Keycloak AD FS Interaction


Question

I created a SAML Identity Provider in Keycloak. The single sign-on URL is https://[URL]/adfs/ls, as stated in the FederationMetadata.xml.

If I now use the Keycloak user login, I see a link where I'll be redirected to the single sign-on page, but after that I get an error, because I didn't specify any query parameter like wa=signin1.0, whr=https:\\foo\adfs\services\trust or wtrealm=https:\\sso.foo.bar.

If I include these parameters in the single sign-on URL correctly, I can log in, but Keycloak doesn't recognise what happened.

As it seems to me, the URL configured as single sign-on URL does nothing, and the Identity Provider as I have configured it in Keycloak is useless.

Can anyone help me with some pointers to increase my understanding of the interaction between AD FS and Keycloak and how they work together?

Answer

I recently worked on a project where we set up KeyCloak to act as an SP to an ADFS IdP.

We were only able to get the SAML requests to process correctly when the following settings were set:

IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
Signature Algorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT

In addition to updating the NameID Policy within KeyCloak (as SP), we also had to have custom settings on the IdP side to ensure the NameID was sent back with format persistent.
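The settings listed in the answer correspond to fields of a Keycloak identity provider definition, which can be managed as a realm import or through the admin API rather than by hand in the console. The fragment below is an added example (editor's configuration, not from the answer or the Keycloak project) of a SAML identity provider entry carrying those values. The mapping of the console labels to the config keys (for instance "SAML Signature Key Name" to xmlSigKeyInfoKeyNameTransformer) is the editor's understanding and should be checked against the Keycloak version in use; the alias, the ${IDP_URL} placeholder and the certificate placeholder are not real values. validateSignature and signingCertificate are not in the answer and are added here because a broker that does not verify the AD FS signing certificate accepts assertions from anyone who can reach the assertion consumer endpoint.

```json
{
  "alias": "adfs",
  "displayName": "Corporate AD FS",
  "providerId": "saml",
  "enabled": true,
  "config": {
    "singleSignOnServiceUrl": "${IDP_URL}/adfs/ls/",
    "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "principalType": "SUBJECT",
    "wantAuthnRequestsSigned": "true",
    "wantAssertionsSigned": "true",
    "signatureAlgorithm": "RSA_SHA256",
    "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
    "validateSignature": "true",
    "signingCertificate": "<BASE64_DER_SIGNING_CERT_FROM_FederationMetadata.xml_PLACEHOLDER>"
  }
}
```

On the AD FS side the matching relying party trust needs the Keycloak broker entity ID and assertion consumer URL, and, as the answer notes, an issuance rule that emits a persistent NameID; with wantAuthnRequestsSigned set, AD FS must also hold the Keycloak realm's SAML signing certificate so it can verify the incoming request.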
