Re: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Thank you for your suggestions. Making those changes seems to have solved that problem. I don't think I would have ever figured that out on my own. Now I'm on to the next problem. When I enter the login credentials on the SAML IdP login page I get an error in Keycloak and the log file has a "Could not process response from SAML identity provider" error message with a root cause of "No assertion from response". Do you have any suggestions on what I need to do to fix this problem? On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik(a)redhat.com <mailto:hmlnarik@redhat.com>> wrote: Actually https matters, ADFS had been rejecting any SAML communication with keycloak for me until https was enabled. Also for ADFS, there is a special settings for KeyInfo element that needs to be set to CERT_SUBJECT in SAML Signature Key Name option of SAML Identity Provider settings [1]. [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b... <https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b... On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg(a)teds.com <mailto:campbellg@teds.com>> wrote: > What is the correct way to set up identity brokering from Keycloak to ADFS? > I’m new to ADFS so I suspect I’ve configured something incorrectly there. > > Here’s what I’ve done so far: > > 1) Installed ADFS. > 2) Opened ADFS Management. > 3) Walked through the ADFS Configuration Wizard. > At one point in the process it asked which certificate I wanted to use. I > didn’t have one so I went into IIS Manager and created a self-signed > certificate. Then I came back to the ADFS Configuration Wizard and selected > the newly created certificate. > At the end of the process there was a list of configuration items that had > been performed and they all had green checkmarks by them. > Clicked Close. > > 4) At this point ADFS Management said I needed to configure a Trusted > Relying Party so I went to Keycloak to start setting up that side of things. > 5) Since the certificate used by ADFS is self-signed I exported it from IIS > and imported it into the Wildfly jssecerts where Keycloak is running and > restarted Wildfly/Keycloak. > 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs > server>/FederationMetadata/2007-06/FederationMetadata.xml > 7) In Keycloak admin console, on the Identity Providers page I chose “Add > provider… SAML v2.0” > 8) Entered an alias for the new IdP then in “Import from file -> Select > File” I chose the FederationMetadata.xml that I acquired from the ADFS > server. > 9) Saved the IdP configuration. > 10) Went to the Export tab of the newly created IdP and downloaded the xml > config file. > > 11) At this point I went back to ADFS Management and followed the steps to > create a Trusted Relying Party, choosing to import data about the relying > party from the xml file exported from Keycloak. > 12) For the rest of the Relying Party configuration I accepted the defaults. > > When I go to the url for my application I’m redirected to the Keycloak > login screen where I select the Identity Provider I configured. I get a > security certificate warning since the certificate from the server is > self-signed but I choose to continue despite the warning. Then I get an > error page saying there was a problem accessing the site. I don’t get the > ADFS page where I would enter my login credentials. > > I don’t know if it matters but my application and Keycloak currently use > http rather than https. > > Any help would be greatly appreciated. > Thanks in advance, > Glenn > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> -- --Hynek