[keycloak-user] Keycloak / Azure AD Federation

Jonas Weismueller jw at blue-yonder.com
Tue Aug 22 08:27:17 EDT 2017


Hi,

we configured AzureAD to use our keycloak instance, like this:

$cer="$our_cert_string"
$uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
$dom="test.domain.cloud"
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri `
    -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

When I now try to log in on the Azure portal, I get successfully
redirected to https://keycloak.internal/auth/realms/azure/protocol/saml,
but then I get the following error from Keycloak:

2017-08-22 11:49:47,735 DEBUG
[org.hibernate.internal.util.EntityPrinter] (default task-3)
org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
sessionId=null, time=1503402587482, error=invalid_authn_request,
type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}

The SAML AuthnRequest sent by M$ looks as follows:

2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
(default task-3) <samlp:AuthnRequest
ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
IssueInstant="2017-08-22T11:47:46.793Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>

What we can see is that the (optional?) Destination attribute is
missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html

Why is Keycloak doing such strict checking on the optional
Destination attribute?

Cheers, Jonas

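The check the post runs into is the IdP comparing the AuthnRequest's Destination attribute with its own SAML endpoint. The schema marks Destination as optional, but binding a request to one endpoint is what stops a request captured from one SP being replayed against another, so an IdP that requires it is being deliberately strict rather than buggy. The following is an added example, not code from the post or from Keycloak: a small Python validator that applies a check of the kind the post's log describes (a missing or mismatched Destination yields invalid_destination) to the AuthnRequest quoted above and to a constructed variant that carries a matching Destination. The endpoint URL is the one from the post; the request bodies and the result dictionary shape are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The Keycloak SAML endpoint named in the post.
KEYCLOAK_ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"

# Constructed sample: the AuthnRequest quoted in the post, which carries no Destination.
REQUEST_WITHOUT_DESTINATION = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" '
    'IssueInstant="2017-08-22T11:47:46.793Z" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    '</samlp:AuthnRequest>'
)

# Constructed sample: the same request with an explicit Destination set to the IdP endpoint.
REQUEST_WITH_DESTINATION = REQUEST_WITHOUT_DESTINATION.replace(
    'Version="2.0"', f'Version="2.0" Destination="{KEYCLOAK_ENDPOINT}"', 1
)


def _normalize(url: str) -> tuple:
    """Compare scheme, host and path case-insensitively, ignoring a trailing slash."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), (parts.path.rstrip("/") or "/")


def check_destination(authn_request_xml: str, expected_endpoint: str) -> dict:
    """Validate the Destination of a SAML 2.0 AuthnRequest against this IdP's endpoint.

    Returns a constructed result dict: {"ok": bool, "reason": str|None, "issuer": str|None}.
    The policy mirrors what the post's Keycloak log reports: a request with no Destination
    is rejected with the same reason as one whose Destination points somewhere else.
    Note: xml.etree is used here for brevity; production code parsing untrusted SAML
    should use a hardened parser (for example defusedxml) to block entity expansion.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"ok": False, "reason": "invalid_request", "issuer": None}

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None

    destination = root.get("Destination")
    if destination is None:
        # Optional per schema, but required here: an unbound request could be replayed
        # against any endpoint, so the IdP refuses to process it.
        return {"ok": False, "reason": "invalid_destination", "issuer": issuer}

    if _normalize(destination) != _normalize(expected_endpoint):
        return {"ok": False, "reason": "invalid_destination", "issuer": issuer}

    return {"ok": True, "reason": None, "issuer": issuer}


if __name__ == "__main__":
    for label, body in (("as sent by Azure AD", REQUEST_WITHOUT_DESTINATION),
                        ("with Destination added", REQUEST_WITH_DESTINATION)):
        print(label, "->", check_destination(body, KEYCLOAK_ENDPOINT))
```

Run as a script, the first request is rejected with reason invalid_destination exactly as in the post's event log, while the variant whose Destination matches the realm's SAML endpoint is accepted; pointing the expected endpoint at a different realm makes the second request fail too, which is the replay case the check exists for.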