No, this should not be a problem. Adapters do not set the value of the
KeyName element (which is controlled by the SAML Signature Key Name
field). If KeyName is unset, ADFS should be able to determine the
correct certificate for signature validation itself by iterating all
available certificates.
--Hynek
On Thu, Apr 27, 2017 at 12:01 AM, Cat Mucius <cat(a)mucius.tk> wrote:
Good day,
I'm trying to get the Keycloak Java adapter (on SP side) working with Microsoft
ADFS (on IdP side).
As I understand, ADFS expects to receive a <KeyInfo> element in the <Signature> of
the SAMLRequest in a specific format:
"Importantly, then the SAML Signature Key Name field that shows after
enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
as AD FS expects the signing key name hint to be the subject of the signing
certificate."
blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
format:
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
So I have two questions:
a. Is it really a problem? Has anyone used the Java adapter successfully to
authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
some other format?
Thanks,
Mucius.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
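The thread turns on how an IdP picks the certificate it verifies an AuthnRequest signature with when the SP's <KeyInfo> carries a KeyName, an RSAKeyValue, or nothing at all. The following is an added Python example, not code from this thread, Keycloak or AD FS: it parses the three hint kinds from a <dsig:KeyInfo> and narrows a trust store of SP certificates to the ones worth trying, falling back to every configured certificate when no hint is present (the behaviour Hynek describes). The hint precedence, the trust-store layout, the function names, and all sample moduli, DER bytes and signature XML are constructed for this example; AD FS's actual resolution order is not documented here. The one point that is not an assumption: the key material inside <KeyInfo> is untrusted until the signature verifies, so it may select a trusted certificate but must never be used as the verification key itself.

```python
"""KeyInfo-driven selection of the trusted SP certificate (added example, stdlib only)."""
import base64
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"


def _b64_to_int(text):
    """Decode an XML-DSig CryptoBinary (base64, whitespace allowed) to an int."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def _int_to_b64(n):
    """Inverse of _b64_to_int; used only to build the constructed samples below."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def parse_key_info(signature_xml):
    """Extract the hints a <dsig:KeyInfo> may carry: KeyName, RSAKeyValue, X509Certificate.

    The values are attacker-controlled until the signature verifies, so they are
    only used to choose among already-trusted certificates, never as the key.
    """
    root = ET.fromstring(signature_xml)
    tag = "{%s}KeyInfo" % DSIG
    ki = root if root.tag == tag else root.find(".//" + tag)
    hints = {"key_name": None, "rsa": None, "x509": None}
    if ki is None:
        return hints
    kn = ki.findtext("{%s}KeyName" % DSIG)
    if kn and kn.strip():
        hints["key_name"] = kn.strip()
    rkv = ki.find("{%s}KeyValue/{%s}RSAKeyValue" % (DSIG, DSIG))
    if rkv is not None:
        hints["rsa"] = (_b64_to_int(rkv.findtext("{%s}Modulus" % DSIG)),
                        _b64_to_int(rkv.findtext("{%s}Exponent" % DSIG)))
    x509 = ki.findtext("{%s}X509Data/{%s}X509Certificate" % (DSIG, DSIG))
    if x509 and x509.strip():
        hints["x509"] = base64.b64decode("".join(x509.split()))
    return hints


def candidate_certs(hints, trust_store):
    """Trust-store entries a verifier should try, in order.

    Precedence is an assumption of this example: KeyName matched against the
    certificate subject (the CERT_SUBJECT convention from the post), then an
    embedded X509Certificate, then an RSAKeyValue matched by (modulus, exponent).
    With no usable hint, every configured certificate is returned, which is the
    "iterate all available certificates" fallback described in the reply.
    """
    if hints["key_name"]:
        return [c for c in trust_store if c["subject"] == hints["key_name"]]
    if hints["x509"]:
        return [c for c in trust_store if c["der"] == hints["x509"]]
    if hints["rsa"]:
        return [c for c in trust_store if (c["modulus"], c["exponent"]) == hints["rsa"]]
    return list(trust_store)


# --- constructed sample data: stand-in moduli and placeholder DER, not real certs ---
SP_CERTS = [
    {"subject": "CN=sp.example.org", "modulus": (1 << 2047) | 0x10001,
     "exponent": 65537, "der": b"\x30\x03\x02\x01\x01"},
    {"subject": "CN=sp-old.example.org", "modulus": (1 << 2047) | 0x3,
     "exponent": 65537, "der": b"\x30\x03\x02\x01\x02"},
]

# The form the post says the Keycloak Java adapter sends: a KeyValue hint.
KEYVALUE_SIGNATURE = """<dsig:Signature xmlns:dsig="%s">
  <dsig:SignatureValue>c2lnbmF0dXJl</dsig:SignatureValue>
  <dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue>
    <dsig:Modulus>%s</dsig:Modulus>
    <dsig:Exponent>AQAB</dsig:Exponent>
  </dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo>
</dsig:Signature>""" % (DSIG, _int_to_b64(SP_CERTS[0]["modulus"]))

# The form the quoted blog post says AD FS expects: KeyName = certificate subject.
KEYNAME_SIGNATURE = """<dsig:Signature xmlns:dsig="%s">
  <dsig:SignatureValue>c2lnbmF0dXJl</dsig:SignatureValue>
  <dsig:KeyInfo><dsig:KeyName>CN=sp.example.org</dsig:KeyName></dsig:KeyInfo>
</dsig:Signature>""" % DSIG

# No KeyInfo at all: the verifier must try every configured certificate.
NOHINT_SIGNATURE = """<dsig:Signature xmlns:dsig="%s">
  <dsig:SignatureValue>c2lnbmF0dXJl</dsig:SignatureValue>
</dsig:Signature>""" % DSIG


def resolve(signature_xml, trust_store=SP_CERTS):
    """Subjects of the certificates a verifier would try for this signature."""
    return [c["subject"] for c in candidate_certs(parse_key_info(signature_xml), trust_store)]


if __name__ == "__main__":
    for label, xml in (("KeyValue", KEYVALUE_SIGNATURE), ("KeyName", KEYNAME_SIGNATURE),
                       ("no hint", NOHINT_SIGNATURE)):
        print(label, "->", resolve(xml))
```

Whichever certificate list comes back, the verifier still has to run the actual signature check against each entry and reject the request if none succeeds; the hint only shortens the search. A KeyName that matches nothing in the trust store yields an empty list here, which is the right outcome for a request signed by an unknown key.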