IDP initiated SSO from ADFS (Active Directory Federation Service) to Keycloak is having error

I am configuring an ADFS SSO login to Keycloak.

Problem Statement:
Implement IDP initiated SSO login from Active Directory Federation Service (ADFS) to Keycloak.
After initiating the login from ADFS, the SAML response is passed; on the Keycloak side the response is not accepted. The error from Keycloak indicates an issue in the format of the SAML response.

I have deployed my Keycloak using the helm chart (1.16.0) in the Kubernetes cluster.

After setting the ADFS relying party (endpoint given: https*://aut**o. com /realms/AdfsSSO/broker/samladfs/endpoint/clients/idpsso) and claim issuance policy, I have tried login from the ADFS aspx page and the SAML response was generated.

But from the Keycloak I was getting “We are sorry, Invalid Requester” message.

I was getting the below log from the Keycloak logs:
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-46) no principal in assertion; expected: SUBJECT
2023-11-10 WARN [org.keycloak.events] (executor-thread-46) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=34085c5-2b014594336a, clientId=null, userId=null, ipAddress=10..28, error=invalid_saml_response, authSessionParentId=57e11***9864, authSessionTabId=QfRw20wXtO0

Section of SAML response from ADFS:
<Subject>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="20***06:56:11.984Z"
      Recipient="https://aut**o.com/realms/AdfsSSO/broker/samladfs/endpoint/clients/idpsso" />
  </SubjectConfirmation>
</Subject>

Please help to resolve the issue.

I assume the ADFS Server is your IdP(?):

  • Create a Claim → email to NameID (or what you like, sAMAccountName, etc.) on the ADFS Server RPT
  • On Keycloak go to Identity Provider - NameID Policy Format = Email, Principal Type = Subject NameID
  • SAML signature Key = CERT_SUBJECT
  • Want Assertions signed, want Assertions encrypted.

This should help already.
Your KC can't see the NameID, therefore it doesn't know the principal.

Hi,

The NameID format has already been configured in the identity provider.

In the claim issuance policy, I have added the last line now.

In the client, I have updated as below:
SAML signature key name : CERT_SUBJECT

Also enabled Want Assertions signed, want Assertions encrypted.

I am still getting the error:
The assertion is not encrypted, which is required.
2023-11-17 05:30:27,275 WARN [org.keycloak.events] (executor-thread-50) type=IDENTITY_PROVIDER_RESPONSE_ERROR,

When disabling ‘Want Assertions encrypted’, I get the below error:
no principal in assertion; expected: SUBJECT
2023-11-17 05:33:14,565 WARN [org.keycloak.events] (executor-thread-50) type=IDENTITY_PROVIDER_RESPONSE_ERROR.

Please share your thoughts.
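The two Keycloak messages in this thread ("no principal in assertion; expected: SUBJECT" and "The assertion is not encrypted, which is required.") both come from checks on the shape of the SAML Response before any user lookup happens. The following added example (not Keycloak's or ADFS's own code, and not part of this thread) builds a minimal constructed SAML Response in the same shape as the one quoted above, with and without a NameID in the Subject, and runs an approximation of those two checks over it. Hostnames, issuer, IDs and the e-mail value are placeholders; the broker's real validation is more involved (signature, audience, conditions) and is not reproduced here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder values (constructed; the thread's real hostnames are redacted).
IDP_ISSUER = "http://adfs.example.test/adfs/services/trust"
RECIPIENT = "https://keycloak.example.test/realms/AdfsSSO/broker/samladfs/endpoint/clients/idpsso"


def build_response(name_id=None, name_id_format=EMAIL_FORMAT):
    """Construct a minimal, unsigned SAML Response for illustration.

    With name_id=None the Subject carries only a SubjectConfirmation, which is the
    shape of the ADFS response quoted in the thread. With a value, a NameID element
    is added, which is what an "email -> NameID" claim rule on the ADFS side yields.
    """
    name_id_xml = ""
    if name_id is not None:
        name_id_xml = f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_response1" Version="2.0" IssueInstant="2023-11-17T05:30:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2023-11-17T05:30:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      {name_id_xml}
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-11-17T05:35:00Z" Recipient="{RECIPIENT}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, want_assertions_encrypted=False, expected_format=EMAIL_FORMAT):
    """Return the problems a broker configured like the thread's Keycloak IdP would report.

    The message strings are the ones from the thread's logs; the checks themselves are
    an approximation written for this example, not Keycloak's implementation.
    """
    problems = []
    root = ET.fromstring(xml_text)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    assertion = root.find("saml:Assertion", NS)

    # "Want Assertions encrypted" rejects a response whose assertion arrives in clear.
    if want_assertions_encrypted and encrypted is None:
        problems.append("The assertion is not encrypted, which is required.")
    if assertion is None:
        # An encrypted assertion cannot be inspected here without the SP's private key.
        if encrypted is None:
            problems.append("response carries no Assertion")
        return problems

    # Principal Type = Subject NameID: the user identity must be <saml:Subject>/<saml:NameID>.
    subject = assertion.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no principal in assertion; expected: SUBJECT")
    elif name_id.get("Format") != expected_format:
        problems.append(
            f"NameID format {name_id.get('Format')!r} does not match policy {expected_format!r}"
        )
    return problems


if __name__ == "__main__":
    # Same shape as the response in the thread: SubjectConfirmation only, no NameID.
    print(check_response(build_response(), want_assertions_encrypted=True))
    # After the claim rule issues e-mail as NameID, the subject check passes.
    print(check_response(build_response("alice@example.test")))
```

Running the script with a captured response instead of the constructed one (decode the base64 SAMLResponse form field first) shows directly whether the ADFS claim rules are emitting a NameID and in which format, which is the missing piece the first reply points at; the encryption check only passes once ADFS has the Keycloak encryption certificate in the relying party trust and actually encrypts the assertion.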