[keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Hynek Mlnarik hmlnarik at redhat.com
Tue Mar 7 04:58:52 EST 2017


What are your Keycloak and ADFS versions? What are the responses you receive from ADFS? Please enable logging of SAML messages to see them (see [1] for how to do that).

A wild guess: does setting the "NameID Policy Format" [2] to "Windows Domain Qualified Name" help?

--Hynek

[1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedCommentId=13336560&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13336560
[2] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/saml.html

On 03/03/2017 09:49 PM, Glenn Campbell wrote:
> Thank you for your suggestions. Making those changes seems to have solved that problem. I don't think I would have ever figured that out on my own.
>
> Now I'm on to the next problem. When I enter the login credentials on the SAML IdP login page I get an error in Keycloak and the log file has a "Could not process response from SAML identity provider" error message with a root cause of "No assertion from response".
>
> Do you have any suggestions on what I need to do to fix this problem?
>
> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik at redhat.com <mailto:hmlnarik at redhat.com>> wrote:
>
>     Actually https matters, ADFS had been rejecting any SAML communication
>     with keycloak for me until https was enabled. Also for ADFS, there is
>     a special setting for the KeyInfo element that needs to be set to
>     CERT_SUBJECT in SAML Signature Key Name option of SAML Identity
>     Provider settings [1].
>
>     [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html <https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html>
>
>     On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg at teds.com <mailto:campbellg at teds.com>> wrote:
>     > What is the correct way to set up identity brokering from Keycloak to ADFS?
>     > I’m new to ADFS so I suspect I’ve configured something incorrectly there.
>     >
>     > Here’s what I’ve done so far:
>     >
>     > 1) Installed ADFS.
>     > 2) Opened ADFS Management.
>     > 3) Walked through the ADFS Configuration Wizard.
>     > At one point in the process it asked which certificate I wanted to use. I
>     > didn’t have one so I went into IIS Manager and created a self-signed
>     > certificate. Then I came back to the ADFS Configuration Wizard and selected
>     > the newly created certificate.
>     > At the end of the process there was a list of configuration items that had
>     > been performed and they all had green checkmarks by them.
>     > Clicked Close.
>     >
>     > 4) At this point ADFS Management said I needed to configure a Trusted
>     > Relying Party so I went to Keycloak to start setting up that side of things.
>     > 5) Since the certificate used by ADFS is self-signed I exported it from IIS
>     > and imported it into the Wildfly jssecerts where Keycloak is running and
>     > restarted Wildfly/Keycloak.
>     > 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
>     > server>/FederationMetadata/2007-06/FederationMetadata.xml
>     > 7) In Keycloak admin console, on the Identity Providers page I chose “Add
>     > provider… SAML v2.0”
>     > 8) Entered an alias for the new IdP then in “Import from file -> Select
>     > File” I chose the FederationMetadata.xml that I acquired from the ADFS
>     > server.
>     > 9) Saved the IdP configuration.
>     > 10) Went to the Export tab of the newly created IdP and downloaded the xml
>     > config file.
>     >
>     > 11) At this point I went back to ADFS Management and followed the steps to
>     > create a Trusted Relying Party, choosing to import data about the relying
>     > party from the xml file exported from Keycloak.
>     > 12) For the rest of the Relying Party configuration I accepted the defaults.
>     >
>     > When I go to the url for my application I’m redirected to the Keycloak
>     > login screen where I select the Identity Provider I configured. I get a
>     > security certificate warning since the certificate from the server is
>     > self-signed but I choose to continue despite the warning. Then I get an
>     > error page saying there was a problem accessing the site. I don’t get the
>     > ADFS page where I would enter my login credentials.
>     >
>     > I don’t know if it matters but my application and Keycloak currently use
>     > http rather than https.
>     >
>     > Any help would be greatly appreciated.
>     > Thanks in advance,
>     > Glenn
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>     --
>
>     --Hynek
>
>

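Added example, not code from the thread, from Keycloak or from ADFS: once SAML message logging is on (reference [1] above), the script below summarises what the logged messages actually carry. For a samlp:Response from ADFS it reports the (nested) StatusCode values, whether the response contains a plain saml:Assertion, only a saml:EncryptedAssertion, or neither, and the NameID Format of a plain assertion; for the AuthnRequest Keycloak sends it reports the samlp:NameIDPolicy Format (what the "NameID Policy Format" setting in [2] controls) and the ds:KeyName inside ds:Signature/ds:KeyInfo. Assumptions: the XML messages are constructed samples (the hostnames keycloak.example.test and adfs.example.test are placeholders), and the KeyName check assumes the "SAML Signature Key Name" option (KEY_ID / CERT_SUBJECT) is written into ds:KeyName, so a value that looks like a certificate subject DN indicates CERT_SUBJECT. Parse real captures with defusedxml rather than the stdlib parser if they come from an untrusted source.

```python
"""Inspect logged SAML 2.0 messages from a Keycloak <-> ADFS brokering setup.
Added example; the XML below is constructed, not captured from the thread."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted captures

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Format behind "Windows Domain Qualified Name" in the Keycloak SAML IdP settings.
NAMEID_WINDOWS = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"


def inspect_response(xml_text):
    """Summarise a samlp:Response: status codes, assertion presence, NameID format."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    status = root.find("samlp:Status", NS)
    # iter() walks nested StatusCode elements in document order (outer first).
    codes = [e.get("Value") for e in status.iter("{%s}StatusCode" % NS["samlp"])] if status is not None else []
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    findings = []
    if not codes or codes[0] != STATUS_SUCCESS:
        detail = " (%s)" % msg.text if msg is not None and msg.text else ""
        findings.append("ADFS reported failure: %s%s" % (" / ".join(c or "?" for c in codes) or "<no StatusCode>", detail))
    if assertion is None and encrypted is None:
        findings.append("no saml:Assertion or saml:EncryptedAssertion in the response")
    elif assertion is None:
        findings.append("assertion is encrypted only; the broker needs the private key matching the certificate ADFS encrypted to")
    elif name_id is None:
        findings.append("assertion has no saml:Subject/saml:NameID")
    return {
        "status": codes,
        "assertion": "plain" if assertion is not None else ("encrypted" if encrypted is not None else None),
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "findings": findings,
    }


def inspect_authn_request(xml_text):
    """Report NameIDPolicy Format and the ds:KeyName of a signed AuthnRequest.
    Assumption: the Keycloak signature key-name option is carried in ds:KeyName."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    policy = root.find("samlp:NameIDPolicy", NS)
    key_name = root.find("ds:Signature/ds:KeyInfo/ds:KeyName", NS)
    text = key_name.text.strip() if key_name is not None and key_name.text else None
    # A subject DN starts with an RDN such as CN=...; a key id (KEY_ID) does not.
    looks_like_dn = bool(text and re.match(r"^(CN|OU|O|L|ST|C|DC)=", text, re.I))
    return {
        "nameid_policy_format": policy.get("Format") if policy is not None else None,
        "key_name": text,
        "key_name_is_subject_dn": looks_like_dn,
    }


# Constructed samples (placeholders, not real captures).
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2017-03-03T20:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" IssueInstant="2017-03-03T20:00:01Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-03T20:00:01Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">EXAMPLE\\glenn</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_q1" Version="2.0" IssueInstant="2017-03-03T19:59:59Z" Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>http://keycloak.example.test/auth/realms/demo</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>omitted</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>CN=keycloak.example.test</ds:KeyName></ds:KeyInfo></ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName" AllowCreate="true"/>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for label, xml in (("failed", FAILED_RESPONSE), ("ok", OK_RESPONSE)):
        print(label, inspect_response(xml))
    print("request", inspect_authn_request(AUTHN_REQUEST))
```

Run it against the Response you see in the log: a non-Success StatusCode, or a response with neither Assertion nor EncryptedAssertion, tells you ADFS never issued a usable assertion, so the relying-party trust on the ADFS side is the place to look; an EncryptedAssertion points at decryption on the Keycloak side instead.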
