[keycloak-user] ADFS integration issue

Dmitry Korchemkin moon3854 at gmail.com
Wed Mar 29 08:55:27 EDT 2017


Ok, so I double checked this behaviour and I'm indeed providing the correct
link to the ADFS (directly from browser with xml opened). What's
interesting is that while this error appears in Keycloak, ADFS seems to be
importing everything just fine, so it doesn't look like it's affecting
anything.

It looks like ADFS is first checking whether the user provided a link to
another ADFS (but maybe omitted the /federationmetadata/* part) and when it
fails to find anything there it uses the link as provided. I can back this
claim with a little observation - when given a fake url, it generates two
errors within Keycloak instead of just one for the correct url:

1) Exception handling request to
/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
[adfs-localll] not found.

2) Exception handling request to
/auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Identity Provider
[adfs-localll] not found.

As you can see, first it fails to import xml from the "ADFS-style" path, then
it fails to get xml from the link I actually gave it. Not sure why
Microsoft added this bit of behaviour, but it seems mostly harmless so far.

2017-03-28 22:01 GMT+03:00 Hynek Mlnarik <hmlnarik at redhat.com>:

> It is the other way round - as RESTEASY003210 was found in keycloak's
> log, something (maybe ADFS) attempted to access the nonexistent URL in
> Keycloak.
>
> I don't know about W2016 as I don't have it anywhere so I cannot check
> whether import does not try ADFS-like descriptor url (that part after
> .../descriptor/) automatically. AFAIK, W2012 does not do that, at
> least I've not been able to reproduce this behaviour. I'm no ADFS
> expert though.
>
> Did you enter exactly
> "https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor"
> for the import URL in relying trust party setup? Can you please double
> check? If the same issue happens again, I'll update the blog with a
> new "common issue".
>
> Thanks,
>
> --Hynek
>
>
> On Tue, Mar 28, 2017 at 4:44 PM, Marc Boorshtein
> <marc.boorshtein at tremolosecurity.com> wrote:
> >> 15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
> >> task-3) RESTEASY002010: Failed to execute:
> javax.ws.rs.NotFoundException:
> >> RESTEASY003210: Could not find resource for full path:
> >> https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml
> >>
> >
> > looks like keycloak is trying to load adfs' metadata so use
> > https://adfs.server.com/FederationMetadata/2007-06/FederationMetadata.xml
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
>


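As an added example (not from this thread or the Keycloak project), a small Python triage script that classifies Keycloak log lines like the ones quoted above: a RESTEASY003210 404 on the ADFS-style suffix of a valid broker descriptor URL is the harmless probe described in the thread, while "Identity Provider [...] not found" means the alias in the URL does not exist in the realm. The sample log lines are constructed from the messages quoted above; the exact log wording is an assumption.

```python
import re

# Constructed sample Keycloak log lines, modelled on the two exceptions
# and the RESTEASY003210 error quoted in the thread (format assumed).
SAMPLE_LOG = """\
Exception handling request to /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml: org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.
Exception handling request to /auth/realms/saml-broker-authentication-realm/broker/adfs-localll/endpoint/descriptor: org.keycloak.broker.provider.IdentityBrokerException: Identity Provider [adfs-localll] not found.
RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker/saml/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml
"""

# Path ADFS appends when it first guesses the URL points at another ADFS.
ADFS_SUFFIX = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Keycloak SAML broker descriptor path: realm and provider alias are
# captured; "rest" is whatever follows "/descriptor" (empty or the suffix).
DESCRIPTOR_RE = re.compile(
    r"/auth/realms/(?P<realm>[^/\s]+)/broker/(?P<alias>[^/\s]+)"
    r"/endpoint/descriptor(?P<rest>[^\s:]*)"
)
MISSING_ALIAS_RE = re.compile(r"Identity Provider \[(?P<alias>[^\]]+)\] not found")


def classify(line):
    """Return a triage dict for a descriptor-related log line, else None."""
    m = DESCRIPTOR_RE.search(line)
    if not m:
        return None
    adfs_probe = m.group("rest") == ADFS_SUFFIX
    if MISSING_ALIAS_RE.search(line):
        # The alias in the URL given to ADFS does not exist in the realm:
        # a misconfiguration, whether or not ADFS added its suffix.
        verdict = "alias-not-in-realm"
    elif "RESTEASY003210" in line and adfs_probe:
        # ADFS probing the ADFS-style path on a valid broker URL; Keycloak
        # has no resource there and ADFS falls back to the URL as given.
        verdict = "adfs-probe-harmless"
    else:
        verdict = "unexpected"
    return {"realm": m.group("realm"), "alias": m.group("alias"),
            "adfs_probe": adfs_probe, "verdict": verdict}


def triage(log_text):
    """Classify every descriptor-related line in a Keycloak log excerpt."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```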