[keycloak-user] Server 2016 ADFS won't accept descriptor

Hynek Mlnarik hmlnarik at redhat.com
Thu Jul 27 01:50:41 EDT 2017


Just for info - I have just tried to set up AD FS 2012 according to the blog
post and there was no import error or anything reported; everything just
worked as it should. Did you manage to find out what was causing you the
issues?

--Hynek

On Fri, Jul 21, 2017 at 8:51 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> In that case I don't think it is a Keycloak issue but rather an AD FS or
> setup issue. Reportedly, there are people using AD FS 2016 brokering (see
> [1]), so there must be something else in the way. I'm curious what that can
> be. Firewall? Not using https? Using IP addresses instead of domain names?
> Just guessing, I don't know, and will be glad if you find out and share.
>
> --Hynek
>
> [1] http://lists.jboss.org/pipermail/keycloak-user/2017-March/010138.html
>
> On Fri, Jul 21, 2017 at 4:25 PM, John Craft <John.Craft at geocent.com>
> wrote:
>
>> Yep, it reports as valid.
>>
>>
>> This isn't supposed to be difficult.
>>
>>
>> I entered the params manually, it seemed to take them.  I'll know more
>> when I finish and try the brokered connection.
>>
>>
>> Thanks.
>>
>>
>> JC.
>>
>>
>>
>>
>> ------------------------------
>> *From:* Hynek Mlnarik <hmlnarik at redhat.com>
>> *Sent:* Friday, July 21, 2017 8:00 AM
>> *To:* John Craft
>> *Subject:* Re: [keycloak-user] Server 2016 ADFS won't accept descriptor
>>
>> Have you tried the descriptor validation?
>>
>> On Fri, Jul 21, 2017 at 2:29 PM, John Craft <John.Craft at geocent.com>
>> wrote:
>>
>>> Sorry, I never get past the part in ADFS to set up the trust
>>> relationship. There is no event log as it never accepts the Keycloak
>>> descriptor.
>>>
>>>
>>>
>>> John Craft
>>> Senior Software Engineer, GISP
>>> Geocent, LLC
>>> Cell: 601-299-1830
>>> Stennis Space Center MS
>>> www.geocent.com | John.Craft at Geocent.com
>>>
>>> On Jul 21, 2017, at 7:05 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>>>
>>> Thanks. I am afraid more details would be needed, those from Windows
>>> Event Viewer. Furthermore, the descriptor should pass "metadata" type of
>>> validation [1]; you can try that. If the descriptor passes, there is not
>>> much to be done on the Keycloak side.
>>>
>>> [1] https://www.samltool.com/validate_xml.php
>>>
>>> On Fri, Jul 21, 2017 at 1:43 PM, John Craft <John.Craft at geocent.com>
>>> wrote:
>>>
>>>>
>>>> What is the Keycloak version?
>>>>
>>>> 3.1.0.Final
>>>>
>>>> What is the URL for "help docs"? AFAIK
>>>> there is only a blog post and no docs within the Keycloak documentation.
>>>>
>>>> http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
>>>>
>>>>
>>>>
>>>> What error is reported by ADFS?
>>>>
>>>> Details of the error can usually be
>>>> found in Windows Event Viewer.
>>>>
>>>>
>>>>
>>>> --Hynek
>>>>
>>>> On Fri, Jul 21, 2017 at 3:28 AM, John Craft <John.Craft at geocent.com>
>>>> wrote:
>>>> > I've installed Windows Server 2016 with ADFS. When I try to create
>>>> > the trust as per the Keycloak help docs, ADFS reports the descriptor as
>>>> > malformed. Anybody had experience with this?
>>>> >
>>>> > John Craft
>>>> > Senior Software Engineer, GISP
>>>> > Geocent, LLC
>>>> > Cell: 601-299-1830
>>>> > Stennis Space Center MS
>>>> > www.geocent.com | John.Craft at Geocent.com
>>>>
>>>>



-- 

--Hynek

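The "metadata" validation Hynek points to is a hosted tool. As an added example (not Keycloak's or AD FS's own code), here is an offline structural check of a SAML 2.0 SP descriptor of the kind a broker hands to its IdP partner; besides the required metadata elements it flags the conditions speculated on in the thread: a missing entityID, endpoints that are not https, and IP literals in place of host names. The sample descriptor, its host and paths are constructed placeholders, not taken from any real deployment.

```python
import ipaddress
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

def check_sp_descriptor(xml_text: str) -> list:
    # Returns the problems found; an empty list means the descriptor passed.
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor lacks entityID attribute")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")  # the broker acts as SP toward AD FS
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", ""):
        problems.append("SPSSODescriptor does not advertise SAML 2.0 protocol support")
    if sp.find(f"{{{MD}}}KeyDescriptor") is None:
        problems.append("no KeyDescriptor, so the partner cannot verify signed messages")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for ep in acs:
        loc = ep.get("Location", "")
        if not ep.get("Binding") or not loc:
            problems.append("AssertionConsumerService missing Binding or Location")
            continue
        url = urlparse(loc)
        if url.scheme != "https":  # plain http is one of the causes suspected in the thread
            problems.append(f"endpoint {loc} is not https")
        try:
            ipaddress.ip_address(url.hostname or "")
            problems.append(f"endpoint {loc} uses an IP literal instead of a host name")
        except ValueError:
            pass  # hostname is a DNS name, which is what we want
    return problems

# Constructed sample (placeholder host and paths; KeyInfo omitted for brevity).
GOOD_SP = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sso.example.test/realms/demo">
 <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}"><md:KeyDescriptor use="signing"/>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sso.example.test/realms/demo/broker/adfs/endpoint"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
BAD_SP = GOOD_SP.replace(' entityID="https://sso.example.test/realms/demo"', "").replace(
    "https://sso.example.test/realms/demo/broker", "http://10.0.0.5/realms/demo/broker")
```

Run `check_sp_descriptor` over the descriptor fetched from the broker before importing it on the AD FS side; the BAD_SP variant shows the three findings the thread guesses at.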

More information about the keycloak-user mailing list