Thanks, that's interesting. I've updated the blog post with your finding.
--Hynek
On Wed, Mar 29, 2017 at 2:55 PM, Dmitry Korchemkin <moon3854(a)gmail.com> wrote:
OK, so I double-checked this behaviour and I'm indeed providing the correct
link to the ADFS (directly from the browser with the XML opened). What's
interesting is that while this error appears in Keycloak, ADFS seems to be
importing everything just fine, so it doesn't look like it's affecting anything.
It looks like ADFS is first checking whether the user provided a link to
another ADFS (but maybe omitted the /federationmetadata/* part) and when it
fails to find anything there it uses the link as provided. I can back this
claim with a little observation - when given a fake URL, it generates two
errors within Keycloak instead of just one for the correct URL:
1) Exception handling request to
/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
[adfs-localll] not found.
2) Exception handling request to
/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
[adfs-localll] not found.
As you can see, first it fails to import the XML from the "ADFS-style" path, then
it fails to get the XML from the link I actually gave it. Not sure why Microsoft
added this bit of behaviour, but it seems mostly harmless so far.
2017-03-28 22:01 GMT+03:00 Hynek Mlnarik <hmlnarik(a)redhat.com>:
>
> It is the other way round - as RESTEASY003210 was found in keycloak's
> log, something (maybe ADFS) attempted to access the nonexistent URL in
> Keycloak.
>
> I don't know about W2016 as I don't have it anywhere so I cannot check
> whether import does not try ADFS-like descriptor url (that part after
> .../descriptor/) automatically. AFAIK, W2012 does not do that, at
> least I've not been able to reproduce this behaviour. I'm no ADFS
> expert though.
>
> Did you enter exactly
>
>
> "https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor"
> for the import URL in relying trust party setup? Can you please double
> check? If the same issue happens again, I'll update the blog with a
> new "common issue".
>
> Thanks,
>
> --Hynek
>
>
> On Tue, Mar 28, 2017 at 4:44 PM, Marc Boorshtein
> <marc.boorshtein(a)tremolosecurity.com> wrote:
> >> 15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
> >> task-3) RESTEASY002010: Failed to execute:
> >> javax.ws.rs.NotFoundException:
> >> RESTEASY003210: Could not find resource for full path:
> >>
> >>
> >> https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker...
> >>
> >
> > Looks like Keycloak is trying to load ADFS' metadata, so use
> >
> >
> > https://adfs.server.com/FederationMetadata/2007-06/FederationMetadata.xml
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
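Dmitry's observation above (ADFS first probes the descriptor URL with `/FederationMetadata/2007-06/FederationMetadata.xml` appended, then falls back to the URL as given) means an operator reading a Keycloak log sees either one harmless `RESTEASY003210` for a configured broker alias, or a pair of `Identity Provider [...] not found` errors when the alias in the URL is wrong. The script below is an added example written for this thread; it is not code from the thread, from Keycloak or from ADFS. It parses both error shapes quoted in the thread, strips the ADFS-style suffix, and groups errors per realm and alias so the benign probe can be told apart from a mistyped import URL. The sample log lines are constructed from the paths in the thread with invented timestamps and logger prefixes, and the set of configured aliases (`saml`, taken from Hynek's descriptor URL) is an assumption.

```python
"""Triage Keycloak SAML-broker descriptor errors from a Keycloak/WildFly log.

Two log shapes are recognised, both of which appear in the thread above:
  "Exception handling request to <path>: <exception>"
  "RESTEASY003210: Could not find resource for full path: <url>"
"""
import re
from urllib.parse import urlparse

# Suffix that ADFS tries first when importing metadata, per the observation above.
ADFS_METADATA_SUFFIX = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Keycloak's SAML broker descriptor path, with an optional trailing part.
DESCRIPTOR_RE = re.compile(
    r"/auth/realms/(?P<realm>[^/]+)/broker/(?P<alias>[^/]+)/endpoint/descriptor"
    r"(?P<suffix>/\S*)?$"
)
HANDLING_RE = re.compile(r"Exception handling request to (?P<path>/\S+?):\s")
RESTEASY_RE = re.compile(r"Could not find resource for full path: (?P<url>\S+)")

# Assumption: brokers actually configured per realm (alias "saml" comes from the
# descriptor URL quoted in the thread; everything else is constructed).
CONFIGURED_ALIASES = {"saml-broker-authentication-realm": {"saml"}}

# Constructed sample log lines: paths from the thread, timestamps and logger
# prefixes invented for illustration.
SAMPLE_LOG = [
    "15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-3) "
    "RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: "
    "Could not find resource for full path: https://10.0.2.2:8443/auth/realms/"
    "saml-broker-authentication-realm/broker/saml/endpoint/descriptor"
    "/FederationMetadata/2007-06/FederationMetadata.xml",
    "15:07:12,004 ERROR [io.undertow.request] (default task-4) Exception handling request to "
    "/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor"
    "/FederationMetadata/2007-06/FederationMetadata.xml: org.jboss.resteasy.spi.UnhandledException: "
    "org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.",
    "15:07:12,010 ERROR [io.undertow.request] (default task-4) Exception handling request to "
    "/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor: "
    "org.jboss.resteasy.spi.UnhandledException: "
    "org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.",
]


def parse_descriptor_error(line):
    """Return {realm, alias, adfs_probe} for a descriptor-related error line, else None."""
    m = HANDLING_RE.search(line)
    if m:
        path = m.group("path")
    else:
        m = RESTEASY_RE.search(line)
        if not m:
            return None
        path = urlparse(m.group("url")).path
    d = DESCRIPTOR_RE.search(path)
    if not d:
        return None
    return {
        "realm": d.group("realm"),
        "alias": d.group("alias"),
        # True when the request carried the ADFS-style metadata suffix.
        "adfs_probe": (d.group("suffix") or "") == ADFS_METADATA_SUFFIX,
    }


def triage(lines, configured_aliases):
    """Group descriptor errors per (realm, alias) and attach a verdict.

    Returns a dict keyed by (realm, alias) with probe/plain counts and a verdict.
    """
    findings = {}
    for line in lines:
        rec = parse_descriptor_error(line)
        if rec is None:
            continue
        entry = findings.setdefault(
            (rec["realm"], rec["alias"]), {"adfs_probe": 0, "plain": 0, "verdict": ""}
        )
        entry["adfs_probe" if rec["adfs_probe"] else "plain"] += 1
    for (realm, alias), entry in findings.items():
        if alias not in configured_aliases.get(realm, ()):
            entry["verdict"] = "alias not configured: check the import URL for a typo"
        elif entry["adfs_probe"] and not entry["plain"]:
            entry["verdict"] = "only the ADFS-style probe failed; the descriptor itself was served"
        else:
            entry["verdict"] = "the descriptor request itself failed; check the broker config"
    return findings


if __name__ == "__main__":
    for (realm, alias), entry in triage(SAMPLE_LOG, CONFIGURED_ALIASES).items():
        print(f"{realm}/{alias}: probe={entry['adfs_probe']} plain={entry['plain']} -> {entry['verdict']}")
```

Run against a real log, the script needs only the configured aliases filled in from the realm's Identity Providers page; a `(realm, alias)` key with a single ADFS-style probe error and no plain descriptor error is the pattern the thread describes as harmless.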