I managed to make it work after using the realm certificate in AD FS (instead of my SSL certificate), installing the Java Cryptography Extension, and setting up a truststore in my web app.


From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Robert van Loenhout
Sent: 28 July 2016 13:56
To: Marc Boorshtein <marc.boorshtein@tremolosecurity.com>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response

I have changed the NameID Policy Format in Keycloak from ‘Persistent’ (which was set initially after importing the FederationMetadata.xml) to ‘Unspecified’.

I don’t see any error anymore in the AD FS log.

However, I now get a decryption error in the Keycloak server log:


Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1532)
    at org.keycloak.saml.processing.core.util.XMLEncryptionUtil.decryptElementInDocument(XMLEncryptionUtil.java:472)
    ... 55 more
Caused by: java.security.InvalidKeyException: Unwrapping failed
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
    at javax.crypto.Cipher.unwrap(Cipher.java:2550)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1530)
    ... 56 more
Caused by: javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:499)
    at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:293)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
    ... 58 more
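
The trace above and the fix reported at the top of this thread (pointing AD FS at the realm certificate rather than the SSL certificate) describe the same failure: RSAPadding.unpadOAEP rejects the wrapped session key because AD FS encrypted it to a public key whose private half Keycloak does not hold. The Go program below is an added example, not code from the thread, from Keycloak or from AD FS. It generates two throwaway RSA keys with self-signed certificates (constructed stand-ins for the realm key and an unrelated TLS key), builds a constructed minimal SP metadata document with a placeholder entityID, checks whether the published encryption certificate matches the SP's private key, and shows that a session key wrapped with RSA-OAEP to the wrong certificate fails to unwrap with a generic decryption error, while the certificate read from the metadata unwraps cleanly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert issues a throwaway certificate for key (a constructed stand-in for the realm certificate).
func selfSignedCert(key *rsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spMetadata builds a constructed, minimal SP metadata document; the entityID is a placeholder.
func spMetadata(cert *x509.Certificate) string {
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid/adfs-realm">
  <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>` + base64.StdEncoding.EncodeToString(cert.Raw) + `</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>`
}

type entityDescriptor struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"SPSSODescriptor>KeyDescriptor"`
}

// encryptionCert returns the certificate the IdP must encrypt to: use="encryption", or no use attribute (valid for both).
func encryptionCert(metadata string) (*x509.Certificate, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	for _, kd := range ed.Keys {
		if kd.Use != "encryption" && kd.Use != "" {
			continue
		}
		// Real metadata wraps the base64 over several lines, so strip all whitespace before decoding.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kd.Cert), ""))
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	return nil, fmt.Errorf("metadata has no encryption KeyDescriptor")
}

// keyMatchesCert reports whether priv is the private half of cert's public key.
func keyMatchesCert(priv *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

// wrapSessionKey is the IdP side of xmlenc rsa-oaep-mgf1p: the assertion's AES key is RSA-OAEP(SHA-1) encrypted to the SP certificate.
func wrapSessionKey(cert *x509.Certificate, sessionKey []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, sessionKey, nil)
}

// unwrapSessionKey is the SP side (XMLCipher.decryptKey in the trace); with the wrong key OAEP unpadding fails with "crypto/rsa: decryption error", Java's BadPaddingException.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key the SP (Keycloak) holds
	sslKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // unrelated TLS key
	realmCert, _ := selfSignedCert(realmKey, "keycloak-realm")
	sslCert, _ := selfSignedCert(sslKey, "keycloak-tls")
	published, _ := encryptionCert(spMetadata(realmCert)) // what the IdP should be given
	sessionKey := []byte("0123456789abcdef")              // constructed 128-bit content key
	for _, c := range []*x509.Certificate{sslCert, published} {
		wrapped, _ := wrapSessionKey(c, sessionKey)
		_, err := unwrapSessionKey(realmKey, wrapped)
		fmt.Printf("IdP encrypts to %q: key matches=%v, unwrap error=%v\n", c.Subject.CommonName, keyMatchesCert(realmKey, c), err)
	}
}
```

Run it with `go run`. The keyMatchesCert comparison is the check to do first: take the X509Certificate under the `use="encryption"` KeyDescriptor that Keycloak publishes and compare it with the certificate configured on the AD FS relying-party trust. Only once those agree is it worth looking at the JCE unlimited-strength policy (needed on JDKs of that era for 256-bit AES content encryption, which AD FS uses by default) and at the truststore.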

 

 

From: Marc Boorshtein [mailto:marc.boorshtein@tremolosecurity.com]
Sent: 28 July 2016 12:32
To: Robert van Loenhout <r.vanloenhout@greenvalley.nl>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response

What does your authnrequest look like?  ADFS is really fickle about format. Common issues with the authnrequest are:
1. Nameidformat
2. Authncontextclassref
3. Sha1 signature

#1 is the biggest issue I see. You need to write a claims rule in adfs to make sure it maps properly or just remove the nameidformat from the authnrequest.

Marc Boorshtein
CTO, Tremolo Security, Inc.


On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout@greenvalley.nl> wrote:

Hi,

I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think I’ve set up everything, but I am getting an internal error from keycloak.

The server log contains

2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.

The root cause is “No assertion from response”.

So far the only information I have found about this is a Keycloak issue ticket:

https://issues.jboss.org/browse/KEYCLOAK-3103

Has anyone had any luck using AD FS in combination with Keycloak?

Is there any configuration I could change in AD FS or Keycloak to work around this problem?



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user