I managed to make it work after using the realm certificate in AD FS (instead of my SSL
certificate), installing Java Cryptography Extension, and setting up a truststore in my
web app.
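The two failure modes discussed further down this thread (a Response the broker finds no assertion in, and a session key wrapped for a certificate other than the realm certificate, which surfaces as the RSA-OAEP "Unwrapping failed" chain) can be triaged before any decryption is attempted. The following is an added example, not Keycloak or AD FS code; `diagnose_response`, `cert_fingerprint` and the sample Response are constructed here, and it assumes the IdP embeds the recipient certificate in the EncryptedKey's KeyInfo.

```python
# Added example, not Keycloak or AD FS code: pre-decryption triage of a SAML Response.
# Reports whether an Assertion/EncryptedAssertion is present and whether the session
# key was wrapped for the realm certificate (a mismatch is the RSA-OAEP "Unwrapping failed").
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, colon separated as keytool and AD FS display it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def diagnose_response(response_xml: str, realm_cert_b64: str) -> dict:
    root = ET.fromstring(response_xml)
    enc = root.find("saml:EncryptedAssertion", NS)
    out = {"has_assertion": root.find("saml:Assertion", NS) is not None,
           "has_encrypted_assertion": enc is not None,
           "key_transport": None,           # e.g. ...xmlenc#rsa-oaep-mgf1p
           "key_matches_realm_cert": None}  # None: recipient not identifiable
    enc_key = enc.find(".//xenc:EncryptedKey", NS) if enc is not None else None
    if enc_key is None:
        return out  # nothing wrapped for us: the broker has nothing to unwrap
    method = enc_key.find("xenc:EncryptionMethod", NS)
    if method is not None:
        out["key_transport"] = method.get("Algorithm")
    # Assumption: the IdP embeds the recipient certificate in the EncryptedKey's
    # KeyInfo; thumbprint-only references are not resolved here and stay None.
    cert = enc_key.find(".//ds:X509Certificate", NS)
    if cert is not None and cert.text:
        out["key_matches_realm_cert"] = (
            cert_fingerprint(cert.text) == cert_fingerprint(realm_cert_b64))
    return out


# Constructed sample input: placeholder bytes stand in for real DER certificates.
REALM_CERT = base64.b64encode(b"realm-certificate-placeholder").decode()
OTHER_CERT = base64.b64encode(b"ssl-certificate-placeholder").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <saml:EncryptedAssertion><xenc:EncryptedData><ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{NS['xenc']}rsa-oaep-mgf1p"/>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OTHER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </xenc:EncryptedKey></ds:KeyInfo></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Run `diagnose_response(SAMPLE_RESPONSE, REALM_CERT)` against the constructed sample and `key_matches_realm_cert` comes back False, the same situation as an AD FS relying party trust still holding the SSL certificate instead of the realm certificate.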
From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Robert van Loenhout
Sent: 28 July 2016 13:56
To: Marc Boorshtein <marc.boorshtein@tremolosecurity.com>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response
I have changed the NameID Policy Format in Keycloak from ‘Persistent’ to ‘Unspecified’
that was initially set after importing the FederationMetadata.xml.
I don’t see any error anymore in the AD FS log.
However, I now get a decryption error in the Keycloak server log:
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1532)
    at org.keycloak.saml.processing.core.util.XMLEncryptionUtil.decryptElementInDocument(XMLEncryptionUtil.java:472)
    ... 55 more
Caused by: java.security.InvalidKeyException: Unwrapping failed
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
    at javax.crypto.Cipher.unwrap(Cipher.java:2550)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1530)
    ... 56 more
Caused by: javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:499)
    at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:293)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
    ... 58 more
From: Marc Boorshtein [mailto:marc.boorshtein@tremolosecurity.com]
Sent: 28 July 2016 12:32
To: Robert van Loenhout <r.vanloenhout@greenvalley.nl>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response
What does your AuthnRequest look like? AD FS is really fickle about format. Common issues
with the AuthnRequest are:
1. NameIDFormat
2. AuthnContextClassRef
3. SHA1 signature
#1 is the biggest issue I see. You need to write a claims rule in AD FS to make sure it
maps properly, or just remove the NameIDFormat from the AuthnRequest.
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout@greenvalley.nl> wrote:
Hi,
I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think
I’ve set up everything, but I am getting an internal error from Keycloak.
The server log contains:
2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
The root cause is “No assertion from response”.
So far the only information about this I have found is a Keycloak issue ticket:
https://issues.jboss.org/browse/KEYCLOAK-3103
Has anyone had any luck using AD FS in combination with Keycloak?
Is there any configuration I could change in AD FS or Keycloak to work around this
problem?
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user