6:48 p.m.
Hi Suleyman,
You're right, the contents of the Validating X509 Certificates box is
invalid, your stacktrace tells that unambiguously. The field is pre-
populated once you import FederationMetadata.xml, and you shouldn't
change it afterwards.
To avoid recreating the whole IdP, open your FederationMetadata.xml,
find the <ds:X509Certificate> element and copy its value to the box
verbatim.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
Hi,
I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
Details
When I use dummy IDP of Keycloak server, I use
https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url,
"email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use
the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything
right. Keycloak endpoints, SSL keystore and truststore files are at the right locations
and places.
Regards,
Suleyman
________________________________
This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________
www.accenture.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user