Configure MS ADFS 3.0 as Brokered Identity Provider in Keycloak¶
Configure the Keycloak Server for SSL/TLS Transport¶
- Set the Keycloak HTTPS port to
443
. - In order to enable outgoing HTTPS connections, export the ADFS certificate into a Java truststore:
- In the ADFS management console, go to
Service/Certificates node
and export the service communications certificate. - Import the certificate into a Java truststore (JKS format) using the Java keytool utility.
- Setup the truststore in Keycloak as described in Keycloak Server Installation.
- In the ADFS management console, go to
Configure the Identity Provider in Keycloak¶
Configure Basic Properties of a Brokered Identity Provider¶
-
Open the Keycloak web interface.
-
Log on as administrator.
-
Click
Identity Providers
and add a new SAML v.2.0 provider.Hint - memorize alias
Do not forget the provider alias you entered, you will need it later!
-
Scroll to the bottom of the page.
-
In
Import from URL
, enter the ADFS descriptor URL:https://<ADFSdomainname>/FederationMetadata/2007-06/FederationMetadata.xml
-
Click
Import
and check the settings.- The following settings are to be enabled:
Backchannel Logout
HTTP-POST Binding Response
HTTP-POST Binding for AuthnRequest
Validate Signature
- The following settings are to be enabled:
-
If the authentication requests sent to the ADFS instance are expected to be signed, enable the
Want AuthnRequests Signed
option. Set theSAML Signature Key Name
field, that shows after enabling theWant AuthnRequests Signed
option toCERT_SUBJECT
, because ADFS expects the signing key name hint to be the subject of the signing certificate. -
If the ADFS is set up to respond with
name
ID in the Windows Domain Qualified Name format, set theNameID Policy Format
field accordingly.
Configure Mappers¶
ADFS sends email information in SAML assertion.
To transform these and other details from SAML document issued by ADFS to the Keycloak user store, set up mappers in the Mappers
tab of the identity provider:
-
For
email
the mapper is of typeAttribute Importer
. Map the user attributeemail
tohttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
. -
For
username
the mapper is of typeUsername Template Importer
. Map the user attributeusername
to${ATTRIBUTE.http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname}
. -
For
surname
the mapper is of typeAttribute Importer
. Map the user attributelastName
tohttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
. -
For
given name
the mapper is of typeAttribute Importer
. Map the user attributefirstName
tohttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
.
Obtain Information for the ADFS Configuration¶
-
Specify the SAML service provider descriptor URI that is used in ADFS setup from the
Redirect URI
field in the identity provider by adding/descriptor
to the URI in this field. -
The URI is similar to
-
https://<Keycloak domain name>/auth/realms/master/broker/<identity provider alias>/endpoint/descriptor
.Hint - URI check
Check the naming of the URI by entering the URI into the browser. As a result, you should receive a SAML service provider XML descriptor.
-
Configure Relying Party Trust in ADFS¶
Configure Relying Party¶
-
In the ADFS management console, click
Trust relationships/Relying Party Trusts
. -
Select
Add Relying Party Trust
. -
A wizard opens.
-
Enter the SAML descriptor URL obtained in the previous step into the
Federation metadata
address field. -
Import the ADFS the settings.
-
Proceed with the wizard, and adjust the settings where appropriate.
Hint - further settings
Use only the default settings. You have to edit the
claim rules
. Leave the checkbox of the last page of the wizard on.
Configure Claim Mapping¶
Now, the SAML protocol would proceed correctly, ADFS would be able to correctly authenticate the users according to requests from Keycloak but the requested name ID format is not yet recognized and SAML response would not contain any additional information like e-mail. It is hence necessary to map claims from AD user details into SAML document.
We will set up two rules: one for mapping the user ID and a second one for mapping the standard user attributes. All start by clicking the Add Rule
button in the Edit Claim Rules dialog.
Rule for Mapping user ID
¶
- Open the
Edit Claim Rules
dialog. - In the
Add Transform Claim Rule
dialog, selectTransform an incoming claim
. -
Map the following attributes:
Name ID
asrule name
Windows account name
for propertyIncoming claim type
Name ID
for propertyOutgoing claim type
Windows qualified Domain Name
for propertyOutgoing name ID format
-
Click
Finish
to add the rule.
Rule for Mapping the Attributes of the Standard User¶
- Open the
Edit Claim Rules
dialog. - In the
Add Transform Claim Rule
dialog, selectSend LDAP attributes as Claims rule
. -
Map the following attributes:
E-Mail-Addresses
toE-Mail Address
SAM-Account-Name
toSubject Name
- Your LDAP attributes for
surname
andgiven name
-
Add other attributes if needed.
Troubleshooting¶
Check the Communication between Keycloak and ADFS¶
-
Check if SAML messages are sent back and forth between Keycloak and ADFS in your a web browser and capture the communication messages. From the captured communication, you see the error status codes and the actual attribute names and values in SAML assertion necessary for setting up mappers.
Hint - SAML decoders
The SAML decoders are available as browser extensions (e. g. SAML Tracer for Firefox, SAML Chrome Panel for Google Chrome).
Example - unrecognized name ID format
Unless the name ID format is recognized, ADFS returns a SAML response containing the
urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy
status code.
Check the Log Files¶
- The ADFS log files are available in the event viewer:
Applications and Services Logs/ADFS/Admin
- For Keycloak, enable tracing of the SAML processing by connecting to the running Keycloak instance:
jboss-cli.sh
-
Enter the following commands:
/subsystem=logging/logger=org.keycloak.saml:add(level=DEBUG) /subsystem=logging/logger=org.keycloak.broker.saml:add(level=DEBUG)
SAML messages and broker-related SAML processing messages are displayed in the Keycloak server log.
Literature - SEAL Print Client knowledge base
For further information and known problems, refer to SEAL Print Client Knowledge Base.