We are trying to use Keycloak for identity brokering (ADFS, OIDC/SAML protocol) and set up SSO functionality for our application.
Following great references such as the Keycloak documentation and other posts from this group, we managed to steer our way through configuring Keycloak in our local environment to authenticate a dummy client using an OIDC/SAML IdP. Since we also required HTTPS to talk to ADFS, we modified the standalone.xml configuration file accordingly and added the self-signed certificate to a keystore. Similarly, we added the ADFS server certificate to a keystore and configured it under the SPI truststore.
The challenge arose when trying to simulate the setup on Docker by making changes to the standalone-ha.xml configuration file. Taking a similar approach, we generated self-signed certificates for Keycloak and mounted them as suggested here. However, we are stuck with the below identity provider error message:
The logs are attached via Pastebin for your reference. (link)
Any advice on resolving the error, or on best practices for this setup, is appreciated.
I did come across the post you are referring to; however, I haven't yet tried backtracking. Will do and let you know how it goes.
I was also wondering if this issue may lie with the keystore that contains the self-signed certificates. As you know, when we mount the tls.crt and tls.key to the corresponding path, as mentioned in your SO answer, a keystore, namely https-keystore.jks, is created at /opt/jboss/keycloak/standalone/configuration/keystores/. Since the standalone-ha.xml was configured to access application.keystore by default, I had edited the x509.sh to create keystores with my preferred password for the auto-generated keystore and made the necessary edits to the standalone-ha.xml file (essentially replacing application.keystore with https-keystore.jks). Do you think this route could have created additional errors, resulting in the one mentioned in the post?
You need to understand TLS and the roles in a TLS connection: client and server.
Your browser/client is connecting to Keycloak/server. But there is also Keycloak/client connecting to another IdP/server (ADFS in your case). All clients need the correct CA certificate(s) to be able to verify the TLS connection. It can be more complicated with X509 (mutual TLS/mTLS), where client certificates are also included and the server verifies them. Also, Java may have security settings defined that force the use of specific TLS versions/ciphers. So there are many moving parts where it can go wrong in your case, ¯\(ツ)/¯, and you need to verify them.
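To make the "Keycloak is also a TLS client" point from the reply above concrete, here is an added example that is not part of the thread and not Keycloak's or the Docker image's own scripts. It reproduces the Keycloak-to-ADFS leg with openssl: a throwaway self-signed certificate stands in for the ADFS server certificate, verification is attempted once with an unrelated certificate in the trust store (the failure mode the poster is hitting) and once with the ADFS certificate itself, and the trusted certificate is then imported into a JKS truststore of the kind the Keycloak truststore SPI is pointed at. All hostnames, file names, the alias and the password are assumptions for illustration; everything is generated into a temp directory, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates why the TLS *client*
# (here: Keycloak talking to ADFS) needs the right CA/server certificate in its
# trust store. Hostnames, file names, alias and password are assumptions.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate standing in for the ADFS server certificate.
gen_fake_adfs_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=adfs.example.test" \
        -keyout "$WORK/adfs.key" -out "$WORK/adfs.crt" >/dev/null 2>&1
}

# An unrelated self-signed certificate: what ends up in the trust store when
# the wrong certificate (e.g. Keycloak's own HTTPS cert) is imported instead.
gen_wrong_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=keycloak.example.test" \
        -keyout "$WORK/wrong.key" -out "$WORK/wrong.crt" >/dev/null 2>&1
}

# Trust store holds the wrong certificate: no chain can be built, which is
# the same failure the Java client inside Keycloak reports for the IdP.
verify_with_wrong_ca() {
    openssl verify -CAfile "$WORK/wrong.crt" "$WORK/adfs.crt" >/dev/null 2>&1
}

# Trust store holds the ADFS certificate (self-signed, so it is its own
# anchor): verification succeeds.
verify_with_trust() {
    openssl verify -CAfile "$WORK/adfs.crt" "$WORK/adfs.crt" >/dev/null 2>&1
}

# Build the JKS truststore that the Keycloak "truststore" SPI would reference.
# Runs only where a JDK keytool is on PATH; alias and password are assumptions.
import_into_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS import"; return 0; }
    rm -f "$WORK/truststore.jks"
    keytool -importcert -noprompt -storetype JKS -alias adfs \
        -file "$WORK/adfs.crt" -keystore "$WORK/truststore.jks" \
        -storepass changeit >/dev/null 2>&1
}

main() {
    gen_fake_adfs_cert && gen_wrong_ca || { echo "openssl not available"; return 1; }
    if verify_with_wrong_ca; then
        echo "unexpected: ADFS cert verified against an unrelated certificate"
    else
        echo "wrong certificate in trust store: verification fails (the IdP-side TLS error)"
    fi
    if verify_with_trust; then
        echo "ADFS cert in trust store: verification succeeds"
    fi
    import_into_truststore
}

main
```

The mapping onto the setup in the thread: the certificate mounted as tls.crt/tls.key is for the leg where Keycloak is the server (browser to Keycloak) and belongs in the keystore used by the HTTPS listener; the ADFS server certificate, or better the CA that issued it, is for the leg where Keycloak is the client and belongs in the separate truststore configured under the truststore SPI in standalone-ha.xml (the `file` provider with its `file` and `password` properties). Mixing the two keystores up, or leaving the ADFS certificate out of the truststore in the Docker variant, produces exactly the failing case above. To see which chain ADFS really presents, run `openssl s_client -connect <adfs-host>:443 -showcerts` from inside the Keycloak container and make sure the hostname in the IdP configuration matches the certificate's subject or SAN.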