Hi,
On Wed, Mar 8, 2017 at 2:01 PM, Glenn Campbell <campbellg(a)teds.com> wrote:
> I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.
> It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
> sure of the proper way to turn on SAML logging. I turned on debug logging
> for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
> log file wasn't very helpful. It looked like most of the info was encrypted
> and/or hashed.
> However, I think I have a working configuration now. I need to test more to
> be sure but it looks promising so far. In my frustration I changed several
> things but I think the changes that made a difference were as follows:
> 1) Self-signed Certificates
> The self-signed certificates I'm using in my test environment may have been
> getting in my way. Or rather the various machines in my test environment not
> trusting the self-signed certificates of the other machines. It is probably
> unnecessary but I set all machines in my test environment to trust the
> certificates from all other machines. I know client machines will need to
> trust the certificates from both my Keycloak machine and my SAML machine but
> do the Keycloak and SAML machines need to trust the certificates from each
> other?
Unless configured otherwise (you would know about that), communication
over SSL/TLS checks the certificate of the counterparty. If by SAML
machine you mean ADFS (that needs to communicate with keycloak), then
the answer is yes, at ADFS node, the cert of Keycloak host has to be
trusted and vice versa.
> 2) NameID Policy Format
> I tried your suggestion of using "Windows Domain Qualified Name" but that
> didn't seem to work. I set it to "Unspecified" and that didn't work either
> until...
> 3) ADFS Relying Party Claim mapping
> I added a Claim mapping on the Relying Party for Keycloak to map
> "SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
> let things start working.
> Being an ADFS novice (or SAML novice in general) I'm not clear on why the
> above items make everything work. Can you provide any information regarding
> why the above items are important? I'm happy when things work but I'm even
> happier when I understand why they work.
Yes - the ADFS has to be configured to whatever name identifier format
it should support.
I've tried to summarize the setup ADFS + Keycloak with a bit more
detail and references around Name ID format setup in
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
. Even though it applies to ADFS 3.0, most (if not all) should work
with 2.1 too.
--Hynek
> Thanks again for all of your help.
On Tue, Mar 7, 2017 at 4:26 PM, Glenn Campbell <campbellg(a)teds.com> wrote:
>
> I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.
>
> It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
> sure of the proper way to turn on SAML logging. I turned on debug logging
> for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
> log file wasn't very helpful. It looked like most of the info was encrypted
> and/or hashed.
>
> However, I think I have a working configuration now. I need to test more
> to be sure but it looks promising so far. In my frustration I changed
> several things but I think the changes that made a difference were as
> follows:
>
> 1) Self-signed Certificates
> The self-signed certificates I'm using in my test environment may have
> been getting in my way. Or rather the various machines in my test
> environment not trusting the self-signed certificates of the other machines.
> It is probably unnecessary but I set all machines in my test environment to
> trust the certificates from all other machines. I know client machines will
> need to trust the certificates from both my Keycloak machine and my SAML
> machine but do the Keycloak and SAML machines need to trust the certificates
> from each other?
>
> 2) NameID Policy Format
> I tried your suggestion of using "Windows Domain Qualified Name" but that
> didn't seem to work. I set it to "Unspecified" and that didn't work either
> until...
>
> 3) ADFS Relying Party Claim mapping
> I added a Claim mapping on the Relying Party for Keycloak to map
> "SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
> let things start working.
>
> Being an ADFS novice (or SAML novice in general) I'm not clear on why the
> above items make everything work. Can you provide any information regarding
> why the above items are important? I'm happy when things work but I'm even
> happier when I understand why they work.
>
> Thanks again for all of your help.
> Glenn
>
> On Tue, Mar 7, 2017 at 4:58 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>>
>> What are your Keycloak and ADFS versions? What are the responses you
>> receive from ADFS? Please enable logging of SAML messages to see them (see
>> [1] how to do that).
>>
>> A wild guess: does setting the "NameID Policy Format" [2] to "Windows
>> Domain Qualified Name" help?
>>
>> --Hynek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedCommentId=13336560&a...
>> [2] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/id...
>>
>> On 03/03/2017 09:49 PM, Glenn Campbell wrote:
>>>
>>> Thank you for your suggestions. Making those changes seems to have
>>> solved that problem. I don't think I would have ever figured that out on my
>>> own.
>>>
>>> Now I'm on to the next problem. When I enter the login credentials on
>>> the SAML IdP login page I get an error in Keycloak and the log file has a
>>> "Could not process response from SAML identity provider" error message with
>>> a root cause of "No assertion from response".
>>>
>>> Do you have any suggestions on what I need to do to fix this problem?
>>>
>>> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>>>
>>> Actually https matters, ADFS had been rejecting any SAML communication
>>> with keycloak for me until https was enabled. Also for ADFS, there is
>>> a special setting for the KeyInfo element that needs to be set to
>>> CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity
>>> Provider settings [1].
>>>
>>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b...
>>>
>>>
>>> On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg(a)teds.com> wrote:
>>> > What is the correct way to set up identity brokering from Keycloak to ADFS?
>>> > I’m new to ADFS so I suspect I’ve configured something incorrectly there.
>>> >
>>> > Here’s what I’ve done so far:
>>> >
>>> > 1) Installed ADFS.
>>> > 2) Opened ADFS Management.
>>> > 3) Walked through the ADFS Configuration Wizard.
>>> > At one point in the process it asked which certificate I wanted to use. I
>>> > didn’t have one so I went into IIS Manager and created a self-signed
>>> > certificate. Then I came back to the ADFS Configuration Wizard and selected
>>> > the newly created certificate.
>>> > At the end of the process there was a list of configuration items that had
>>> > been performed and they all had green checkmarks by them.
>>> > Clicked Close.
>>> >
>>> > 4) At this point ADFS Management said I needed to configure a Trusted
>>> > Relying Party so I went to Keycloak to start setting up that side of things.
>>> > 5) Since the certificate used by ADFS is self-signed I exported it from IIS
>>> > and imported it into the Wildfly jssecerts where Keycloak is running and
>>> > restarted Wildfly/Keycloak.
>>> > 6) Saved the ADFS FederationMetadata.xml via the url
>>> > https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml
>>> > 7) In Keycloak admin console, on the Identity Providers page I chose “Add
>>> > provider… SAML v2.0”
>>> > 8) Entered an alias for the new IdP then in “Import from file -> Select
>>> > File” I chose the FederationMetadata.xml that I acquired from the ADFS
>>> > server.
>>> > 9) Saved the IdP configuration.
>>> > 10) Went to the Export tab of the newly created IdP and downloaded the xml
>>> > config file.
>>> >
>>> > 11) At this point I went back to ADFS Management and followed the steps to
>>> > create a Trusted Relying Party, choosing to import data about the relying
>>> > party from the xml file exported from Keycloak.
>>> > 12) For the rest of the Relying Party configuration I accepted the defaults.
>>> >
>>> > When I go to the url for my application I’m redirected to the Keycloak
>>> > login screen where I select the Identity Provider I configured. I get a
>>> > security certificate warning since the certificate from the server is
>>> > self-signed but I choose to continue despite the warning. Then I get an
>>> > error page saying there was a problem accessing the site. I don’t get the
>>> > ADFS page where I would enter my login credentials.
>>> >
>>> > I don’t know if it matters but my application and Keycloak currently use
>>> > http rather than https.
>>> >
>>> > Any help would be greatly appreciated.
>>> > Thanks in advance,
>>> > Glenn
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user(a)lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> --Hynek
>
--
--Hynek
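The thread turns on three things that are only visible once the SAML messages themselves are logged: whether ADFS actually returned an Assertion (the "No assertion from response" root cause), which NameID Format the assertion carries (the "Unspecified" versus "Windows Domain Qualified Name" question, and the SAM-Account-Name to Name ID claim mapping), and how the signature's KeyInfo names its key (the element the CERT_SUBJECT setting concerns). The inspector below is an added example written for this page; it is not code from the thread, from Keycloak or from ADFS. It parses a SAML 2.0 Response offline and reports those three points, plus the status code, so a logged response can be read without guessing. The two responses embedded in it are constructed samples with placeholder hostnames and a placeholder signature value; the function and label names are the example's own.

```python
# Added example (not from the thread, Keycloak or ADFS): offline inspector for a
# SAML 2.0 Response, reporting the points a broker-side troubleshooter checks.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Friendly labels for the standard NameID format URIs (the thread's
# "Unspecified" and "Windows Domain Qualified Name" are two of them).
NAMEID_LABELS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName":
        "Windows Domain Qualified Name",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "Email",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
}


def inspect_response(xml_text):
    """Return a dict describing status, assertion, NameID, KeyInfo and findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")

    # Status code: only the last URI segment (Success, Responder, Requester...) matters here.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value").rsplit(":", 1)[-1] if code is not None else None

    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    fmt = name_id.get("Format") if name_id is not None else None

    # First XML-DSig KeyInfo in the message: does the signer name its key
    # (KeyName) or embed the certificate (X509Data)?  We only report what
    # was received; we do not verify the signature here.
    key_info = root.find(".//ds:Signature/ds:KeyInfo", NS)
    key_info_kind = None
    if key_info is not None:
        if key_info.find("ds:KeyName", NS) is not None:
            key_info_kind = "KeyName"
        elif key_info.find("ds:X509Data", NS) is not None:
            key_info_kind = "X509Data"
        else:
            key_info_kind = "other"

    findings = []
    if status is not None and status != "Success":
        findings.append("IdP returned status %s: the request was rejected, so no assertion is expected" % status)
    if assertion is None and encrypted is None:
        findings.append("no Assertion element: a broker would report 'No assertion from response'")
    if assertion is None and encrypted is not None:
        findings.append("assertion is encrypted: the broker must hold the matching decryption key")
    if assertion is not None and name_id is None:
        findings.append("assertion has no Subject/NameID: check the IdP claim mapping to Name ID")

    return {
        "status": status,
        "has_assertion": assertion is not None,
        "has_encrypted_assertion": encrypted is not None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": NAMEID_LABELS.get(fmt, fmt),
        "key_info": key_info_kind,
        "findings": findings,
    }


# Constructed sample 1: successful response carrying a signed assertion whose
# subject is an unqualified account name, as the thread's final setup produces.
RESPONSE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue>
      <ds:KeyInfo><ds:KeyName>CN=adfs.example.test</ds:KeyName></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2: the IdP refused the request, so only a signed,
# assertion-less response comes back.
RESPONSE_REJECTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for name, xml in (("ok", RESPONSE_OK), ("rejected", RESPONSE_REJECTED)):
        print(name, inspect_response(xml))
```

To use it on a real message, paste the decoded samlp:Response from the broker's SAML message log into `inspect_response`; an empty `findings` list with a Success status, a present assertion and a populated NameID is what a working ADFS relying-party trust looks like from the Keycloak side, and a Responder status with no assertion is what the thread's "No assertion from response" error corresponds to.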