[keycloak-user] AD FS - No assertion from response
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Thu Jul 28 06:31:39 EDT 2016
What does your authnrequest look like? ADFS is really fickle about format.
Common issues with the authnrequest are:
1. Nameidformat
2. Authncontextclassref
3. Sha1 signature
#1 is the biggest issue I see. You need to write a claims rule in adfs to
make sure it maps properly or just remove the nameidformat from the
authnrequest.
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout at greenvalley.nl>
wrote:
Hi,
I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity
provider. I think I’ve set up everything, but I am getting an internal
error from keycloak.
The server log contains
2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37)
UT005023: Exception handling request to
/auth/realms/adfs-realm/broker/adfs/endpoint:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Could not process
response from SAML identity provider.
The root cause is “No assertion from response”
So far the only information about this I have found so far is a keycloak
issue ticket
https://issues.jboss.org/browse/KEYCLOAK-3103
Has anyone got any luck using AD FS in combination with keycloak?
Is there any configuration I could change in AD FS or Keycloak or
workaround this problem?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160728/3aa61198/attachment.html
More information about the keycloak-user
mailing list