12:19 p.m.
Hi,
I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
Details
When I use dummy IDP of Keycloak server, I use
https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url,
"email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use
the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything
right. Keycloak endpoints, SSL keystore and truststore files are at the right locations
and places.
Regards,
Suleyman
________________________________
This message is for the designated recipient only and may contain privileged, proprietary,
or otherwise confidential information. If you have received it in error, please notify the
sender immediately and delete the original. Any other use of the e-mail by you is
prohibited. Where allowed by local law, electronic communications with Accenture and its
affiliates, including e-mail and instant messaging (including content), may be scanned by
our systems for the purposes of information security and assessment of internal compliance
with Accenture policy. Your privacy is important to us. Accenture uses your personal data
only in compliance with data protection laws. For further information on how Accenture
processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________
www.accenture.com
2:20 p.m.
New subject: SSO for two groups of web applications?
Hi,
Is it possible to authenticate users using *one* Keycloak server for
*two* groups of web applications. For example, if a user signs in a web
app in the 1st group, the user can access all the apps in the 1st group
but none in the 2nd group, vice versa. If it's possible, how? Or any
documentation?
Thanks and regards,
Weijun
4:47 p.m.
New subject: SSO for two groups of web applications?
That should be easily accomplished using keycloak realms. The official docs should be good
for that.
Graham
Get Outlook for Android<https://aka.ms/ghei36>
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Weijun Gao <wgao(a)utsc.utoronto.ca>
Sent: Thursday, August 16, 2018 12:20:22 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] SSO for two groups of web applications?
Hi,
Is it possible to authenticate users using *one* Keycloak server for
*two* groups of web applications. For example, if a user signs in a web
app in the 1st group, the user can access all the apps in the 1st group
but none in the 2nd group, vice versa. If it's possible, how? Or any
documentation?
Thanks and regards,
Weijun
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:47 p.m.
New subject: SSO for two groups of web applications?
Hi Weijun,
And what if the user first signs in a 1st group app, and then in a 2nd group? Should the
user be able to access both groups now?
If so: seems like you want two separate SSO realms for your application groups, but with
the shared user data?
Let's rephrase it; imagine that in your Keycloak:
- there are two different realms, realmA and realmB;
- apps from the 1st groups are configured as clients of realmA;
- the same for the 2nd group and realmB;
- users in both realms are the same;
would that solve your problem?
So it seems like you need some kind of proxy/slave/shadow realm, that
would have its own client definitions, but will proxy to another realm
for user data. I think this is not available OOTB, but could be
implemented as a Keycloak extension using Realm SPI, however
implementation can be really tricky.
Another way to go is to set up ad-hoc partial replication between the realms. This is
neither available OOTB, however implementation should be much simpler (at the price of
data duplication, of course).
Good news is that you're not alone with this; see Tuesday's posting from Gregor
Tudan, the problem statement is almost the same (modulo the kind of data to be replicated,
users vs. clients). I'll reply to that post a bit later, so stay tuned.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
Hi,
Is it possible to authenticate users using *one* Keycloak server for
*two* groups of web applications. For example, if a user signs in a web
app in the 1st group, the user can access all the apps in the 1st group
but none in the 2nd group, vice versa. If it's possible, how? Or any
documentation?
Thanks and regards,
Weijun
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:55 a.m.
New subject: SSO for two groups of web applications?
Thank you Dmitry and Graham!
Using separate SSO realms is good enough for my need. I'll check more
about your posts and setting replications Dmitry.
Regards,
Weijun
On 8/16/2018 6:47 PM, Dmitry Telegin wrote:
Hi Weijun,
And what if the user first signs in a 1st group app, and then in a 2nd group? Should the
user be able to access both groups now?
If so: seems like you want two separate SSO realms for your application groups, but with
the shared user data?
Let's rephrase it; imagine that in your Keycloak:
- there are two different realms, realmA and realmB;
- apps from the 1st groups are configured as clients of realmA;
- the same for the 2nd group and realmB;
- users in both realms are the same;
would that solve your problem?
So it seems like you need some kind of proxy/slave/shadow realm, that
would have its own client definitions, but will proxy to another realm
for user data. I think this is not available OOTB, but could be
implemented as a Keycloak extension using Realm SPI, however
implementation can be really tricky.
