[keycloak-user] Keycloak Java adapter & ADFS

Hynek Mlnarik hmlnarik at redhat.com
Thu Apr 27 05:11:10 EDT 2017


No, this should not be a problem. Adapters do not set the value of
KeyName element (which is controlled by the SAML Signature Key Name
field). If KeyName is unset, ADFS should be able to determine the
correct certificate for signature validation itself by iterating all
available certificates.

--Hynek

On Thu, Apr 27, 2017 at 12:01 AM, Cat Mucius <cat at mucius.tk> wrote:
> Good day,
> I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft
> ADFS (on IdP side).
> As I understood, ADFS expects to receive <KeyInfo> element in <Signature> of
> SAMLRequest in specific format:
> "Importantly, then the SAML Signature Key Name field that shows after
> enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
> as AD FS expects the signing key name hint to be the subject of the signing
> certificate."
> blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
>
> But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
> format:
> <dsig:KeyInfo>
>     <dsig:KeyValue>
>         <dsig:RSAKeyValue>
>             <dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
>             <dsig:Exponent>AQAB</dsig:Exponent>
>         </dsig:RSAKeyValue>
>     </dsig:KeyValue>
> </dsig:KeyInfo>
>
> So I have two questions:
> a. Is it really a problem? Has anyone used the Java adapter successfully to
> authenticate against ADFS?
> b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
> some other format?
>
> Thanks,
> Mucius.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

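The two <KeyInfo> forms discussed in this thread (a <KeyName> carrying the certificate subject, and a <KeyValue>/<RSAKeyValue> carrying modulus and exponent) and the fallback Hynek describes (when there is no usable hint, try every certificate registered for the SP) can be modelled as a small resolver. The code below is an added example written for this thread; it is not Keycloak or ADFS code, and it does not reproduce either product's behaviour exactly. The registered subjects and RSA parameters are constructed sample values, and `REGISTERED_KEYS` stands in for the SP certificates an IdP would have learned from SP metadata, modelling only the fields the resolver needs rather than full X.509 certificates.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _tag(local):
    # Clark-notation tag, e.g. "{http://www.w3.org/2000/09/xmldsig#}KeyName"
    return f"{{{DSIG_NS}}}{local}"


def _b64_to_int(text):
    return int.from_bytes(base64.b64decode(text.strip()), "big")


def _int_to_b64(value):
    length = max(1, (value.bit_length() + 7) // 8)
    return base64.b64encode(value.to_bytes(length, "big")).decode()


# Constructed sample data (not real certificates): the SP signing keys an IdP
# would have learned from SP metadata. Only subject, modulus and exponent are
# modelled because that is all the two KeyInfo forms can refer to.
REGISTERED_KEYS = [
    {"subject": "CN=sp-old.example.test", "n": 0xC0FFEE0123456789ABCDEF, "e": 65537},
    {"subject": "CN=sp.example.test", "n": 0xDEADBEEF0011223344556677, "e": 65537},
]


def build_keyinfo(key, form):
    """Serialise a <dsig:KeyInfo> in one of the two forms from the thread:
    "keyname" (subject in <KeyName>, the CERT_SUBJECT style) or
    "keyvalue" (<RSAKeyValue> with base64 modulus and exponent)."""
    if form == "keyname":
        body = f"<dsig:KeyName>{key['subject']}</dsig:KeyName>"
    elif form == "keyvalue":
        body = (
            "<dsig:KeyValue><dsig:RSAKeyValue>"
            f"<dsig:Modulus>{_int_to_b64(key['n'])}</dsig:Modulus>"
            f"<dsig:Exponent>{_int_to_b64(key['e'])}</dsig:Exponent>"
            "</dsig:RSAKeyValue></dsig:KeyValue>"
        )
    else:
        raise ValueError(f"unknown KeyInfo form: {form}")
    return f'<dsig:KeyInfo xmlns:dsig="{DSIG_NS}">{body}</dsig:KeyInfo>'


def candidate_keys(keyinfo_xml, registered):
    """Return (candidates, how): the registered keys a verifier should try
    for signature validation, narrowed by the KeyInfo hint when one exists.

    The hint only ever narrows the search among keys the IdP already trusts.
    A <KeyValue> matching no registered key yields an empty candidate list,
    so a request signed with an unknown key cannot verify regardless of the
    public key it embeds.
    """
    root = ET.fromstring(keyinfo_xml)
    key_info = root if root.tag == _tag("KeyInfo") else root.find(".//" + _tag("KeyInfo"))
    if key_info is None:
        return list(registered), "iterate-all"

    # Form 1: <KeyName> holding the signing certificate's subject.
    key_name = key_info.findtext(_tag("KeyName"))
    if key_name and key_name.strip():
        wanted = key_name.strip()
        return [k for k in registered if k["subject"] == wanted], "KeyName"

    # Form 2: <KeyValue>/<RSAKeyValue>; match modulus and exponent exactly.
    rsa_path = f"{_tag('KeyValue')}/{_tag('RSAKeyValue')}"
    modulus = key_info.findtext(f"{rsa_path}/{_tag('Modulus')}")
    exponent = key_info.findtext(f"{rsa_path}/{_tag('Exponent')}")
    if modulus and exponent:
        n, e = _b64_to_int(modulus), _b64_to_int(exponent)
        return [k for k in registered if k["n"] == n and k["e"] == e], "KeyValue"

    # No usable hint: the fallback from the thread, try every registered key.
    return list(registered), "iterate-all"


if __name__ == "__main__":
    for form in ("keyvalue", "keyname"):
        xml = build_keyinfo(REGISTERED_KEYS[1], form)
        print(form, candidate_keys(xml, REGISTERED_KEYS))
```

The design point worth keeping in mind is that neither form is a trust decision: the subject or the embedded public key is a lookup hint into the set of keys the IdP already holds for that SP, and the signature is then checked against those. An embedded <KeyValue> that matches nothing registered produces no candidate rather than being used directly, which is why the adapter sending <KeyValue> instead of <KeyName> is a matter of which hint the IdP can act on, not of what the IdP ends up trusting.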