[keycloak-user] SAML IdP and ADFS trust

Ben Redahan ben_redahan at trimble.com
Wed Nov 8 06:06:44 EST 2017

Hi all,

I'm configuring a SAML Identity Provider in Keycloak to allow single sign
on with a customer ADFS server. I'm following this guide:

I'm working in a development environment with a test ADFS server using a
self-signed Service Communications certificate (I had to install and
configure this myself so I could have gone wrong here). Keycloak is running
on an AWS instance behind a load balancer, incoming https is handled by
I've configured the Relying Party Trust on ADFS and the
FederationMetadata.xml in the Keycloak identity provider.

During testing I deployed a Keycloak image without a truststore or Service
Communications certificate, but the redirect still works. When I click the
SSO button from the Keycloak login page I am redirected to the ADFS login
page, though from my understanding the outbound https request to the ADFS
endpoint should fail, since Keycloak doesn't trust the ADFS server.
Shouldn't the first redirect fail if there's no truststore or SSL

I'm a novice at this so there's almost certainly a gap in my understanding,
but I've searched through all the documentation I can find and can't make
sense of it. Can anyone help?




*Ben Redahan | Software Engineer*

*Phone **+353 1 539 8744 <%2B353%201%20539%208744>*


*www.trimble.com/rail-assets* <http://www.trimble.com/rail-assets>*| *
*www.nexala.com* <http://www.nexala.com/>* | **www.trimble.com/rail*

*Newsletter Sign Up*
| **Request
Demo* <http://infogeospatial.trimble.com/rail-asset-newsletter-signup.html>*
| **LinkedIn <https://www.linkedin.com/company/trimble-railway-solutions>*

More information about the keycloak-user mailing list