Another way to go is to set up ad-hoc partial replication between the realms. This is
neither available OOTB, however implementation should be much simpler (at the price of
data duplication, of course).
Good news is that you're not alone with this; see Tuesday's posting from Gregor
Tudan, the problem statement is almost the same (modulo the kind of data to be replicated,
users vs. clients). I'll reply to that post a bit later, so stay tuned.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
> Hi,
>
> Is it possible to authenticate users using *one* Keycloak server for
> *two* groups of web applications. For example, if a user signs in a web
> app in the 1st group, the user can access all the apps in the 1st group
> but none in the 2nd group, vice versa. If it's possible, how? Or any
> documentation?
>
> Thanks and regards,
>
> Weijun
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6:48 p.m.
Hi Suleyman,
You're right, the contents of the Validating X509 Certificates box is
invalid, your stacktrace tells that unambiguously. The field is pre-
populated once you import FederationMetadata.xml, and you shouldn't
change it afterwards.
To avoid recreating the whole IdP, open your FederationMetadata.xml,
find the <ds:X509Certificate> element and copy its value to the box
verbatim.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
Hi,
I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
Details
When I use dummy IDP of Keycloak server, I use
https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url,
"email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use
the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything
right. Keycloak endpoints, SSL keystore and truststore files are at the right locations
and places.
Regards,
Suleyman
________________________________
This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________
www.accenture.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:57 a.m.
New subject: [External] Re: IDP SAML Processing Error
Thanks a lot Dmitry,
It works! When I use my application link, I can successfully get SAML response from MS
ADFS and redirected to application back. Use case is as below.
However, my client wanted to test directly on their MS ADFS using their url
(https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated
SSO. He wrote his credentials on login page of MS ADFS clicked sign in. I am redirected to
Keycloak IDP
https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias... and get
the Internal Server Error again but with different error (attached file). I wonder if I
need to change any Keycloak settings to enable that.
Use case:
1. The user visits the http://myapplication:8443 application.
2. https-client(open_id) finds the user is not authenticated and generates an XML
authentication request document. It is redirected to the Keycloak Identity Provider, of
which Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/
3. The ADFS server extracts the XML auth request document and verifies the signature.
Then, user is redirected to the SAML client in Keycloak server.
4. The user enters the credentials to be authenticated.
5. After authentication, the Identity Provider generates an XML authentication response
document, which contains a SAML assertion that holds metadata about the user like name and
email. User is redirected to the http://myapplication:8443 application.
Regards,
Suleyman
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 00:49
To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman,
You're right, the contents of the Validating X509 Certificates box is invalid, your
stacktrace tells that unambiguously. The field is pre- populated once you import
FederationMetadata.xml, and you shouldn't change it afterwards.
To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
Hi,
I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
Details
When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
Regards,
Suleyman
________________________________
This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________
________________
www.accenture.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m
ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8n
OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNn
CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wocm
nmEIzqruzVr9Gg&e=
9:24 a.m.
New subject: [External] Re: IDP SAML Processing Error
Hi Suleyman, you're welcome :)
Glad your SP-initiated SSO finally worked.
As for IdP-initiated SSO, this is also a well-known situation.
In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
You mentioned some "https-client(open_id)", does that mean that the application
is secured by Keycloak OpenID Connect adapter? (Don't despair, there is a workaround
nevertheless.)
Dmitry
On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
Thanks a lot Dmitry,
It works! When I use my application link, I can successfully get SAML response from MS
ADFS and redirected to application back. Use case is as below.
> However, my client wanted to test directly on their MS ADFS using their url
(https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated
SSO. He wrote his credentials on login page of MS ADFS clicked sign in. I am redirected to
Keycloak IDP
https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias... and get
the Internal Server Error again* but with different error (attached file). I wonder if I
need to change any Keycloak settings to enable that.
Use case:
> > 1. The user visits the http://myapplication:8443 application.
> 2. https-client(open_id) finds the user is not authenticated and generates an XML
authentication request document. It is redirected to the Keycloak Identity Provider, of
which Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/
> 3. The ADFS server extracts the XML auth request document and verifies the
signature. Then, user is redirected to the SAML client in Keycloak server.
> 4. The user enters the credentials to be authenticated.
> > 5. After authentication, the Identity Provider generates an XML authentication
response document, which contains a SAML assertion that holds metadata about the user like
name and email. User is redirected to the http://myapplication:8443 application.
