[keycloak-user] Keycloak / Azure AD Federation
Jonas Weismueller
jw at blue-yonder.com
Fri Aug 25 06:39:27 EDT 2017
Sure, thanks a lot for your reply!
On 25.08.17 12:20, Hynek Mlnarik wrote:
> That is indeed a bug, could you please create JIRA for that?
>
> Thanks
>
> --Hynek
>
> On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller <jw at blue-yonder.com> wrote:
>> Hi,
>> any further information needed? I would like to get KC <-> Azure AD to
>> be connected. Otherwise we are sadly obliged to look for another
>> IdP solution :(
>>
>> Cheers Jonas
>>
>> On 22.08.17 14:27, Jonas Weismueller wrote:
>>> Hi,
>>>
>>> we configured AzureAD to use our keycloak instance, like this:
>>>
>>>
>>>
>>> # Signing certificate of the Keycloak realm (Base64 DER, placeholder here)
>>> $cer="$our_cert_string"
>>> # SAML endpoint of the "azure" realm; reused for every URI below
>>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>> $dom="test.domain.cloud"
>>> # Switch the domain to federated authentication against Keycloak via SAML-P
>>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
>>>   -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri `
>>>   -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>>
>>>
>>>
>>> When I now try to log in on the Azure portal, I get successfully
>>> redirected
>>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>>> I get the following error from Keycloak:
>>>
>>> 2017-08-22 11:49:47,735 DEBUG
>>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>>
>>>
>>>
>>> The SAML AuthnRequest sent by M$ looks as follows:
>>>
>>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>>> (default task-3) <samlp:AuthnRequest
>>> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>>> IssueInstant="2017-08-22T11:47:46.793Z"
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
>>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>>>
>>>
>>>
>>> What we can see is that the Destination (optional?) attribute is
>>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>>
>>>
>>>
>>> Why is keycloak doing some strict checking about the optional
>>> destination parameter?
>>>
>>>
>>>
>>> Cheers Jonas
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
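The Destination check under discussion, as an added example that is not part of the thread or of Keycloak's code. SAML 2.0 Core (section 3.2.1) makes Destination optional on a request but says that, when it is present, the recipient must verify it matches the URL the message arrived at and discard the request otherwise; the HTTP-POST and HTTP-Redirect bindings additionally require Destination on signed messages. The code below applies exactly those rules to the AuthnRequest Jonas posted (reconstructed inline as sample input), and to two constructed variants with a matching and a mismatched Destination. The endpoint URL is the one from the thread; the `signed` parameter is an assumption for bindings that carry the signature outside the XML:

```python
"""Destination validation for a SAML 2.0 AuthnRequest, as an IdP should do it.

Rules applied (SAML 2.0 Core 3.2.1, SAML 2.0 Bindings for HTTP-POST/Redirect):
  - Destination absent: allowed for an unsigned request; rejected if signed.
  - Destination present: must equal the URL the request was received at.
"""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the AuthnRequest from the thread (unsigned, no Destination).
AZURE_AD_REQUEST = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" '
    'Version="2.0" IssueInstant="2017-08-22T11:47:46.793Z" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    '</samlp:AuthnRequest>'
)

# The realm's SAML endpoint from the thread.
IDP_ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"


def check_destination(request_xml, received_at, signed=None):
    """Return (accepted, reason).

    `signed` (assumed parameter) overrides detection of an embedded XML
    signature, because the HTTP-Redirect binding carries the signature in
    the query string rather than inside the AuthnRequest.
    """
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        return False, "not_an_authn_request"
    if signed is None:
        signed = root.find(".//{%s}Signature" % NS_DS) is not None
    destination = root.get("Destination")
    if destination is None:
        # Core makes the attribute optional; the bindings only mandate it
        # for signed messages, so an unsigned request without it is valid.
        if signed:
            return False, "invalid_destination: signed request lacks Destination"
        return True, "no_destination_unsigned_request_allowed"
    # When present it must identify where the message was actually received.
    # Exact string comparison on purpose: no normalisation, so a lookalike
    # host or path does not pass.
    if destination != received_at:
        return False, "invalid_destination: %s != %s" % (destination, received_at)
    return True, "destination_matches"


def with_destination(request_xml, destination):
    """Re-emit the request with a Destination attribute (for the examples)."""
    root = ET.fromstring(request_xml)
    root.set("Destination", destination)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_destination(AZURE_AD_REQUEST, IDP_ENDPOINT))
    print(check_destination(AZURE_AD_REQUEST, IDP_ENDPOINT, signed=True))
    print(check_destination(with_destination(AZURE_AD_REQUEST, IDP_ENDPOINT),
                            IDP_ENDPOINT))
    print(check_destination(with_destination(AZURE_AD_REQUEST,
                                             "https://attacker.example/saml"),
                            IDP_ENDPOINT))
```

The request from the thread is accepted by this check because it carries neither a Destination nor a signature; rejecting it outright, as the `invalid_destination` event shows Keycloak doing, is stricter than the specification requires. The mismatch case is the one the attribute exists for: a request replayed to an endpoint other than the one it was addressed to is discarded.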