Hi,
Is it possible to configure an OpenID connect client for authentication,
using Keycloak as a broker to a SAML2 identity provider (ADFS)?
I am trying to do so, and after ADFS successful authentication, Keycloak
always displays the login form.
Thanks,
2017-12-04 19:16:08,150 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-31)
Authorization code is valid.
2017-12-04 19:16:08,152 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder]
(default task-31) saml document: <samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
AssertionConsumerServiceURL="
https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint&...
Destination="https://adfs/adfs/ls/" ForceAuthn="false"
ID="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b" IsPassive="false"
IssueInstant="2017-12-04T19:16:08.151Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://localhost:8061/auth/realms/master</saml:Issuer><samlp:Na...
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2017-12-04 19:16:08,153 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-31)
Identity provider [org.keycloak.broker.saml.SAMLIdentityProvider@678796c4]
is going to send a request
[org.jboss.resteasy.specimpl.BuiltResponse@5976b246].
2017-12-04 19:16:08,153 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
JtaTransactionWrapper commit
2017-12-04 19:16:08,153 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
JtaTransactionWrapper end
2017-12-04 19:16:08,347 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-64) new
JtaTransactionWrapper
2017-12-04 19:16:08,348 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-64) was
existing? false
2017-12-04 19:16:08,349 DEBUG [org.keycloak.saml.SAMLRequestParser]
(default task-64) SAML Redirect Binding
2017-12-04 19:16:08,349 DEBUG [org.keycloak.saml.SAMLRequestParser]
(default task-64) <samlp:Response
ID="_ac706804-f304-4153-88e0-07aee06dd4e6" Version="2.0"
IssueInstant="2017-12-04T19:16:08.360Z" Destination="
https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint&...
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
http://adfs/adfs/services/trust</Issuer><samlp:Status><sam...
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"
/></samlp:Status></samlp:Response>
2017-12-04 19:16:08,350 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-64)
Got authorization code from client [oidc-client].
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-64)
Authorization code is valid.
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-64)
AUTHENTICATE
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-64)
AUTHENTICATE ONLY
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
processFlow
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
check execution: auth-cookie requirement: ALTERNATIVE
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
execution is processed
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
check execution: auth-spnego requirement: DISABLED
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
execution is processed
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
execution is processed
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
check execution: null requirement: ALTERNATIVE
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
execution is flow
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
processFlow
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
check execution: auth-username-password-form requirement: REQUIRED
2017-12-04 19:16:08,351 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
authenticator: auth-username-password-form