I have changed the NameID Policy Format in Keycloak from ‘Persistent’, which was initially set after importing the FederationMetadata.xml, to ‘Unspecified’.

I don’t see any error anymore in the AD FS log.


However, I now get a decryption error in the Keycloak server log:


Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
        at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1532)
        at org.keycloak.saml.processing.core.util.XMLEncryptionUtil.decryptElementInDocument(XMLEncryptionUtil.java:472)
        ... 55 more
Caused by: java.security.InvalidKeyException: Unwrapping failed
        at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
        at javax.crypto.Cipher.unwrap(Cipher.java:2550)
        at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1530)
        ... 56 more
Caused by: javax.crypto.BadPaddingException: Decryption error
        at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:499)
        at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:293)
        at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
        at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
        ... 58 more
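
The trace above ends in RSAPadding.unpadOAEP throwing BadPaddingException while Keycloak unwraps the EncryptedKey, which is what RSA-OAEP decryption produces when the private key does not correspond to the public key the sender encrypted to (with the wrong key the RSA output is random and the OAEP integrity check fails). The script below is an added example, not Keycloak code and not from any message in this thread: it locates the EncryptedKey in an encrypted SAML Response, reports the key transport and data encryption algorithms, and compares the certificate named in the EncryptedKey's KeyInfo with the encryption certificate the SP holds the private key for. The Response it parses is a constructed sample; the certificate values are placeholders (base64 of short strings, not real DER) and the hostnames are assumptions.

```python
"""Diagnose a SAML Response decryption failure: which key transport algorithm was used,
and does the certificate in the EncryptedKey match the SP's own encryption certificate?
Added example; constructed sample data, no real certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"


def cert_fingerprint(b64_der: str) -> str:
    """SHA-1 fingerprint (hex) of a base64-encoded DER blob, tolerant of line breaks."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest()


def inspect_encrypted_response(xml_bytes: bytes, sp_cert_b64: str) -> dict:
    """Report key transport details of an encrypted assertion and compare the
    certificate the IdP encrypted to with the certificate the SP expects (sp_cert_b64)."""
    root = ET.fromstring(xml_bytes)
    enc_assertion = root.find("saml:EncryptedAssertion", NS)
    if enc_assertion is None:
        raise ValueError("no saml:EncryptedAssertion; this is not a decryption problem")
    enc_data = enc_assertion.find("xenc:EncryptedData", NS)
    if enc_data is None:
        raise ValueError("EncryptedAssertion without xenc:EncryptedData")
    # XML Encryption allows the EncryptedKey either inside EncryptedData/ds:KeyInfo
    # or as a sibling of EncryptedData; look in both places.
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if enc_key is None:
        enc_key = enc_assertion.find("xenc:EncryptedKey", NS)
    data_method = enc_data.find("xenc:EncryptionMethod", NS)
    key_method = None if enc_key is None else enc_key.find("xenc:EncryptionMethod", NS)
    cert_el = None if enc_key is None else enc_key.find(
        "ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)

    report = {
        "data_algorithm": None if data_method is None else data_method.get("Algorithm"),
        "key_algorithm": None if key_method is None else key_method.get("Algorithm"),
        "idp_cert_fingerprint": cert_fingerprint(cert_el.text)
        if cert_el is not None and cert_el.text else None,
        "sp_cert_fingerprint": cert_fingerprint(sp_cert_b64),
    }
    if report["idp_cert_fingerprint"] is None:
        report["verdict"] = ("no X509Certificate in the EncryptedKey's KeyInfo; compare the relying "
                             "party's encryption certificate on the IdP with the SP key pair by hand")
    elif report["idp_cert_fingerprint"] != report["sp_cert_fingerprint"]:
        report["verdict"] = ("key mismatch: the IdP encrypted to a different certificate than the one "
                             "the SP holds the private key for; RSA unwrap with the wrong key ends in "
                             "BadPaddingException")
    elif report["key_algorithm"] != RSA_OAEP_MGF1P:
        report["verdict"] = ("certificate matches; key transport algorithm %s is not RSA-OAEP-MGF1P, "
                             "check that the SP supports it" % report["key_algorithm"])
    else:
        report["verdict"] = ("certificate matches and RSA-OAEP-MGF1P is used; "
                             "check the OAEP digest parameters next")
    return report


# Constructed placeholders standing in for base64 DER certificates (not real certificates).
CONSTRUCTED_CERT_A = base64.b64encode(b"constructed-cert-A").decode("ascii")
CONSTRUCTED_CERT_B = base64.b64encode(b"constructed-cert-B").decode("ascii")

# Constructed Response: encrypted assertion, AES-256-CBC data, RSA-OAEP-MGF1P key transport.
SAMPLE_RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed_response" Version="2.0" IssueInstant="2016-07-28T11:08:32Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </xenc:EncryptionMethod>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def build_sample_response(cert_b64: str) -> bytes:
    """Fill the constructed Response with the certificate the 'IdP' encrypted to."""
    return SAMPLE_RESPONSE_TEMPLATE.format(cert=cert_b64).encode("utf-8")


if __name__ == "__main__":
    # The IdP encrypted to cert A, the SP holds the key for cert B: the mismatch case.
    print(inspect_encrypted_response(build_sample_response(CONSTRUCTED_CERT_A), CONSTRUCTED_CERT_B)["verdict"])
```

Feed it the raw SAMLResponse (base64-decoded POST parameter) and the base64 certificate from the SP's own metadata `KeyDescriptor use="encryption"`. If the fingerprints differ, the relying party trust on AD FS is encrypting to an old or different certificate and the fix is on that side; if they match, the key is right and the OAEP parameters are the next thing to compare.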



From: Marc Boorshtein [mailto:marc.boorshtein@tremolosecurity.com]
Sent: 28 July 2016 12:32
To: Robert van Loenhout <r.vanloenhout@greenvalley.nl>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response


What does your AuthnRequest look like? ADFS is really fickle about format. Common issues with the AuthnRequest are:
1. NameIDFormat
2. AuthnContextClassRef
3. SHA1 signature

#1 is the biggest issue I see. You need to write a claims rule in ADFS to make sure it maps properly, or just remove the NameIDFormat from the AuthnRequest.

Marc Boorshtein
CTO, Tremolo Security, Inc.


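The three things Marc lists can be checked against the actual AuthnRequest Keycloak sends rather than guessed from the configuration. The script below is an added example, not code from Keycloak, AD FS or any poster in this thread: it decodes a SAMLRequest parameter as the HTTP-Redirect binding encodes it (base64 over raw DEFLATE), reports the NameIDPolicy Format, the RequestedAuthnContext class references and the signature algorithm, and shows what the request looks like once NameIDPolicy is dropped, which is Marc's second suggestion. The AuthnRequest it parses is a constructed sample with a placeholder SignatureValue; the hostnames and realm name are assumptions.

```python
"""Inspect a SAML 2.0 AuthnRequest for the fields AD FS is picky about:
NameIDPolicy Format, RequestedAuthnContext and the signature algorithm.
Added example; the request below is a constructed sample, not a real capture."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep prefixes stable when serialising

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def decode_redirect_request(saml_request_param: str) -> bytes:
    """Reverse the HTTP-Redirect binding: base64, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15)


def encode_redirect_request(xml_bytes: bytes) -> str:
    """Encode the way the Redirect binding does; used here only to build test input."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(compressor.compress(xml_bytes) + compressor.flush()).decode("ascii")


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Return the three AD FS-sensitive fields plus a list of findings."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    nameid = root.find("samlp:NameIDPolicy", NS)
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    report = {
        "nameid_format": None if nameid is None else nameid.get("Format"),
        "authn_context_class_refs": [] if ctx is None else [
            e.text.strip() for e in ctx.findall("saml:AuthnContextClassRef", NS) if e.text],
        "signature_algorithm": None if sig is None else sig.get("Algorithm"),
    }
    findings = []
    if report["nameid_format"] is not None:
        findings.append("NameIDPolicy Format=%s is requested; the IdP must issue exactly that "
                        "format (claims rule) or the element should be dropped" % report["nameid_format"])
    if report["authn_context_class_refs"]:
        findings.append("RequestedAuthnContext present (%s); the IdP must be able to satisfy it"
                        % ", ".join(report["authn_context_class_refs"]))
    if report["signature_algorithm"] == RSA_SHA1:
        findings.append("request signed with RSA-SHA1; the relying party trust must be set to "
                        "SHA-1, or the SP switched to SHA-256")
    report["findings"] = findings
    return report


def strip_nameid_policy(xml_bytes: bytes) -> bytes:
    """Remove samlp:NameIDPolicy so the IdP chooses the NameID format itself."""
    root = ET.fromstring(xml_bytes)
    for nameid in root.findall("samlp:NameIDPolicy", NS):
        root.remove(nameid)
    return ET.tostring(root)


# Constructed sample: persistent NameID requested, exact AuthnContext, RSA-SHA1 signature
# with a placeholder SignatureValue (the signature is not verified here).
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed1" Version="2.0" IssueInstant="2016-07-28T10:00:00Z"
    Destination="https://adfs.example.test/adfs/ls/"
    AssertionConsumerServiceURL="https://keycloak.example.test/auth/realms/adfs-realm/broker/adfs/endpoint">
  <saml:Issuer>https://keycloak.example.test/auth/realms/adfs-realm</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    param = encode_redirect_request(SAMPLE_AUTHN_REQUEST)  # what a browser would send as SAMLRequest=
    for line in inspect_authn_request(decode_redirect_request(param))["findings"]:
        print("-", line)
    print(inspect_authn_request(strip_nameid_policy(SAMPLE_AUTHN_REQUEST))["findings"])
```

The real input is the SAMLRequest query parameter the browser carries to /adfs/ls/ (URL-decode it first). Note that removing NameIDPolicy from an already signed request invalidates the signature, so in practice the change is made in the Keycloak identity provider settings, as Robert did; strip_nameid_policy only shows what the resulting request looks like and what the checker then reports.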
On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout@greenvalley.nl> wrote:
I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think I’ve set up everything, but I am getting an internal error from Keycloak.

The server log contains:

2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.

The root cause is “No assertion from response”.


So far the only information about this I have found is a Keycloak issue ticket.
Has anyone got any luck using AD FS in combination with keycloak?

Is there any configuration I could change in AD FS or Keycloak or workaround this problem?

