[keycloak-user] Keycloak / Azure AD Federation

Hynek Mlnarik hmlnarik at redhat.com
Fri Aug 25 06:20:47 EDT 2017


That is indeed a bug, could you please create JIRA for that?

Thanks

--Hynek

On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller <jw at blue-yonder.com> wrote:
> Hi,
> any further information needed? I would like to get KC <-> Azure AD to
> be connected. Otherwise we are sadly being obliged to look after another
> IdP solution :(
>
> Cheers Jonas
>
> On 22.08.17 14:27, Jonas Weismueller wrote:
>> Hi,
>>
>> we configured AzureAD to use our keycloak instance, like this:
>>
>>
>>
>> $cer="$our_cert_string"
>>
>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>
>> $dom="test.domain.cloud"
>>
>> Set-MsolDomainAuthentication -DomainName $dom  -Authentication Federated
>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>
>>
>>
>> When I know try to login on the azure portal, I get successfully
>> redirected
>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>> I get the following error from keycloak:
>>
>> 2017-08-22 11:49:47,735 DEBUG
>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>
>>
>>
>> The SAML AuthnRequest sent by M$ looks as follows:
>>
>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>> (default task-3) <samlp:AuthnRequest
>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>> IssueInstant="2017-08-22T11:47:46.793Z"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>
>>
>>
>> What we can see, is that the destination (optional?) attribute is
>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>
>>
>>
>> Why is keycloak doing some strict checking about the optional
>> destination parameter?
>>
>>
>>
>> Cheers Jonas
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek


More information about the keycloak-user mailing list