can see, first it fails to import the XML from the "ADFS-style" path, then it
> fails to get the XML from the link I actually gave it. Not sure why Microsoft
> added this bit of behaviour, but it seems mostly harmless so far.
>
> 2017-03-28 22:01 GMT+03:00 Hynek Mlnarik <hmlnarik at redhat.com>:
>>
>> It is the other way round - as RESTEASY003210 was found in Keycloak's
>> log, something (maybe ADFS) attempted to access the nonexistent URL in
>> Keycloak.
>>
>> I don't know about W2016 as I don't have it anywhere, so I cannot check
>> whether the import tries the ADFS-like descriptor URL (that part after
>> .../descriptor/) automatically. AFAIK, W2012 does not do that, at
>> least I've not been able to reproduce this behaviour. I'm no ADFS
>> expert though.
>>
>> Did you enter exactly
>>
>> "https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor"
>> for the import URL in the relying party trust setup? Can you please double
>> check? If the same issue happens again, I'll update the blog with a
>> new "common issue".
>>
>> Thanks,
>>
>> --Hynek
>>
>>
>> On Tue, Mar 28, 2017 at 4:44 PM, Marc Boorshtein
>> <marc.boorshtein at tremolosecurity.com> wrote:
>> >> 15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
>> >> task-3) RESTEASY002010: Failed to execute:
>> >> javax.ws.rs.NotFoundException:
>> >> RESTEASY003210: Could not find resource for full path:
>> >>
>> >> https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml
>> >>
>> >
>> > Looks like Keycloak is trying to load ADFS' metadata, so use
>> >
>> > https://adfs.server.com/FederationMetadata/2007-06/FederationMetadata.xml
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>>
>> --Hynek
>
>



-- 

--Hynek
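An added example, not code from the thread or from the Keycloak project, that turns the observation above (one RESTEASY003210 error for a correct descriptor URL, two "Identity Provider [...] not found" errors for a wrong one) into a log check. It scans Keycloak ERROR lines for broker descriptor paths, separates the ADFS-style probe (the descriptor URL with /FederationMetadata/2007-06/FederationMetadata.xml appended) from requests for the descriptor URL as given, and reports per realm/alias whether the noise is the harmless ADFS probe or a sign that the relying party trust on the ADFS side points at a non-existent broker alias. The log lines are constructed from the messages quoted in this thread; the timestamp and logger prefixes are assumed, and the verdict names are mine.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in this thread.
# Timestamps and logger categories in brackets are assumed, not copied from a server.
SAMPLE_LOG = """\
15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-3) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml
15:07:12,101 ERROR [io.undertow.request] (default task-4) Exception handling request to /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.
15:07:12,140 ERROR [io.undertow.request] (default task-4) Exception handling request to /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.
15:08:00,000 INFO  [org.keycloak.services] (ServerService Thread Pool -- 60) unrelated line, ignored by the check
"""

# Path ADFS appends when it first assumes the metadata URL points at another ADFS.
ADFS_PROBE_SUFFIX = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Keycloak SAML broker descriptor: /auth/realms/<realm>/broker/<alias>/endpoint/descriptor[<suffix>]
DESCRIPTOR_RE = re.compile(
    r"/auth/realms/(?P<realm>[^/\s]+)/broker/(?P<alias>[^/\s]+)/endpoint/descriptor(?P<suffix>\S*)"
)
IDP_NOT_FOUND_RE = re.compile(r"Identity Provider \[(?P<alias>[^\]]+)\] not found")


def parse_descriptor_errors(log_text):
    """Yield (realm, alias, is_adfs_probe, idp_missing) for every ERROR line
    that names a broker descriptor URL; other lines are ignored."""
    for line in log_text.splitlines():
        if " ERROR " not in line:
            continue
        m = DESCRIPTOR_RE.search(line)
        if not m:
            continue
        suffix = m.group("suffix").rstrip(":,.")  # drop the ':' that follows the path in the log
        yield (
            m.group("realm"),
            m.group("alias"),
            suffix == ADFS_PROBE_SUFFIX,
            bool(IDP_NOT_FOUND_RE.search(line)),
        )


def classify(log_text):
    """Return {(realm, alias): verdict} with one of three (assumed) verdict names:

    benign_adfs_probe  - only the ADFS-style probe path failed; the descriptor
                         URL as given was never reported missing (one error,
                         the correct-URL case in the thread).
    alias_not_found    - Keycloak says the broker alias does not exist, so the
                         URL configured in the ADFS relying party trust is wrong
                         (two errors: the probe, then the URL as given).
    descriptor_missing - the plain descriptor URL 404'd without an alias
                         lookup failure (e.g. wrong realm or context path).
    """
    seen = defaultdict(lambda: {"probe": 0, "plain": 0, "idp_missing": False})
    for realm, alias, is_probe, idp_missing in parse_descriptor_errors(log_text):
        entry = seen[(realm, alias)]
        entry["probe" if is_probe else "plain"] += 1
        entry["idp_missing"] = entry["idp_missing"] or idp_missing

    verdicts = {}
    for key, entry in seen.items():
        if entry["idp_missing"]:
            verdicts[key] = "alias_not_found"
        elif entry["plain"]:
            verdicts[key] = "descriptor_missing"
        else:
            verdicts[key] = "benign_adfs_probe"
    return verdicts


if __name__ == "__main__":
    for (realm, alias), verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"realm={realm} alias={alias}: {verdict}")
```

Run against a real server.log the check is only as good as the assumption behind it: a single RESTEASY003210 on the probe path for an alias that otherwise works is the pattern the thread calls harmless, while any "Identity Provider [...] not found" for the same alias means the URL entered in ADFS, not ADFS's probing, is the problem.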