noircc

Reputation: 640

Keycloak AD FS Interaction

I created a SAML Identity Provider in Keycloak. The single sign-on URL is https://[URL]/adfs/ls as stated in the FederationMetadata.xml.

If I am now using the Keycloak user login, I see a link where I'll be redirected to the single sign-on page, but after that I get an error, because I didn't specify any query parameter like wa=signin1.0 or whr=https:\\foo\adfs\services\trust or wtrealm=https:\\sso.foo.bar.

If I include these parameters in the single sign-on URL correctly, I can log in, but Keycloak doesn't recognise what happened.

As it seems to me, the URL configured as single sign-on URL does nothing, and the Identity Provider as I have configured it in Keycloak is useless.

Can anyone help me with some pointers to increase my understanding of the interaction between AD FS and Keycloak and how they work together?

Upvotes: 3

Views: 7758

Answers (1)

christian

Reputation: 1705

I recently worked on a project where we set up Keycloak to act as an SP to an ADFS IdP.

We were only able to get the SAML requests to process correctly when the following settings were set:

IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
SignatureAlgorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT

In addition to updating the NameID Policy within Keycloak (as SP), we also had to have custom settings on the IdP side to ensure the NameID was sent back in the persistent format.

Upvotes: 2
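Added example, not code from the question or the answer: a small Python script that reads the SAML 2.0 IDPSSODescriptor from an AD FS FederationMetadata.xml (the part the single sign-on URL is taken from; the WS-Federation wa=/wtrealm= parameters belong to the separate WS-Federation role and play no part in the SAML flow Keycloak drives with a SAMLRequest), takes the HTTP-Redirect endpoint and the IdP signing certificate so Keycloak can validate response signatures, checks that the persistent NameID format is advertised, and emits the answer's settings as a Keycloak identity-provider config. The metadata is a constructed sample, and the Keycloak config key names are assumed from its SAML identity-provider settings.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample, trimmed to the elements of FederationMetadata.xml that matter here.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://sso.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sso.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def keycloak_idp_config(metadata_xml: str) -> dict:
    """Build the Keycloak SAML IdP config from AD FS metadata, failing closed on missing pieces."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)  # SAML role only; WS-Fed RoleDescriptor is ignored
    if idp is None:
        raise ValueError("no SAML 2.0 IDPSSODescriptor in metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    if PERSISTENT not in formats:
        raise ValueError("IdP does not advertise the persistent NameID format")
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if cert is None:
        raise ValueError("no signing certificate; IdP signatures could not be validated")
    return {  # key names assumed from Keycloak's SAML identity-provider config; values are strings
        "singleSignOnServiceUrl": sso[0],
        "nameIDPolicyFormat": PERSISTENT,
        "wantAuthnRequestsSigned": "true",
        "wantAssertionsSigned": "true",
        "signatureAlgorithm": "RSA_SHA256",
        "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
        "validateSignature": "true",
        "signingCertificate": "".join(cert.text.split()),
    }
```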
