Actually, HTTPS matters: ADFS had been rejecting any SAML communication
with Keycloak for me until HTTPS was enabled. Also, for ADFS there is
a special setting for the KeyInfo element that needs to be set to
CERT_SUBJECT in the "SAML Signature Key Name" option of the SAML Identity
Provider settings [1].
[1]
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b...
On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg(a)teds.com> wrote:
What is the correct way to set up identity brokering from Keycloak to
ADFS?
I’m new to ADFS, so I suspect I’ve configured something incorrectly there.
Here’s what I’ve done so far:
1) Installed ADFS.
2) Opened ADFS Management.
3) Walked through the ADFS Configuration Wizard.
At one point in the process it asked which certificate I wanted to use. I
didn’t have one so I went into IIS Manager and created a self-signed
certificate. Then I came back to the ADFS Configuration Wizard and selected
the newly created certificate.
At the end of the process there was a list of configuration items that had
been performed and they all had green checkmarks by them.
Clicked Close.
4) At this point ADFS Management said I needed to configure a Trusted
Relying Party so I went to Keycloak to start setting up that side of things.
5) Since the certificate used by ADFS is self-signed I exported it from IIS
and imported it into the Wildfly jssecerts where Keycloak is running and
restarted Wildfly/Keycloak.
6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
server>/FederationMetadata/2007-06/FederationMetadata.xml
7) In Keycloak admin console, on the Identity Providers page I chose “Add
provider… SAML v2.0”
8) Entered an alias for the new IdP then in “Import from file -> Select
File” I chose the FederationMetadata.xml that I acquired from the ADFS
server.
9) Saved the IdP configuration.
10) Went to the Export tab of the newly created IdP and downloaded the xml
config file.
11) At this point I went back to ADFS Management and followed the steps to
create a Trusted Relying Party, choosing to import data about the relying
party from the xml file exported from Keycloak.
12) For the rest of the Relying Party configuration I accepted the defaults.
When I go to the url for my application I’m redirected to the Keycloak
login screen where I select the Identity Provider I configured. I get a
security certificate warning since the certificate from the server is
self-signed, but I choose to continue despite the warning. Then I get an
error page saying there was a problem accessing the site. I don’t get the
ADFS page where I would enter my login credentials.
I don’t know if it matters but my application and Keycloak currently use
http rather than https.
Any help would be greatly appreciated.
Thanks in advance,
Glenn
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
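The two pitfalls raised in the reply above (ADFS refusing a SAML exchange with a plain-http peer, and the KeyInfo "SAML Signature Key Name" option needing CERT_SUBJECT), together with the metadata-import step from the original question, as an added example that is not part of this thread and not Keycloak or ADFS code. It parses a constructed stand-in for ADFS's FederationMetadata.xml (the certificate body is a placeholder, not a real certificate), refuses to proceed when either the ADFS SSO endpoint or the Keycloak base URL is not https, and emits the identity-provider representation Keycloak's admin REST API accepts. The config key names (singleSignOnServiceUrl, signingCertificate, xmlSigKeyInfoKeyNameTransformer, ...) are the ones the SAML identity-provider representation uses as far as I know them; the hostnames are made up; check both against the admin console of your Keycloak version before relying on this.

```python
"""Turn ADFS federation metadata into a Keycloak SAML identity-provider definition.

Added example, not Keycloak or ADFS code. SAMPLE_METADATA is a constructed
stand-in for https://<adfs>/FederationMetadata/2007-06/FederationMetadata.xml
with only the SAML 2.0 IdP parts kept (WS-Federation RoleDescriptors dropped).
"""
import json
import xml.etree.ElementTree as ET  # for metadata from an untrusted host use defusedxml instead
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; the X509Certificate body is a placeholder, not a real cert.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>
          MIIC...PLACEHOLDER...AQAB
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>MIIC...ENCRYPTION...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://adfs.example.local/adfs/ls/"/>
    <SingleSignOnService Binding="{BINDING_POST}" Location="https://adfs.example.local/adfs/ls/"/>
    <SingleLogoutService Binding="{BINDING_POST}" Location="https://adfs.example.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_adfs_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificate(s), NameID formats and SAML endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML 2.0 IdP metadata")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute is valid for signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # drop base64 line wrapping
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    endpoints = lambda tag: {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}{tag}")}
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")],
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
    }


def transport_problems(*urls: str) -> list:
    """Return every URL that is not https; ADFS will not talk SAML to those."""
    return [u for u in urls if urlparse(u).scheme != "https"]


def build_keycloak_saml_idp(meta: dict, alias: str, keycloak_base_url: str) -> dict:
    """Build a Keycloak IdentityProviderRepresentation for the ADFS IdP."""
    sso_url = meta["sso"].get(BINDING_REDIRECT) or meta["sso"].get(BINDING_POST)
    if sso_url is None:
        raise ValueError("metadata has no HTTP-Redirect or HTTP-POST SSO endpoint")
    bad = transport_problems(sso_url, keycloak_base_url)
    if bad:
        raise ValueError("plain-http endpoints will be rejected by ADFS: " + ", ".join(bad))
    config = {
        "singleSignOnServiceUrl": sso_url,
        "postBindingAuthnRequest": "true",
        "postBindingResponse": "true",
        "nameIDPolicyFormat": (meta["nameid_formats"] or
                               ["urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"])[0],
        "validateSignature": "true",
        "signingCertificate": ",".join(meta["signing_certs"]),  # several certs: comma separated
        "wantAuthnRequestsSigned": "true",
        "signatureAlgorithm": "RSA_SHA256",
        # Admin-console option "SAML Signature Key Name"; ADFS rejects the default.
        "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
    }
    if meta["slo"].get(BINDING_POST):
        config["singleLogoutServiceUrl"] = meta["slo"][BINDING_POST]
    return {"alias": alias, "providerId": "saml", "enabled": True, "config": config}


if __name__ == "__main__":
    rep = build_keycloak_saml_idp(parse_adfs_metadata(SAMPLE_METADATA), "adfs",
                                  "https://keycloak.example.local/auth")
    # POST this JSON to /admin/realms/<realm>/identity-provider/instances
    print(json.dumps(rep, indent=2))
```

Running it against a Keycloak that still listens on http, as in the original question, stops at the transport check rather than producing a broker that ADFS will silently refuse; swap SAMPLE_METADATA for the real FederationMetadata.xml once the self-signed ADFS certificate is trusted by the JVM running Keycloak, as step 5 of the question describes.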