[keycloak-user] AD FS - No assertion from response
Robert van Loenhout
r.vanloenhout at greenvalley.nl
Thu Jul 28 11:09:23 EDT 2016
I managed to make it work after using the realm certificate in AD FS (instead of my SSL certificate), installing the Java Cryptography Extension, and setting up a truststore in my web app.
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Robert van Loenhout
Sent: 28 July 2016 13:56
To: Marc Boorshtein <marc.boorshtein at tremolosecurity.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response
I have changed the NameID Policy Format in Keycloak from 'Persistent', which was initially set after importing the FederationMetadata.xml, to 'Unspecified'.
I don't see any error anymore in the AD FS log.
However, I now get a decryption error in the Keycloak server log:
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1532)
at org.keycloak.saml.processing.core.util.XMLEncryptionUtil.decryptElementInDocument(XMLEncryptionUtil.java:472)
... 55 more
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
at javax.crypto.Cipher.unwrap(Cipher.java:2550)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1530)
... 56 more
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:499)
at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:293)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
... 58 more
From: Marc Boorshtein [mailto:marc.boorshtein at tremolosecurity.com]
Sent: 28 July 2016 12:32
To: Robert van Loenhout <r.vanloenhout at greenvalley.nl>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] AD FS - No assertion from response
What does your AuthnRequest look like? AD FS is really fickle about format. Common issues with the AuthnRequest are:
1. NameIDFormat
2. AuthnContextClassRef
3. SHA-1 signature
#1 is the biggest issue I see. You need to write a claims rule in AD FS to make sure it maps properly, or just remove the NameIDFormat from the AuthnRequest.
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout at greenvalley.nl> wrote:
Hi,
I'm trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think I've set everything up, but I am getting an internal error from Keycloak.
The server log contains:
2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
The root cause is "No assertion from response".
So far the only information about this I have found is a Keycloak issue ticket:
https://issues.jboss.org/browse/KEYCLOAK-3103
Has anyone had any luck using AD FS in combination with Keycloak?
Is there any configuration I could change in AD FS or Keycloak, or a workaround for this problem?
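Added example (editor's code, not from the thread, from Keycloak or from AD FS): a standard-library-only Python script that checks, from captured messages, the three things the replies above turn on. It reads the NameIDPolicy Format and the signature algorithm out of Keycloak's AuthnRequest, produces a copy with the NameIDPolicy removed (Marc's fallback), and compares the certificate AD FS wrapped the assertion key to against the realm certificate. That last check is the one behind the second error: RSA-OAEP unwrapping with a private key that does not match the public key used for wrapping fails OAEP unpadding, which Java surfaces exactly as the BadPaddingException("Decryption error") under "Unwrapping failed", and the fix reported at the top of the thread (give AD FS the realm certificate, not the TLS certificate) is the mismatch being removed. The XML messages, certificate blobs and hostnames are constructed placeholders, and it is my assumption that the recipient certificate is referenced as ds:X509Certificate under EncryptedKey/KeyInfo; adapt the XPath if your AD FS build references it differently.

```python
"""Offline checks for the AD FS / Keycloak SAML issues in this thread (stdlib only).
All XML and certificate material below is constructed for illustration."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():  # keep prefixes stable when re-serialising
    ET.register_namespace(_prefix, _uri)

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed stand-ins for DER certificates (any bytes serve for a fingerprint comparison).
REALM_CERT_B64 = base64.b64encode(b"constructed: Keycloak realm certificate DER").decode()
SSL_CERT_B64 = base64.b64encode(b"constructed: web server TLS certificate DER").decode()

# Constructed AuthnRequest shaped like one sent with NameID Policy Format 'Persistent'
# and an RSA-SHA1 signature (signature value omitted).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="ID_constructed" Version="2.0" IssueInstant="2016-07-28T09:08:32Z"
    AssertionConsumerServiceURL="https://sso.example.test/auth/realms/adfs-realm/broker/adfs/endpoint">
  <saml:Issuer>https://sso.example.test/auth/realms/adfs-realm</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def saml_response(encryption_cert_b64):
    """Constructed Response with an EncryptedAssertion; the EncryptedKey names the recipient
    certificate in ds:X509Certificate (an assumption about how AD FS references it)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="ID_resp" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{encryption_cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def diagnose_authn_request(xml_text):
    """Report the NameIDPolicy Format (None if absent) and whether the request is signed with RSA-SHA1."""
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "nameid_format": policy.get("Format") if policy is not None else None,
        "signature_uses_sha1": method is not None and method.get("Algorithm") == RSA_SHA1,
    }


def strip_nameid_policy(xml_text):
    """Return the AuthnRequest without its NameIDPolicy, so AD FS picks the format itself.
    (Removing it from a captured message invalidates the signature; this is for comparing shapes.)"""
    root = ET.fromstring(xml_text)
    for policy in root.findall("samlp:NameIDPolicy", NS):
        root.remove(policy)
    return ET.tostring(root, encoding="unicode")


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, whitespace in the base64 ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def encrypted_key_cert(response_xml):
    """Base64 certificate the IdP wrapped the content-encryption key to, or None."""
    root = ET.fromstring(response_xml)
    node = root.find(".//xenc:EncryptedKey/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return "".join(node.text.split()) if node is not None and node.text else None


def encryption_cert_matches(response_xml, realm_cert_b64):
    """True when AD FS encrypted to the realm certificate, i.e. the realm key can unwrap it."""
    cert = encrypted_key_cert(response_xml)
    return cert is not None and fingerprint(cert) == fingerprint(realm_cert_b64)


if __name__ == "__main__":
    print("AuthnRequest:", diagnose_authn_request(AUTHN_REQUEST))
    print("Without NameIDPolicy:", diagnose_authn_request(strip_nameid_policy(AUTHN_REQUEST)))
    print("AD FS encrypted to TLS cert, realm key fits:", encryption_cert_matches(saml_response(SSL_CERT_B64), REALM_CERT_B64))
    print("AD FS encrypted to realm cert, realm key fits:", encryption_cert_matches(saml_response(REALM_CERT_B64), REALM_CERT_B64))
```

Run it as-is to see the constructed cases; to use it on real traffic, base64-decode the SAMLRequest/SAMLResponse parameters from the browser and pass the XML in, and paste the realm certificate from the Keycloak realm keys page as the second argument of encryption_cert_matches. A False there with an "Unwrapping failed" stack trace means AD FS has the wrong encryption certificate for the relying party, not a broken JCE policy.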
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user