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 00:49
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman,
You're right, the contents of the Validating X509 Certificates box is invalid, your
stacktrace tells that unambiguously. The field is pre- populated once you import
FederationMetadata.xml, and you shouldn't change it afterwards.
To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> Hi,
>
> I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
>
> Details
>
> When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
>
> Regards,
> Suleyman
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________
> ________________
>
> www.accenture.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m
> ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8n
> OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNn
> CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wocm
> nmEIzqruzVr9Gg&e=
9:44 a.m.
New subject: [External] Re: IDP SAML Processing Error
Hi Dmitry,
I have been struggling for many days for that😊 I have two clients and a IDP broker in
Keycloak.
https-client: Yes, this is the client that secured the application. Redirect urls point to
our application (http://myapplication:8443 application).It is "resource" :
"https-client" in Keycloak.json in AngularJS.
saml client: sends SAML request via IDP broker
IDP broker: deals with MS ADFS requests/responses
Regards,
Suleyman
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 15:24
To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman, you're welcome :)
Glad your SP-initiated SSO finally worked.
As for IdP-initiated SSO, this is also a well-known situation.
In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
You mentioned some "https-client(open_id)", does that mean that the application
is secured by Keycloak OpenID Connect adapter? (Don't despair, there is a workaround
nevertheless.)
Dmitry
On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
Thanks a lot Dmitry,
It works! When I use my application link, I can successfully get SAML
response from MS ADFS and redirected to application back. Use case is as below.
> However, my client wanted to test directly on their MS ADFS using
> their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
Use case:
> > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> 2. https-client(open_id) finds the user is not authenticated and generates an XML
authentication request document. It is redirected to the Keycloak Identity Provider, of
which Single Sign-On Service URL is configured as
https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs_adfs_l...
> 3. The ADFS server extracts the XML auth request document and verifies the
signature. Then, user is redirected to the SAML client in Keycloak server.
> 4. The user enters the credentials to be authenticated.
> > 5. After authentication, the Identity Provider generates an XML authentication
response document, which contains a SAML assertion that holds metadata about the user like
name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 00:49
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> keycloak-user(a)lists.jboss.org
Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman,
You're right, the contents of the Validating X509 Certificates box is invalid, your
stacktrace tells that unambiguously. The field is pre- populated once you import
FederationMetadata.xml, and you shouldn't change it afterwards.
To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> Hi,
>
> I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
>
> Details
>
> When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
>
> Regards,
> Suleyman
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> ____________________________________________________________________
> __
> ________________
>
> www.accenture.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org
> _m
> ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU
> 8n
> OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8f
> Nn
> CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wo
> cm
> nmEIzqruzVr9Gg&e=
10:40 a.m.
New subject: [External] Re: IDP SAML Processing Error
Suleyman, thanks for the clarifications,
So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP
(ADFS).
Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one
(https-client)?
Dmitry
On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
Hi Dmitry,
I have been struggling for many days for that😊 I have two clients and a IDP broker in
Keycloak.
> https-client: Yes, this is the client that secured the application. Redirect urls
point to our application (http://myapplication:8443 application).It is
"resource" : "https-client" in Keycloak.json in AngularJS.
saml client: sends SAML request via IDP broker
IDP broker: deals with MS ADFS requests/responses
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 15:24
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman, you're welcome :)
Glad your SP-initiated SSO finally worked.
As for IdP-initiated SSO, this is also a well-known situation.
In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
You mentioned some "https-client(open_id)", does that mean that the application
is secured by Keycloak OpenID Connect adapter? (Don't despair, there is a workaround
nevertheless.)
Dmitry
On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> Thanks a lot Dmitry,
>
> It works! When I use my application link, I can successfully get SAML
> response from MS ADFS and redirected to application back. Use case is as below.
>
> > However, my client wanted to test directly on their MS ADFS using
> > their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
>
> Use case:
> > > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> >
> > > > > 2. https-client(open_id) finds the user is not authenticated and
generates an XML authentication request document. It is redirected to the Keycloak
Identity Provider, of which Single Sign-On Service URL is configured as
https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs_adfs_l...
> > > > > 3. The ADFS server extracts the XML auth request document and
verifies the signature. Then, user is redirected to the SAML client in Keycloak server.
> > > > > 4. The user enters the credentials to be authenticated.
