Keycloak as a broker between Application that only accepts OIDC, and ADFS which has been setup as SAML

Securing applications
, , ,
1

Good day,

I am having issues trying to setup Keycloak as a broker between an Application which only accepts OIDC, and ADFS which has been setup with SAML.

I was originally under the assumption about the following:

  1. IDENTITY PROVIDER (MS ADFS) <> SAML <> SERVICE PROVIDER (KEYCLOAK)
  2. SERVICE PROVIDER (KEYCLOAK) <> OIDC <> APPLICATION

But upon reading multiple topics, I may have been mistaken about which is the Idp and which is the Service Provider.

Can I get confirmation on if this information is correct?

Environment:
Keycloak is running as a docker container, with ssl certificates and a ms sql server database.
Keycloak image: Quay
Sql Server image: Microsoft Artifact Registry

Application: Latest version, which accepts all latest OIDC configuration settings

ADFS: not entirely sure which version which is being used.

Furthermore, these have been the steps taken so far:

For Keycloak to Application [OIDC]

  1. Created a realm for the Application.
  2. Created a Client in the realm, and activated client authentication with service accounts roles as the authentication flow.
  3. Went to realm settings, and retrieved the " OpenID Endpoint Configuration" url link required by the Application
  4. Placed this url link, along with the client id and client secret, in the oidc configuration setup of the Application

[Current error: when trying to access keycloak from the application, it says incorrect parameters for redirect uri]

For ADFS to Keycloak [SAML]

  1. Retrieved Metadata xml file from ADFS
  2. Opened Identity Providers in Keycloak, created a new idenity, and then imported the Metadata xml file from ADFS.
  3. Then downloaded the Keycloak SAML metadata xml file and imported it in ADFS

[Current error: cannot confirm if this connection has actually occurred]

Any assistance will be greatly appreciated,
kind regards

2

From the point of view of your application, the is only keycloak, so you can try configuring this relationship first.

The error you reported (_ incorrect parameters for redirect uri_) can be solved by checking which redirect_uri your application is setting in the OIDC authorization request. (just check the URl on the browser on the screen of the error, see what is in the redirect_uri parameter).

Set that value as a valid redirect uri in the client configuration at keycloak.

Create some test users on keycloak and check if your application can login correclty.

With that working 100%, you can now configure the external identity provider. When it is configured, users will see an option to use that provider instead of username and password.