What does your authnrequest look like?  ADFS is really fickle about format. Common issues with the authnrequest are:
1. Nameidformat
2. Authncontextclassref
3. Sha1 signature

#1 is the biggest issue I see. You need to write a claims rule in adfs to make sure it maps properly or just remove the nameidformat from the authnrequest.

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout@greenvalley.nl> wrote:



I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think I’ve set up everything, but I am getting an internal error from keycloak.

The server log contains

2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.

The root cause is “No assertion from response”


So far the only information about this I have found so far is a keycloak issue ticket



Has anyone got any luck using AD FS in combination with keycloak?

Is there any configuration I could change in AD FS or Keycloak or workaround this problem?


keycloak-user mailing list