> > > 5. After authentication, the Identity Provider generates an XML
authentication response document, which contains a SAML assertion that holds metadata
about the user like name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
>
> Regards,
> Suleyman
>
> -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
>
> Sent: 17 August 2018 00:49
> > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > keycloak-user(a)lists.jboss.org
>
> Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Hi Suleyman,
>
> You're right, the contents of the Validating X509 Certificates box is invalid,
your stacktrace tells that unambiguously. The field is pre- populated once you import
FederationMetadata.xml, and you shouldn't change it afterwards.
>
> To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > Hi,
> >
> > I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
> >
> > Details
> >
> > When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
> >
> > Regards,
> > Suleyman
> >
> >
> > ________________________________
> >
> > This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> > ____________________________________________________________________
> > __
> > ________________
> >
> > www.accenture.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org
> > _m
> > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU
> > 8n
> > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8f
> > Nn
> > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wo
> > cm
> > nmEIzqruzVr9Gg&e=
11:14 a.m.
New subject: [External] Re: IDP SAML Processing Error
Hi Dmitry,
Thanks for asking details. It is only OIDC one (https-client). When we hit
https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our
application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC
(https-client) though.
MS ADFS --> Which Keycloak entities (clients, IDP broker) are involve here(?) -->
OIDC (https-client)
Regards,
Suleyman
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 16:41
To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Suleyman, thanks for the clarifications,
So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP
(ADFS).
Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one
(https-client)?
Dmitry
On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
Hi Dmitry,
I have been struggling for many days for that😊 I have two clients and
a IDP broker in Keycloak.
> https-client: Yes, this is the client that secured the application.
> Redirect urls point to our application
(https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application).It is "resource" : "https-client" in Keycloak.json in
AngularJS.
saml client: sends SAML request via IDP broker IDP broker: deals with
MS ADFS requests/responses
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 15:24
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Hi Suleyman, you're welcome :)
Glad your SP-initiated SSO finally worked.
As for IdP-initiated SSO, this is also a well-known situation.
In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
You mentioned some "https-client(open_id)", does that mean that the
application is secured by Keycloak OpenID Connect adapter? (Don't
despair, there is a workaround nevertheless.)
Dmitry
On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> Thanks a lot Dmitry,
>
> It works! When I use my application link, I can successfully get
> SAML response from MS ADFS and redirected to application back. Use case is as
below.
>
> > However, my client wanted to test directly on their MS ADFS using
> > their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
>
> Use case:
> > > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> >
> > > > > 2. https-client(open_id) finds the user is not authenticated and
generates an XML authentication request document. It is redirected to the Keycloak
Identity Provider, of which Single Sign-On Service URL is configured as
https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs_adfs_l...
> > > > > 3. The ADFS server extracts the XML auth request document and
verifies the signature. Then, user is redirected to the SAML client in Keycloak server.
> > > > > 4. The user enters the credentials to be authenticated.
> > > 5. After authentication, the Identity Provider generates an XML
authentication response document, which contains a SAML assertion that holds metadata
about the user like name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
>
> Regards,
> Suleyman
>
> -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
>
> Sent: 17 August 2018 00:49
> > > > > To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> > keycloak-user(a)lists.jboss.org
>
> Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Hi Suleyman,
>
> You're right, the contents of the Validating X509 Certificates box is invalid,
your stacktrace tells that unambiguously. The field is pre- populated once you import
FederationMetadata.xml, and you shouldn't change it afterwards.
>
> To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > Hi,
> >
> > I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
> >
> > Details
> >
> > When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
> >
> > Regards,
> > Suleyman
> >
> >
> > ________________________________
> >
> > This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use of the e-mail
by you is prohibited. Where allowed by local law, electronic communications with Accenture
and its affiliates, including e-mail and instant messaging (including content), may be
scanned by our systems for the purposes of information security and assessment of internal
compliance with Accenture policy. Your privacy is important to us. Accenture uses your
personal data only in compliance with data protection laws. For further information on how
Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> > __________________________________________________________________
> > __
> > __
> > ________________
> >
> > www.accenture.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.o
> > rg
> > _m
> > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJ
> > vU
> > 8n
> > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-
> > 8f
> > Nn
> > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69
> > Wo
> > cm
> > nmEIzqruzVr9Gg&e=
4:50 p.m.
