2:49 p.m.
Thank you for your suggestions. Making those changes seems to have solved
that problem. I don't think I would have ever figured that out on my own.
Now I'm on to the next problem. When I enter the login credentials on the
SAML IdP login page I get an error in Keycloak and the log file has a
"Could not process response from SAML identity provider" error message with
a root cause of "No assertion from response".
Do you have any suggestions on what I need to do to fix this problem?
On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Actually https matters, ADFS had been rejecting any SAML
communication
with keycloak for me until https was enabled. Also for ADFS, there is
a special settings for KeyInfo element that needs to be set to
CERT_SUBJECT in SAML Signature Key Name option of SAML Identity
Provider settings [1].
[1] https://keycloak.gitbooks.io/documentation/server_admin/
topics/identity-broker/saml.html
On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg(a)teds.com>
wrote:
> What is the correct way to set up identity brokering from Keycloak to
ADFS?
> I’m new to ADFS so I suspect I’ve configured something incorrectly there.
>
> Here’s what I’ve done so far:
>
> 1) Installed ADFS.
> 2) Opened ADFS Management.
> 3) Walked through the ADFS Configuration Wizard.
> At one point in the process it asked which certificate I wanted to use. I
> didn’t have one so I went into IIS Manager and created a self-signed
> certificate. Then I came back to the ADFS Configuration Wizard and
selected
> the newly created certificate.
> At the end of the process there was a list of configuration items that
had
> been performed and they all had green checkmarks by them.
> Clicked Close.
>
> 4) At this point ADFS Management said I needed to configure a Trusted
> Relying Party so I went to Keycloak to start setting up that side of
things.
> 5) Since the certificate used by ADFS is self-signed I exported it from
IIS
> and imported it into the Wildfly jssecerts where Keycloak is running and
> restarted Wildfly/Keycloak.
> 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
> server>/FederationMetadata/2007-06/FederationMetadata.xml
> 7) In Keycloak admin console, on the Identity Providers page I chose “Add
> provider… SAML v2.0”
> 8) Entered an alias for the new IdP then in “Import from file -> Select
> File” I chose the FederationMetadata.xml that I acquired from the ADFS
> server.
> 9) Saved the IdP configuration.
> 10) Went to the Export tab of the newly created IdP and downloaded the
xml
> config file.
>
> 11) At this point I went back to ADFS Management and followed the steps
to
> create a Trusted Relying Party, choosing to import data about the relying
> party from the xml file exported from Keycloak.
> 12) For the rest of the Relying Party configuration I accepted the
defaults.
>
> When I go to the url for my application I’m redirected to the Keycloak
> login screen where I select the Identity Provider I configured. I get a
> security certificate warning since the certificate from the server is
> self-signed but I choose to continue despite the warning. Then I get an
> error page saying there was a problem accessing the site. I don’t get the
> ADFS page where I would enter my login credentials.
>
> I don’t know if it matters but my application and Keycloak currently use
> http rather than https.
>
> Any help would be greatly appreciated.
> Thanks in advance,
> Glenn
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek