My Problem statement is as below.
I am trying to connect the Microsoft ADFS - an external SAML based Identity Provider with Keycloak for Identity Brokering. I created a SAML Identity Provider for ADFS from my Keycloak Service Provider and configured all the SSO endpoints.
When I am trying to login that realm with the credentials using the IdP at that time I redirected to the IdP Login Page and authenticated by IdP and redirected back to the Keycloak Page which shows me that
We’re sorry… invalidFederatedIdentityActionMessage
I checked all the XML Documents exchanged in between using the SAML Tracer and decrypted the SAML which contains status success as below.
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /> </samlp:Status>
Solutions I already tried but not worked are -
- Turn on/off Validating Signatures (X509 Certificates)
- X-Forwarded-Proto: http" instead of "X-Forwarded-Proto: https
- PROXY_ADDRESS_FORWARDING=true in ENV variable
I have one doubt about set-up multiple endpoints for clients. ( I am not sure this might solve issue or not )
I have only one endpoint available which is
- OpenID Endpoint Configuration.
Where as in other places I found multiple endpoints one as
- OpenID Endpoint Configuration
- SAML 2.0 Identity Provider Metadata
So can someone please guide me the solution for this issue.
Thanks in advance.