New subject: [External] Re: IDP SAML Processing Error
On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
Hi Dmitry,
> Thanks for asking details. It is only OIDC one (https-client). When we hit
https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our
application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC
(https-client) though.
MS ADFS --> Which Keycloak entities (clients, IDP broker) are involve here(?) -->
OIDC (https-client)
You've depicted it correctly. The problem is, it currently works only if both legs are
SAML:
IdP (SAML) ---> Keycloak (broker) ---> SAML Client
IdP (SAML) ---> Keycloak (broker) -x-> OIDC Client
This is partially because in the OpenID Connect spec there is no equivalent for "IdP
initiated login". However, you can use the following trick to emulate it:
1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your
OIDC application transparently.
Is that doable, WDYT? I mean to make the user click an auxiliary link after ADFS login?
In fact, it's not the first time I hear about this particular requirement
(IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's right
time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev
soon.
Cheers,
Dmitry
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 16:41
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Suleyman, thanks for the clarifications,
So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP
(ADFS).
Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one
(https-client)?
Dmitry
On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> I have been struggling for many days for that😊 I have two clients and
> a IDP broker in Keycloak.
>
> > https-client: Yes, this is the client that secured the application.
> > Redirect urls point to our application
(https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application).It is "resource" : "https-client" in Keycloak.json in
AngularJS.
>
> saml client: sends SAML request via IDP broker IDP broker: deals with
> MS ADFS requests/responses
>
> Regards,
> Suleyman
>
> -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
>
> Sent: 17 August 2018 15:24
> > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > keycloak-user(a)lists.jboss.org
>
> Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Hi Suleyman, you're welcome :)
>
> Glad your SP-initiated SSO finally worked.
>
> As for IdP-initiated SSO, this is also a well-known situation.
>
> In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
>
> You mentioned some "https-client(open_id)", does that mean that the
> application is secured by Keycloak OpenID Connect adapter? (Don't
> despair, there is a workaround nevertheless.)
>
> Dmitry
>
> On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> > Thanks a lot Dmitry,
> >
> > It works! When I use my application link, I can successfully get
> > SAML response from MS ADFS and redirected to application back. Use case is as
below.
> >
> > > However, my client wanted to test directly on their MS ADFS using
> > > their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
> >
> > Use case:
> > > > > > > > > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> > > > > > > > > > > > > 2. https-client(open_id)
finds the user is not authenticated and generates an XML authentication request document.
It is redirected to the Keycloak Identity Provider, of which Single Sign-On Service URL is
configured as
https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs_adfs_l...
> > > > > > > > > > > > > 3. The ADFS server
extracts the XML auth request document and verifies the signature. Then, user is
redirected to the SAML client in Keycloak server.
> > > > > > 4. The user enters the credentials to be authenticated.
> > > >
> > > > 5. After authentication, the Identity Provider generates an XML
authentication response document, which contains a SAML assertion that holds metadata
about the user like name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> >
> > Regards,
> > Suleyman
> >
> > -----Original Message-----
> > > From: Dmitry Telegin <dt(a)acutus.pro>
> >
> > Sent: 17 August 2018 00:49
> > > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > >
> > > keycloak-user(a)lists.jboss.org
> >
> > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
> >
> > Hi Suleyman,
> >
> > You're right, the contents of the Validating X509 Certificates box is
invalid, your stacktrace tells that unambiguously. The field is pre- populated once you
import FederationMetadata.xml, and you shouldn't change it afterwards.
> >
> > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > > Hi,
> > >
> > > I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
> > >
> > > Details
> > >
> > > When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
> > >
> > > Regards,
> > > Suleyman
> > >
> > >
> > > ________________________________
> > >
> > > This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have received it in
error, please notify the sender immediately and delete the original. Any other use of the
e-mail by you is prohibited. Where allowed by local law, electronic communications with
Accenture and its affiliates, including e-mail and instant messaging (including content),
may be scanned by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy. Your privacy is important to us. Accenture uses
your personal data only in compliance with data protection laws. For further information
on how Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> > > __________________________________________________________________
> > > __
> > > __
> > > ________________
> > >
> > > www.accenture.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.o
> > > rg
> > > _m
> > >
ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJ
> > > vU
> > > 8n
> > >
OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-
> > > 8f
> > > Nn
> > > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69
> > > Wo
> > > cm
> > > nmEIzqruzVr9Gg&e=
2:53 a.m.
New subject: [External] Re: IDP SAML Processing Error
I'm also interested on this.
We also want to make IDP initiated login (SAML) work on our application (OIDC). I've
been thinking about trying out exactly the same setup as you describe. But if keycloak
would support this out-of-the-box, that would be great!
Tom
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Dmitry Telegin
Sent: Friday, August 17, 2018 11:50 PM
To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] [External] Re: IDP SAML Processing Error
** WARNING: This mail is from an external source **
On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
Hi Dmitry,
> Thanks for asking details. It is only OIDC one (https-client). When we hit
https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our
application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC
(https-client) though.
MS ADFS --> Which Keycloak entities (clients, IDP broker) are involve
here(?) --> OIDC (https-client)
You've depicted it correctly. The problem is, it currently works only if both legs are
SAML:
IdP (SAML) ---> Keycloak (broker) ---> SAML Client IdP (SAML) ---> Keycloak
(broker) -x-> OIDC Client
This is partially because in the OpenID Connect spec there is no equivalent for "IdP
initiated login". However, you can use the following trick to emulate it:
1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your
OIDC application transparently.
Is that doable, WDYT? I mean to make the user click an auxiliary link after ADFS login?
In fact, it's not the first time I hear about this particular requirement
(IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's right
time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev
soon.
Cheers,
Dmitry
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 16:41
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Suleyman, thanks for the clarifications,
So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP
(ADFS).
Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one
(https-client)?
Dmitry
On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> I have been struggling for many days for that😊 I have two clients
> and a IDP broker in Keycloak.
>
> > https-client: Yes, this is the client that secured the application.
> > Redirect urls point to our application
(https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application).It is "resource" : "https-client" in Keycloak.json in
AngularJS.
>
> saml client: sends SAML request via IDP broker IDP broker: deals
> with MS ADFS requests/responses
>
> Regards,
> Suleyman
>
> -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
>
> Sent: 17 August 2018 15:24
> > > > > To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> > keycloak-user(a)lists.jboss.org
>
> Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing
> Error
>
> Hi Suleyman, you're welcome :)
>
> Glad your SP-initiated SSO finally worked.
>
> As for IdP-initiated SSO, this is also a well-known situation.
>
> In a few words, it will work out of the box *only* if you Keycloak client (target
application) is also using SAML.
>
> You mentioned some "https-client(open_id)", does that mean that the
> application is secured by Keycloak OpenID Connect adapter? (Don't
> despair, there is a workaround nevertheless.)
>
> Dmitry
>
> On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> > Thanks a lot Dmitry,
> >
> > It works! When I use my application link, I can successfully get
> > SAML response from MS ADFS and redirected to application back. Use case is as
below.
> >
> > > However, my client wanted to test directly on their MS ADFS
> > > using their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
> >
> > Use case:
> > > > > > > > > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> > > > > > > > > > > > > 2.
https-client(open_id) finds the user is
> > > > > > > > > > > > > not authenticated and
generates an XML
> > > > > > > > > > > > > authentication request
document. It is
> > > > > > > > > > > > > redirected to the
Keycloak Identity
> > > > > > > > > > > > > Provider, of which
Single Sign-On Service
> > > > > > > > > > > > > URL is configured as
> > > > > > > > > > > > >
https://urldefense.proofpoint.com/v2/url?u=h
> > > > > > > > > > > > >
ttps-3A__client-5Fadfs_adfs_ls_&d=DwIFaQ&c=e
> > > > > > > > > > > > >
IGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r
> > > > > > > > > > > > >
=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g
> > > > > > > > > > > > >
&m=67Jdm10z1uM35jlf76_8hLfYG6Jw218kWhrnGkaev
> > > > > > > > > > > > >
NE&s=wv1iQEWJPlOTFlKSLpfzb6XhnImsHO-7wUi2SCV
> > > > > > > > > > > > > ZDWQ&e= 3. The ADFS
server extracts the XML
> > > > > > > > > > > > > auth request document
and verifies the signature. Then, user is redirected to the SAML client in Keycloak
server.
> > > > > > 4. The user enters the credentials to be
authenticated.
> > > >
> > > > 5. After authentication, the Identity Provider generates an XML
authentication response document, which contains a SAML assertion that holds metadata
about the user like name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> >
> > Regards,
> > Suleyman
> >
> > -----Original Message-----
> > > From: Dmitry Telegin <dt(a)acutus.pro>
> >
> > Sent: 17 August 2018 00:49
> > > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > >
> > > keycloak-user(a)lists.jboss.org
> >
> > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
> >
> > Hi Suleyman,
> >
> > You're right, the contents of the Validating X509 Certificates box is
invalid, your stacktrace tells that unambiguously. The field is pre- populated once you
import FederationMetadata.xml, and you shouldn't change it afterwards.
> >
> > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > > Hi,
> > >
> > > I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
> > >
> > > Details
> > >
> > > When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
> > >
> > > Regards,
> > > Suleyman
> > >
> > >
> > > ________________________________
> > >
> > > This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have received it in
error, please notify the sender immediately and delete the original. Any other use of the
e-mail by you is prohibited. Where allowed by local law, electronic communications with
Accenture and its affiliates, including e-mail and instant messaging (including content),
may be scanned by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy. Your privacy is important to us. Accenture uses
your personal data only in compliance with data protection laws. For further information
on how Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> > > ________________________________________________________________
> > > __
> > > __
> > > __
> > > ________________
> > >
> > > www.accenture.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss
> > > .o
> > > rg
> > > _m
> > > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEH
> > > XJ
> > > vU
> > > 8n
> > > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m
> > > =-
> > > 8f
> > > Nn
> > > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG
> > > 69
> > > Wo
> > > cm
> > > nmEIzqruzVr9Gg&e=
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:29 a.m.
New subject: [External] Re: IDP SAML Processing Error
Hi Dmitry,
I am not sure if it can be done. I realized that flow is as below. ADFS first redirects to
idp broker in Keycloak and I get internal server error (attached). Does it sounds like
Keycloak issue or we need to change some settings in MS ADFS? I am tring different
configurations for this right now
https://www.keycloak.org/docs/2.5/server_admin/topics/clients/saml/idp-in....
Flow:
MS ADFS server https://weblink/adfs/ls/idpinitiatedsignon ---> Keycloak (broker)
https://testinsight.wmp.accentureanalytics.com/auth/realms/springboot-qui...
---> ??? --> OIDC Client (https://testinsight.wmp.accentureanalytics.com:8443)
Regards,
Suleyman
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 22:50
To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
Hi Dmitry,
> Thanks for asking details. It is only OIDC one (https-client). When
> we hit
https://urldefense.proofpoint.com/v2/url?u=https-3A__adfslink_adfs_ls_idp...,
the end goal is to be redirected to our application, which is OIDC. I am not sure about
the flow between MS ADFS and OIDC (https-client) though.
MS ADFS --> Which Keycloak entities (clients, IDP broker) are involve
here(?) --> OIDC (https-client)
You've depicted it correctly. The problem is, it currently works only if both legs are
SAML:
IdP (SAML) ---> Keycloak (broker) ---> SAML Client IdP (SAML) ---> Keycloak
(broker) -x-> OIDC Client
This is partially because in the OpenID Connect spec there is no equivalent for "IdP
initiated login". However, you can use the following trick to emulate it:
1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your
OIDC application transparently.
Is that doable, WDYT? I mean to make the user click an auxiliary link after ADFS login?
In fact, it's not the first time I hear about this particular requirement
(IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's right
time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev
soon.
Cheers,
Dmitry
Regards,
Suleyman
-----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 17 August 2018 16:41
> To: Yildirim, Suleyman <suleyman.yildirim(a)accenture.com>;
> keycloak-user(a)lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
Suleyman, thanks for the clarifications,
So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP
(ADFS).
Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one
(https-client)?
Dmitry
On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> I have been struggling for many days for that😊 I have two clients
> and a IDP broker in Keycloak.
>
> > https-client: Yes, this is the client that secured the
> > application. Redirect urls point to our application
(https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application).It is "resource" : "https-client" in Keycloak.json in
AngularJS.
>
> saml client: sends SAML request via IDP broker IDP broker: deals
> with MS ADFS requests/responses
>
> Regards,
> Suleyman
>
> -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
>
> Sent: 17 August 2018 15:24
> > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > keycloak-user(a)lists.jboss.org
>
> Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing
> Error
>
> Hi Suleyman, you're welcome :)
>
> Glad your SP-initiated SSO finally worked.
>
> As for IdP-initiated SSO, this is also a well-known situation.
