IDP initiated SSO from ADFS (Active Directory Federation Service) to Keycloak is having error

I am configuring an ADFS SSO login to Keycloak.

Problem Statement:
Implement IDP initiated SSO login from Active Directory Federation Service (ADFS) to Keycloak.
After initiating the login from adfs, the saml response is passed, on the keycloak side the response is not accepted. The error from Keycloak indicates an issue in the Format of the SAML response.

I have deployed my Keycloak using the helm chart (1.16.0) in the Kubernetes cluster.

After setting the ADFS relying party (Endpoint given : https*://aut**o. com /realms/AdfsSSO/broker/samladfs/endpoint/clients/idpsso )and claim issuance policy, I have tried login from the adfs aspx page and saml response was generated.

But from the Keycloak I was getting “We are sorry, Invalid Requester” message.

I was getting the below log from the Keycloak logs:
ERROR [] (executor-thread-46) no principal in assertion; expected: SUBJECT
2023-11-10 WARN [] (executor-thread-46) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=34085c5-2b014594336a, clientId=null, userId=null, ipAddress=10..28, error=invalid_saml_response, authSessionParentId=57e11***9864, authSessionTabId=QfRw20wXtO0

Section of SAML response from ADFS :
<SubjectConfirmation Method=“urn:oasis:names:tc:SAML:2.0:cm:bearer”>
<SubjectConfirmationData NotOnOrAfter=“20***06:56:11.984Z”

Please help to resolve the issue.

I assume the ADFS Server is your IdP(?):

  • Create a Claim → email to NameID (or what you like, sAMAccontName, etc.) on the ADFS Server RPT
  • On Keycloak go to identity Provider - NameID Policy Format = Email, Principal Type = Subject NameID
  • SAML signature Key = CERT_SUBJECT
  • Want Assertions signed, want Assertions encrypted.

This should help alreay.
Your KC cant see the NameID, therefore it doesn’t know the principal.


The NameID format is already been configured in the identity provider.

In the claim issuance policy, I have added the last line now.

In the client, i have updated as below
SAML signature key name : CERT_SUBJECT

Also enabled Want Assertions signed, want Assertions encrypted.

I am still getting the error:
The assertion is not encrypted, which is required.
2023-11-17 05:30:27,275 WARN [] (executor-thread-50) type=IDENTITY_PROVIDER_RESPONSE_ERROR,

When disabling ‘Want Assertions encrypted’, I get below error:
no principal in assertion; expected: SUBJECT
2023-11-17 05:33:14,565 WARN [] (executor-thread-50) type=IDENTITY_PROVIDER_RESPONSE_ERROR.

Please share your thoughts