Only display login form if user is not connected to identity provider - Keycloak

I'm new to the Keycloak world and I need some help configuring my login flow.
I've configured Keycloak to allow people to log in with their ADFS account or with an LDAP account.
The ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak, where they see a login form and a button to log in through ADFS.
This works perfectly, but we would like people not to see that screen if they are already logged in on ADFS, and only see the login form if they're not connected to ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username/password form. In this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak.
Do you know how we can configure Keycloak to implement that flow?
I'm using Keycloak 11.0.0-alfresco-001 (Keycloak 11 packaged by Alfresco as alfresco-identity-service) with a custom theme. The code is available on Alfresco's GitHub.
Here's my browser flow configuration:
[Image: IAM Browser flow]
Thanks for your help
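As an added illustration (not part of the question and not Keycloak's code), the "silent login first, local form only on failure" behaviour described above is what the standard OpenID Connect prompt=none parameter is for: the IdP must not show any UI and instead redirects back with an authorization code if a session exists, or with an error such as login_required if it does not. The endpoint, client id and redirect URI below are constructed placeholders; how the Identity Provider Redirector in a Keycloak flow would be wired to this is not something the thread shows.

```python
# Added example (not from the question or from Keycloak): how an OpenID Connect
# relying party or broker can try a silent login at the upstream IdP first and
# fall back to its own login form only when the IdP reports that no session
# exists. All endpoint and client values below are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values, not real endpoints.
AUTHZ_ENDPOINT = "https://adfs.example.test/adfs/oauth2/authorize/"
CLIENT_ID = "keycloak-broker-example"
REDIRECT_URI = "https://kc.example.test/auth/realms/master/broker/adfs/endpoint"


def build_silent_auth_url(state: str, nonce: str) -> str:
    """Authorization request with prompt=none (OIDC Core, section 3.1.2.1).

    With prompt=none the IdP must not show any login UI: it either returns an
    authorization code for the already-logged-in user, or redirects back with
    an error such as login_required. state and nonce bind the response to this
    request; they must be stored server-side before redirecting."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "none",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def decide_next_step(callback_url: str, expected_state: str) -> str:
    """Interpret the IdP's redirect back to the broker.

    Returns one of:
      "reject"          - state missing or mismatched: do not trust the response
      "show_login_form" - IdP has no usable session (login_required and the other
                          interaction errors), so show the local username/password form
      "exchange_code"   - IdP session exists: exchange the code and log the user in
      "idp_error"       - any other error reported by the IdP
    """
    query = parse_qs(urlparse(callback_url).query)
    # The state must equal the one stored when the request was built; a
    # response with a different state may belong to another browser session
    # or to a forged redirect, so it is discarded before anything else.
    if query.get("state", [None])[0] != expected_state:
        return "reject"
    error = query.get("error", [None])[0]
    if error in ("login_required", "interaction_required",
                 "consent_required", "account_selection_required"):
        return "show_login_form"
    if error is not None:
        return "idp_error"
    if "code" in query:
        return "exchange_code"
    return "reject"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_silent_auth_url(state, nonce))
    # Constructed callback: the user already had a session at the IdP.
    print(decide_next_step(f"{REDIRECT_URI}?code=abc123&state={state}", state))
    # Constructed callback: no IdP session, so fall back to the local form.
    print(decide_next_step(f"{REDIRECT_URI}?error=login_required&state={state}", state))
```

The state check comes before any interpretation of the response so that an error or code arriving without the expected state is never acted on; the fallback to the local form is only taken for the error codes the spec defines for "user interaction needed", and every other error is surfaced separately rather than silently treated as "not logged in".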

• Yes, it's possible to configure Keycloak to implement the desired flow as a brokered IdP in the following way:
While configuring ADFS in Keycloak and importing its federation metadata file, check the settings and enable the 'Validate Signature' option for the authentication requests to be sent to ADFS; also enable the 'Want AuthnRequests Signed' option. Afterwards, set the signature key name field to CERT_SUBJECT, as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in Keycloak for transforming the details from the SAML assertion into the Keycloak user store.
After that, check the descriptor URI that needs to be set, by modifying the ADFS redirect URI and adding '/descriptor' to it. The URI will look like 'https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor'.
Also, please ensure that the signing certificate for Keycloak in the ADFS claims provider is not self-signed, is issued by a trusted third-party CA, and is installed in the server's local system certificate store.
Disable the certificate revocation check for the certificate installed on the ADFS server and ensure the 'backchannel logout' option is checked in Keycloak.
• Once the above settings are checked thoroughly, the default login redirection page should be displayed, and the user should be able to select the IdP from the login page accordingly.
Please find the links below for more information:
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction

Related

ADFS does not forward the Logout request to the Identity Provider if there is an active SAML session

I have the following components:
RP-1 (connected by Ws-Fed, WIF)
RP-2 (connected by SAML, Federation Provider, actually it is another ADFS)
MY-ADFS (ADFS Server 2019 as primary STS)
MY-IP (separate Identity Provider web service, Identity Server 4)
Thus, when I make a sign-out request from RP-1 (WS-Fed), a simple WS-Fed logout request is formed to ADFS:
GET https://MY-ADFS/adfs/ls/
wtrealm: https://RP-1.com/
wa: wsignout1.0
wreply: https://RP-1.com/logout/
Next, ADFS redirects to the IP:
GET https://MY-IP/WsFederation
wa: wsignout1.0
wreply: https://MY-ADFS/adfs/ls/?redirectContextId=2dd581d2-6e02-4476-915b-a581e3c855d4
Thus the user clears the session from ADFS and from the IP, as expected.
However, if before the logout a transition to the SAML RP was made and the SAML session became active, then upon exiting, ADFS gives an error:
MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.
To fix it, I configured the logout endpoint (URL) in the SAML relying party trust as:
https://RP-2/adfs/ls/?wa=wsignout1.0
with POST binding. After these changes, the error disappeared. But now ADFS no longer does a logout redirect to the IP; instead it does a SAML logout redirect to RP-2:
POST https://RP-2/adfs/ls/?wa=wsignout1.0
SAMLRequest: PHNhbWxwOkxvZ291dFJl
And as a result, instead of switching to the IP, I remain on the RP-2 (also ADFS) page, where it is written that the exit was successful. However, the user still has an active session (cookies) on the IP side.
Several questions here:
It is not clear why ADFS changes the chain of calls with an active SAML session.
It is not clear how to exclude SAML logout redirects, or how to force ADFS to also do the logout to the IP.
You will have to add the logout URL on the IP (Identity Provider) side as well, to ensure that the SAML token generated by signing out from the SaaS application through ADFS is forwarded to the Identity Provider and is updated for logout at the IP authorization provider end, so that the cookie in the browser will be updated and sign-out will be processed smoothly.
Please find below the probable steps to update the logout URL at the Identity Provider end:
Open the authentication provider workspace.
Find the logout URL.
Update the URL to 'https://RP-2/adfs/ls/?wa=wsignout1.0', the same as that configured on the ADFS server.
Save your changes.
And as for your first query, why ADFS changes the chain of calls with an active SAML session: it is because the cookies and cache must be removed from the system for a successful logout request; thus the logout time recorded when signing out is updated at the SaaS app end, and thus it is recommended to close the browser to let it update in the system as well.
Thus, I recommend you open both the RP trust apps in different browser windows, as both are configured for different token providers.
Please refer to the thread below for more information:
How do you handle the logout process for applications federated with ADFS?
Thanking you,

PingFederate Kerberos authentication is authenticating any user from any domain

I am trying to configure SAML SSO with OpenAM as SP and PingFederate as IDP, with SP-initiated SSO using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.
I have configured the Kerberos adapter to use the "e-glue.com" domain and provided KDC details in the configuration. I have also added the "setspn" of the PingFederate server in the domain controller properly.
However, when I log in to a computer with a valid "e-glue.com" user and hit the SSO URL "https://hostname.e-glue.com:1912/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=ent-026330&metaAlias=/sp", it redirects me to the IDP, SSO is successful, and the user gets created in OpenAM.
But if I do the same thing from another domain, which is not "e-glue.com", it still authenticates the user and the user is created in OpenAM.
This is so strange; there is something missing, as the user who is not part of the e-glue domain, though we configured the Kerberos adapter to use the e-glue.com KDC, is getting authenticated. I am missing something, not sure what.
Please share if you have any information about what is going wrong.
It happened because of an inter-domain trust relationship.
PingFederate (IDP) is configured to authenticate users via "e-glue.com" domain.
So I logged in to my computer which was in domain "someother.domain".
But this "someother.domain" implements an Active Directory directory service forest and has a trust relationship with "e-glue.com". So all users logged in to the IDP are also VALID users because of the trust relationship.
It took me some time to understand this.

SSO Federation metadata exchange using SAML

We are about to integrate our Java application with SSO Federation. We will get metadata in SAML2 assertion format, and all the session tracking is taken care of by SSO Federation.
I am not clear how the session tracking happens with each request in our Java application. Our main page URL is configured in the SSO federation, and after the user clicks the link, control comes to our application. So if I navigate to another URL apart from the one configured, how does the federation track the session? Do we need to pass any metadata with each and every request?
We have been asked to share the home page URL and certificate information and SSO federation will configure those in their portal.
A Java application server normally tracks a user session using a 'JSESSIONID' cookie. Once the SAML assertion generated by an IdP (say ADFS) has been validated by the SP (the Java application here), a security context/session is created which is identified by a JSESSIONID. The browser sends the JSESSIONID cookie with subsequent requests, and the application verifies it and serves the requested resource/URL.
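To make the answer above concrete, here is an added example (not the answerer's code and not any Java server's implementation) of what happens on the SP side: the SAML assertion is consumed once, a server-side session is created, and from then on every request to any URL is tied to the user only by the session cookie. The in-memory store, the assertion contents and the cookie name are constructed for the example; JSESSIONID mirrors the servlet default the answer mentions.

```python
# Added example (not the poster's code): SP-side session tracking after a SAML
# assertion has been validated. The assertion is consumed once; every later
# request is authenticated only by the session cookie. In-memory store and
# constructed data; the JSESSIONID name mirrors the Java servlet default.
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "JSESSIONID"
SESSION_TTL_SECONDS = 15 * 60

# Server-side store: session id -> {"subject": ..., "roles": ..., "expires": ...}
_sessions: Dict[str, dict] = {}


def create_session_after_assertion(validated_assertion: dict,
                                   now: Optional[float] = None) -> Tuple[str, str]:
    """Called exactly once, after the SAML assertion has been validated
    (signature, audience, conditions). Returns (session_id, Set-Cookie value)."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)      # unguessable, never derived from the user
    _sessions[session_id] = {
        "subject": validated_assertion["subject"],
        "roles": list(validated_assertion.get("roles", [])),
        "expires": now + SESSION_TTL_SECONDS,
    }
    # HttpOnly keeps page scripts from reading it, Secure keeps it off plain
    # HTTP, SameSite=Lax limits cross-site sending while still allowing the
    # top-level navigation that arrives from the IdP after login.
    header = f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return session_id, header


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Minimal Cookie: request-header parser (written for this example)."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def authenticate_request(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """For any later URL, the only credential is the session cookie.
    Returns the session's principal, or None if absent, unknown or expired."""
    now = time.time() if now is None else now
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    session = _sessions.get(sid) if sid else None
    if session is None:
        return None
    if session["expires"] <= now:
        del _sessions[sid]                      # expired: force a fresh SSO round trip
        return None
    return {"subject": session["subject"], "roles": session["roles"]}


if __name__ == "__main__":
    assertion = {"subject": "alice@example.test", "roles": ["user"]}   # constructed
    sid, set_cookie = create_session_after_assertion(assertion)
    print(set_cookie)
    print(authenticate_request(f"{SESSION_COOKIE}={sid}"))          # any other URL
    print(authenticate_request(f"{SESSION_COOKIE}=not-a-session"))  # None
```

Nothing SAML-specific is sent on later requests: the SP never asks the browser for the assertion again, which is why the session id must be random and server-bound, and why expiry and logout are handled by deleting the server-side entry rather than by anything the client holds.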

Safely generate a SAML2 token in a client application without installing the signing certificate

I have a client application (Windows) which the user is logged into. From this application, the user will want to access a remote website using single sign-on (SAML) and will be authenticated by Microsoft WIF. To do this, the user will click a button which opens a local web browser, generates a SAML token (containing username, roles, etc.) and makes an HTTP POST to a remote website to access it, signing them in.
I want the user to be signed-in automatically, based on their credentials from the windows application.
I know roughly how to generate the SAML token, but presume this requires the signing certificate to be installed on the local PC, which would mean installing it on all PCs in my company.
Installing this certificate doesn't seem quite right. How else can I safely allow users to generate a SAML token which will be accepted by the Service Provider (via single sign-on)?
UPDATE:
The user is not authenticated into the Windows application using Windows Authentication (Kerberos); we make a custom SQL call to a database of usernames/passwords.
In the Windows app, we will know the username and their roles, so we could generate claims from this, or pass it to a remote STS to generate and sign the SAML token. But again, passing this data across to the STS seems totally wrong.
The signing certificate must not be on the user desktop. Otherwise, any user could potentially generate a SAML token with the userid it wants.
What you want is a Secure Token Service (STS): an identity provider that will authenticate your user through Kerberos (as you want to re-use the identity of the logged-on user) and give you a signed SAML token.
All of this could be done when you open a web view in your application. The starting URL should be the Identity Provider endpoint for IdP-initiated SSO, with a URL parameter identifying the service you want to access.
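The answer's central point, that the signing key must live only at the STS, is shown below in an added example that is not the answerer's code and not WIF, ADFS or any real STS. The STS authenticates the caller (here with the username/password check the question's update describes, standing in for Kerberos) and signs a token naming that caller only; the service provider checks signature, audience and expiry. An HMAC stands in for the XML-DSig signature a real SAML token carries, so in this simplified form the SP shares the key, whereas a real STS signs with its private key and the SP verifies with the published certificate. All users, keys and URLs are constructed.

```python
# Added example (not the answerer's code, not WIF/ADFS): an STS keeps the signing
# key to itself, authenticates the caller, and signs a token for that caller
# only. The SP verifies signature, audience and expiry. HMAC stands in for the
# XML-DSig signature of a real SAML token; users, keys and URLs are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Lives only on the STS (and, because HMAC is symmetric, on the SP). Never on desktops.
_STS_SIGNING_KEY = secrets.token_bytes(32)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, PBKDF2 hash, roles)
_salt = b"example-salt-16b"
_USERS = {
    "alice": (_salt, _hash_pw("correct horse", _salt), ["user", "approver"]),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(username: str, password: str, audience: str,
                    now: Optional[float] = None) -> Optional[str]:
    """STS: authenticate the caller, then sign claims about that caller only.
    A client can present its own credentials but never choose the subject."""
    now = time.time() if now is None else now
    record = _USERS.get(username)
    if record is None:
        return None
    salt, expected, roles = record
    if not hmac.compare_digest(_hash_pw(password, salt), expected):
        return None
    claims = {"sub": username, "roles": roles, "aud": audience,
              "iat": int(now), "exp": int(now) + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(_STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_verify_token(token: str, expected_audience: str,
                    now: Optional[float] = None) -> Optional[dict]:
    """Service provider: accept the token only if the signature is the STS's,
    it was issued for us, and it has not expired. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    good = hmac.new(_STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), good):   # constant-time compare
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    sp = "https://sp.example.test"
    token = sts_issue_token("alice", "correct horse", sp)
    print(sp_verify_token(token, sp))                 # alice's claims
    # A token assembled on a desktop without the key fails verification, which
    # is exactly why the key must stay at the STS.
    body = _b64(json.dumps({"sub": "admin", "aud": sp, "exp": 2**31}).encode())
    print(sp_verify_token(body + "." + _b64(bytes(32)), sp))   # None
```

The two checks that matter for the question are visible in the code: the subject of the token is taken from the authenticated record, never from the request, and the SP rejects anything not signed with the key it trusts. Credentials travel from the client to the STS once, over the STS's TLS endpoint, which is the normal pattern; what must never travel is the signing key.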

Thinktecture v3 auto login for ADFS users within the same domain

I am using Thinktecture IdentityServer v3 for authentication and authorization. It works well with a local database. I added ADFS as an external identity provider. It also works well, but it asks intranet users for credentials. My requirement is to automatically log in intranet users without asking for credentials. If the user is an internet user, it asks for credentials. Is it possible?
This is unrelated to IdentityServer3. Your browser and ADFS need to be configured correctly to use Windows integrated authentication.