[keycloak-user] Keycloak Java adapter & ADFS

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[keycloak-user] Keycloak Java adapter & ADFS

Cat Mucius
Good day,

I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft
ADFS (on IdP side).
As I understood from this article [1], ADFS expects to receive <KeyInfo>
element in <Signature> of SAMLRequest in specific format:
"Importantly, then the SAML Signature Key Name field that shows after
enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
as AD FS expects the signing key name hint to be the subject of the signing
certificate."

But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
format [2]:
<dsig:KeyInfo>
    <dsig:KeyValue>
        <dsig:RSAKeyValue>

        <dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
            <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
    </dsig:KeyValue>
</dsig:KeyInfo>

So I have two questions:
a. Is it really a problem? Has anyone used the Java adapter successfully to
authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
some another format?

Thanks,
Mucius.

Links:
[1]
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user
Reply | Threaded
Open this post in threaded view
|

Re: [keycloak-user] Keycloak Java adapter & ADFS

kedward777
This post has NOT been accepted by the mailing list yet.
Did you ever get the Keycloak java adapter working with the ADFS? Lessons learned?