Hi all.
I have Keycloak 23.0.4 configured with ADFS (SAML) as an IDP.
The mappings are configured so that from ADFS I receive data about email, first name, last name, as well as which groups the AD user belongs to
There is also a Giltab CE login client.
After I click LOGIN SSO on the page, it redirects to ADFS web, where I enter the user’s AD credentials. Then it redirects to the Keycloak web page, with the error Failed to process response.
In the log file there is an error
“ERROR [org.keycloak.protocol.saml.SamlProtocol]
(executor-thread-948) failed:
org.keycloak.common.VerificationException:
Client does not have a public key.”
What could be the problem?
ADFS config
“alias”: “saml”,
“displayName”: “ADFS”,
“internalId”: “0959e193-54aa-44d6-a89e-ebd0dadcbf52”,
“providerId”: “saml”,
“enabled”: true,
“updateProfileFirstLoginMode”: “on”,
“trustEmail”: false,
“storeToken”: false,
“addReadTokenRoleOnCreate”: false,
“authenticateByDefault”: false,
“linkOnly”: false,
“firstBrokerLoginFlowAlias”: “first broker login”,
“config”: {
“hideOnLoginPage”: “”,
“validateSignature”: “true”,
“samlXmlKeyNameTranformer”: “KEY_ID”,
“signingCertificate”: “sdiuvhbdfkvjbdfhbIUH&*hKJBHDLSDjcnlsdvhnkjsdvbksdhbvksbhgksdjngkjdfghkdf”,
“postBindingLogout”: “true”,
“nameIDPolicyFormat”: “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”,
“postBindingResponse”: “true”,
“singleLogoutServiceUrl”: “https://adfs.my-company.com/adfs/ls/”,
“backchannelSupported”: “true”,
“signatureAlgorithm”: “RSA_SHA256”,
“wantAssertionsEncrypted”: “false”,
“xmlSigKeyInfoKeyNameTransformer”: “CERT_SUBJECT”,
“useJwksUrl”: “true”,
“wantAssertionsSigned”: “false”,
“postBindingAuthnRequest”: “true”,
“forceAuthn”: “false”,
“singleSignOnServiceUrl”: “https://adfs.my-company.com/adfs/ls/”,
“wantAuthnRequestsSigned”: “true”,
“addExtensionsElementWithKeyInfo”: “false”,
“encryptionPublicKey”: “kehbcsuybisdyhvduvlsdvjxlcvjliG&#&ghuhfnldjvnxcljvnxcjkvnNIYHFIUHDOHLKJVLKJVLKCJVLKXJCVLKJXCVLKJCLVKJLC”