Keycloak as a broker between Application that only accepts OIDC, and ADFS which has been setup as SAML

Good day,

I am having issues trying to setup Keycloak as a broker between an Application which only accepts OIDC, and ADFS which has been setup with SAML.

I was originally under the following assumption:


But upon reading multiple topics, I may have been mistaken about which is the Idp and which is the Service Provider.

Can I get confirmation on if this information is correct?

Keycloak is running as a docker container, with ssl certificates and a ms sql server database.
Keycloak image: Quay
Sql Server image: Microsoft Artifact Registry

Application: Latest version, which accepts all latest OIDC configuration settings

ADFS: not entirely sure which version which is being used.

Furthermore, these have been the steps taken so far:

For Keycloak to Application [OIDC]

  1. Created a realm for the Application.
  2. Created a Client in the realm, and activated client authentication with service accounts roles as the authentication flow.
  3. Went to realm settings, and retrieved the "OpenID Endpoint Configuration" URL link required by the Application
  4. Placed this url link, along with the client id and client secret, in the oidc configuration setup of the Application

[Current error: when trying to access keycloak from the application, it says incorrect parameters for redirect uri]

For ADFS to Keycloak [SAML]

  1. Retrieved Metadata xml file from ADFS
  2. Opened Identity Providers in Keycloak, created a new identity provider, and then imported the Metadata xml file from ADFS.
  3. Then downloaded the Keycloak SAML metadata xml file and imported it in ADFS

[Current error: cannot confirm if this connection has actually occurred]

Any assistance will be greatly appreciated,
Kind regards

From the point of view of your application, there is only keycloak, so you can try configuring this relationship first.

The error you reported (_incorrect parameters for redirect uri_) can be solved by checking which redirect_uri your application is setting in the OIDC authorization request. (Just check the URL in the browser on the screen of the error and see what is in the redirect_uri parameter.)

Set that value as a valid redirect uri in the client configuration at keycloak.

Create some test users on keycloak and check if your application can login correctly.

With that working 100%, you can now configure the external identity provider. When it is configured, users will see an option to use that provider instead of username and password.
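The check the answer describes (read the redirect_uri out of the failing authorization request and compare it with the client's Valid redirect URIs) as an added example, not code from the thread or from Keycloak itself. The hostnames and client id are constructed placeholders, and the matching function is a simplified model that only covers exact entries and a single trailing `*` wildcard, not relative URIs or root URL resolution.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample of the URL shown in the browser when Keycloak rejects the
# request; hostnames and client id are placeholders, not values from the thread.
SAMPLE_AUTH_REQUEST = (
    "https://keycloak.example.test/realms/myapp/protocol/openid-connect/auth"
    "?client_id=myapp-client&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fsignin-oidc&state=abc123"
)


def extract_redirect_uri(auth_request_url: str) -> Optional[str]:
    """Pull the (percent-decoded) redirect_uri parameter out of an OIDC authorization request URL."""
    params = parse_qs(urlparse(auth_request_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def matches_valid_redirect(redirect_uri: str, valid_redirect_uris: list) -> Optional[str]:
    """Simplified model (assumption) of Keycloak's 'Valid redirect URIs' check:
    an entry matches exactly, or an entry ending in '*' matches any URI that
    starts with the text before the '*'. Returns the matching entry, else None."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return pattern
        elif redirect_uri == pattern:
            return pattern
    return None


def diagnose(auth_request_url: str, valid_redirect_uris: list) -> dict:
    """Explain whether the request's redirect_uri would pass the client's allow-list,
    and if not, which exact value to register on the client in Keycloak."""
    redirect_uri = extract_redirect_uri(auth_request_url)
    if redirect_uri is None:
        return {"redirect_uri": None, "accepted": False,
                "advice": "request carries no redirect_uri parameter"}
    matched = matches_valid_redirect(redirect_uri, valid_redirect_uris)
    if matched is not None:
        return {"redirect_uri": redirect_uri, "accepted": True, "matched": matched}
    return {"redirect_uri": redirect_uri, "accepted": False,
            "advice": f"add the exact value {redirect_uri!r} to the client's Valid redirect URIs"}


if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTH_REQUEST, ["https://app.example.test/callback"]))
    print(diagnose(SAMPLE_AUTH_REQUEST, ["https://app.example.test/*"]))
```

Prefer registering the exact callback path over a trailing wildcard: a broad pattern widens where Keycloak will send authorization codes.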