>
> In a few words, it will work out of the box *only* if you Keycloak client
(target application) is also using SAML.
>
> You mentioned some "https-client(open_id)", does that mean that the
> application is secured by Keycloak OpenID Connect adapter? (Don't
> despair, there is a workaround nevertheless.)
>
> Dmitry
>
> On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> > Thanks a lot Dmitry,
> >
> > It works! When I use my application link, I can successfully get
> > SAML response from MS ADFS and redirected to application back. Use case is as
below.
> >
> > > However, my client wanted to test directly on their MS ADFS
> > > using their url
(https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink...).
I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked
sign in. I am redirected to Keycloak IDP
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_r...
and get the Internal Server Error again* but with different error (attached file). I
wonder if I need to change any Keycloak settings to enable that.
> >
> > Use case:
> > > > > > > > > 1. The user visits the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> > > > > > > > > > > > > 2. https-client(open_id)
finds the user is not authenticated and generates an XML authentication request document.
It is redirected to the Keycloak Identity Provider, of which Single Sign-On Service URL is
configured as
https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs_adfs_l...
> > > > > > > > > > > > > 3. The ADFS server
extracts the XML auth request document and verifies the signature. Then, user is
redirected to the SAML client in Keycloak server.
> > > > > > 4. The user enters the credentials to be authenticated.
> > > >
> > > > 5. After authentication, the Identity Provider generates an XML
authentication response document, which contains a SAML assertion that holds metadata
about the user like name and email. User is redirected to the
https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&...
application.
> >
> > Regards,
> > Suleyman
> >
> > -----Original Message-----
> > > From: Dmitry Telegin <dt(a)acutus.pro>
> >
> > Sent: 17 August 2018 00:49
> > > > > > To: Yildirim, Suleyman
<suleyman.yildirim(a)accenture.com>;
> > >
> > > keycloak-user(a)lists.jboss.org
> >
> > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
> >
> > Hi Suleyman,
> >
> > You're right, the contents of the Validating X509 Certificates box is
invalid, your stacktrace tells that unambiguously. The field is pre- populated once you
import FederationMetadata.xml, and you shouldn't change it afterwards.
> >
> > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the
<ds:X509Certificate> element and copy its value to the box verbatim.
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > > Hi,
> > >
> > > I have a "Uncaught server error:
org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML
identity provider" when get response from MS ADFS server. The route cause of the
error is Caused by: java.io.IOException: Short read of DER length. So I suspect that
Validating X509 Certificates input box doesn't work as expected in Keycloak:
"Certificates must be in PEM format and multiple certificates can be entered by comma
(,) ". I have to use Public key and the certificates of the realm separated by comma
but I get 500 - Internal Server Error from MS ADFS server and the error in Keycloak
(Attached file: IDP_error.txt). If I only use realm certificate, I get invalid requester
error. Any idea of how I can proceed?
> > >
> > > Details
> > >
> > > When I use dummy IDP of Keycloak server, I use
https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_aut...
as SSO url, "email" as "NameID Policy Format" (Attached file:
dummyIDPSettings.png). As for real ADFS integration, I setup everything according to that
blog
https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_201...
and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did
everything right. Keycloak endpoints, SSL keystore and truststore files are at the right
locations and places.
> > >
> > > Regards,
> > > Suleyman
> > >
> > >
> > > ________________________________
> > >
> > > This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have received it in
error, please notify the sender immediately and delete the original. Any other use of the
e-mail by you is prohibited. Where allowed by local law, electronic communications with
Accenture and its affiliates, including e-mail and instant messaging (including content),
may be scanned by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy. Your privacy is important to us. Accenture uses
your personal data only in compliance with data protection laws. For further information
on how Accenture processes your personal data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.
> > > ________________________________________________________________
> > > __
> > > __
> > > __
> > > ________________
> > >
> > > www.accenture.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss
> > > .o
> > > rg
> > > _m
> > > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEH
> > > XJ
> > > vU
> > > 8n
> > > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m
> > > =-
> > > 8f
> > > Nn
> > > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG
> > > 69
> > > Wo
> > > cm
> > > nmEIzqruzVr9Gg&e=
2334
days inactive
2338
days old
13 comments
5 participants
participants (5)
-
Billiet Tom -
Dmitry Telegin -
Graham Burgess -
Weijun Gao -
Yildirim, Suleyman