[keycloak-user] Keycloak Broker - OIDC client with SAML2 identity provider

Hynek Mlnarik hmlnarik at redhat.com
Thu Dec 7 19:13:45 EST 2017


The Response status code has to
be urn:oasis:names:tc:SAML:2.0:status:Success and should include the SAML
assertion but is urn:oasis:names:tc:SAML:2.0:status:Responder instead.
Check ADFS logs on what went wrong.

On Mon, Dec 4, 2017 at 8:24 PM, Jimena Garbarino <jimena at gmail.com> wrote:

> Hi,
>
> Is it possible to configure an OpenID Connect client for authentication,
> using Keycloak as a broker to a SAML2 identity provider (ADFS)?
>
> I am trying to do so, and after ADFS successful authentication, Keycloak
> always displays the login form.
> Thanks,
>
> 2017-12-04 19:16:08,150 DEBUG
> [org.keycloak.services.resources.IdentityBrokerService] (default task-31)
> Authorization code is valid.
> 2017-12-04 19:16:08,152 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder]
> (default task-31) saml document: <samlp:AuthnRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> AssertionConsumerServiceURL="
> https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint"
> Destination="https://adfs/adfs/ls/" ForceAuthn="false"
> ID="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b" IsPassive="false"
> IssueInstant="2017-12-04T19:16:08.151Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Version="2.0"><saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
> https://localhost:8061/auth/realms/master</saml:Issuer><samlp:NameIDPolicy
> AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:
> AuthnRequest>
> 2017-12-04 19:16:08,153 DEBUG
> [org.keycloak.services.resources.IdentityBrokerService] (default task-31)
> Identity provider [org.keycloak.broker.saml.SAMLIdentityProvider at 678796c4]
> is going to send a request
> [org.jboss.resteasy.specimpl.BuiltResponse at 5976b246].
> 2017-12-04 19:16:08,153 DEBUG
> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
> JtaTransactionWrapper  commit
> 2017-12-04 19:16:08,153 DEBUG
> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
> JtaTransactionWrapper end
> 2017-12-04 19:16:08,347 DEBUG
> [org.keycloak.transaction.JtaTransactionWrapper] (default task-64) new
> JtaTransactionWrapper
> 2017-12-04 19:16:08,348 DEBUG
> [org.keycloak.transaction.JtaTransactionWrapper] (default task-64) was
> existing? false
> 2017-12-04 19:16:08,349 DEBUG [org.keycloak.saml.SAMLRequestParser]
> (default task-64) SAML Redirect Binding
> 2017-12-04 19:16:08,349 DEBUG [org.keycloak.saml.SAMLRequestParser]
> (default task-64) <samlp:Response
> ID="_ac706804-f304-4153-88e0-07aee06dd4e6" Version="2.0"
> IssueInstant="2017-12-04T19:16:08.360Z" Destination="
> https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> InResponseTo="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> http://adfs/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder"
> /></samlp:Status></samlp:Response>
> 2017-12-04 19:16:08,350 DEBUG
> [org.keycloak.services.resources.IdentityBrokerService] (default task-64)
> Got authorization code from client [oidc-client].
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.services.resources.IdentityBrokerService] (default task-64)
> Authorization code is valid.
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.AuthenticationProcessor] (default task-64)
> AUTHENTICATE
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.AuthenticationProcessor] (default task-64)
> AUTHENTICATE ONLY
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> processFlow
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> check execution: auth-cookie requirement: ALTERNATIVE
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> execution is processed
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> check execution: auth-spnego requirement: DISABLED
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> execution is processed
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> check execution: identity-provider-redirector requirement: ALTERNATIVE
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> execution is processed
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> check execution: null requirement: ALTERNATIVE
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> execution is flow
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> processFlow
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> check execution: auth-username-password-form requirement: REQUIRED
> 2017-12-04 19:16:08,351 DEBUG
> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-64)
> authenticator: auth-username-password-form
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

--Hynek
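The checks Hynek lists (top-level StatusCode must be Success, and a Success
Response must actually carry the Assertion), as an added example that is not
part of the original thread and not Keycloak's own code. It runs the Responder
Response from the quoted log, with the e-mail line wraps removed, through a
small triage function and contrasts it with a constructed Success Response from
the same issuer. It also goes beyond the reply by correlating the Response with
the broker's own AuthnRequest (InResponseTo must equal the request ID, Destination
must be the broker's endpoint), which is what a practitioner verifies next when
a brokered login silently falls back to the local login form. The request ID and
endpoint URL are taken from the quoted log; the Success Response, its assertion
ID and NameID value are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 protocol and assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the broker knows from the AuthnRequest it sent (values from the quoted log)
REQUEST_ID = "ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b"
ACS_URL = "https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint"

# The Response ADFS returned, exactly as logged above, with e-mail line wraps removed
RESPONDER_RESPONSE = """<samlp:Response ID="_ac706804-f304-4153-88e0-07aee06dd4e6" Version="2.0"
  IssueInstant="2017-12-04T19:16:08.360Z"
  Destination="https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
  InResponseTo="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

# Constructed (not from the thread): the shape of a Success Response from the same IdP
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-ok" Version="2.0" IssueInstant="2017-12-04T19:16:08.360Z"
  Destination="https://localhost:8061/auth/realms/master/broker/adfs-idp-alias/endpoint"
  InResponseTo="ID_ad013a22-7c3b-4aa9-a8f9-3fcf6a7cb96b">
  <saml:Issuer>http://adfs/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2017-12-04T19:16:08.360Z">
    <saml:Issuer>http://adfs/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user@example.org</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def triage_response(xml_text, expected_in_response_to, expected_destination):
    """Return a list of findings for a samlp:Response; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is %s, not samlp:Response" % root.tag]

    # 1. Correlate with the outbound AuthnRequest: for an SP-initiated login the
    #    Response must name the request the broker sent and be addressed to the
    #    broker's own endpoint, otherwise it cannot complete that pending login.
    irt = root.get("InResponseTo")
    if irt != expected_in_response_to:
        findings.append("InResponseTo %r does not match AuthnRequest ID %r"
                        % (irt, expected_in_response_to))
    dest = root.get("Destination")
    if dest != expected_destination:
        findings.append("Destination %r is not this broker's endpoint %r"
                        % (dest, expected_destination))

    # 2. Top-level status: anything but Success means the IdP refused to issue
    #    an assertion for this SP, whatever the user saw on the IdP's screen.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != STATUS_SUCCESS:
        detail = "StatusCode is %s, expected %s" % (value, STATUS_SUCCESS)
        sub = code.find("samlp:StatusCode", NS) if code is not None else None
        if sub is not None:  # second-level code, when the IdP supplies one
            detail += " (second-level code %s)" % sub.get("Value")
        msg = root.find("samlp:Status/samlp:StatusMessage", NS)
        if msg is not None and msg.text:
            detail += ": " + msg.text.strip()
        findings.append(detail)

    # 3. A usable Response carries the assertion the broker maps to a user;
    #    without one there is nothing to log the user in with.
    if (root.find("saml:Assertion", NS) is None
            and root.find("saml:EncryptedAssertion", NS) is None):
        findings.append("no saml:Assertion or saml:EncryptedAssertion in the Response")
    return findings


if __name__ == "__main__":
    for name, doc in (("ADFS Responder response", RESPONDER_RESPONSE),
                      ("constructed Success response", SUCCESS_RESPONSE)):
        problems = triage_response(doc, REQUEST_ID, ACS_URL)
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run against the logged Response this reports the Responder status and the
missing assertion, which is why Keycloak has no brokered identity to work with
and falls through to the username/password form; the second-level StatusCode and
StatusMessage, when ADFS includes them, are the first thing to read before going
to the ADFS event log.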