AD FS as a service provider

You can integrate a Microsoft AD FS environment with Keycloak so that AD FS acts as the service provider (a claims provider trust on the AD FS side) and Keycloak acts as the identity provider.

Make sure you have administrative access to both your Keycloak and AD FS environments.

Procedure
STEP 1. CONFIGURE AD FS
  1. In the AD FS Management console, on the left pane, select the Claims Provider Trusts folder.

  2. On the right pane, select Add Claims Provider Trust to open the wizard.
  3. In Welcome, select Start.
  4. In Select Data Source, select one of the following options, as appropriate:
    1. Using metadata URL
    2. Using metadata XML
    3. Manual configuration
  5. To configure the Claims Provider Trust manually, do the following:
    1. In Specify Display Name, enter a display name and notes.
    2. In Configure URL, enter the service provider URL.
    3. In Configure Identifier, enter the claims provider trust identifier.
    4. In Configure Certificates, add the token-signing certificate from the Keycloak provider. AD FS uses this certificate to verify the signature on every assertion Keycloak issues.
    5. Check the ready status and click Next.
    6. In Finish, select Open the Edit Claim Rules dialog…, and select Close.
    7. In the Edit Claim Rules for NoPass™ IDP dialog box, select Add Rule.
    8. In Select Rule Template, from the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then select Next.
    9. In the Configure Rule dialog box, create a pass-through rule for each of the following incoming claim types:
      1. Name ID
      2. Email
      3. UPN

  6. In the AD FS Management console, select the Claims Provider Trusts folder, and under Keycloak select Properties.
  7. In the NoPass IDP Properties, select Endpoints, and do the following:
    1. In Add an Endpoint, in the Endpoint type list, select SAML Single Sign-On. In the Binding list, select POST. In the Trusted URL field, enter your service provider URL.
    2. In Edit Endpoint, in the Endpoint type list, select SAML Logout. In the Binding list, select POST. In the Trusted URL field, enter your service provider URL.
    3. Export the AD FS SAML metadata to XML from the following URL:

       https://<adfs.domain.name>/FederationMetadata/2007-06/FederationMetadata.xml

    4. Import the AD FS SAML metadata into Keycloak.
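
The same Step 1 configuration can be scripted with the AD FS PowerShell module. The block below is an added example, not part of the NoPass documentation: it creates the claims provider trust for Keycloak with the token-signing certificate, the three pass-through claim rules (Name ID, Email, UPN), the SAML Single Sign-On and SAML Logout POST endpoints, and then downloads the AD FS federation metadata for import into Keycloak. The Keycloak URLs, entity ID, certificate path and the AD FS host name are placeholders you must replace with your own values.

```powershell
# Added example (not from the NoPass documentation): scripts Step 1 with the
# AD FS PowerShell module instead of the AD FS Management console.
# All URLs, names and paths below are placeholders, not values from the page.
Import-Module ADFS

$KeycloakSsoUrl   = 'https://keycloak.example.com/realms/myrealm/protocol/saml'  # service provider URL (placeholder)
$KeycloakEntityId = 'https://keycloak.example.com/realms/myrealm'                # claims provider trust identifier (placeholder)
$SigningCertPath  = 'C:\certs\keycloak-signing.cer'                              # token-signing cert exported from Keycloak (placeholder)
$AdfsHost         = 'adfs.domain.name'                                           # this AD FS farm (placeholder)

# Claim rules in AD FS claim rule language: one pass-through rule per incoming claim type.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Endpoints from step 7: SAML Single Sign-On and SAML Logout, both POST binding,
# both pointing at the Keycloak SAML endpoint.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLSingleSignOn -Uri $KeycloakSsoUrl
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout       -Uri $KeycloakSsoUrl
)

# The certificate AD FS will use to verify signatures on assertions issued by Keycloak.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SigningCertPath

Add-AdfsClaimsProviderTrust -Name 'NoPass IDP' `
    -Identifier $KeycloakEntityId `
    -TokenSigningCertificate $signingCert `
    -SamlEndpoint $endpoints `
    -AcceptanceTransformRules $rules

# Step 7.3: export this farm's federation metadata for import into Keycloak.
$metadataFile = Join-Path $env:TEMP 'FederationMetadata.xml'
Invoke-WebRequest -Uri "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $metadataFile

# Check the result: the trust, its identifier, the signing certificate thumbprint and both endpoints.
Get-AdfsClaimsProviderTrust -Name 'NoPass IDP' |
    Format-List Name, Identifier, SamlEndpoints, @{ Name = 'SigningThumbprint'; Expression = { $_.TokenSigningCertificates[0].Thumbprint } }
```

Run it in an elevated PowerShell session on an AD FS server. The thumbprint printed at the end should match the Keycloak realm's SAML signing certificate; if it does not, AD FS will reject every assertion from Keycloak with a signature verification error.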
STEP 2. CONFIGURE A NEW CLIENT IN KEYCLOAK
  1. In the Keycloak admin console, select the realm you want to use.
  2. In the left navigation bar, select Clients, and create a new SP application.
  3. Select the file that you have downloaded earlier and click Save.
  4. Configure the following parameters:

     Settings
     Name                                   Provide a name for this client
     Description (optional)                 Provide a description
     Enabled                                ON
     Consent Required                       OFF
     Client Protocol                        SAML
     Include AuthnStatement                 ON
     Sign Documents                         ON
     Optimize Redirect signing key lookup   OFF
     Sign Assertions                        ON
     Signature Algorithm                    RSA_SHA256
     Saml Signature Key Name                CERT_SUBJECT
     Encrypt Assertion                      OFF
     Client Signature Required              OFF
     Canonicalization Method                EXCLUSIVE
     Force Name ID Format                   ON
     Name ID Format                         Email
     Root URL                               Leave empty
     Valid Redirect URIs                    The Assertion Consumer Service URL from Service Provider Metadata

  5. Under Fine Grain SAML Endpoint Configuration, configure the following:

     Assertion Consumer Service POST Binding URL   The ACS (Assertion Consumer Service) URL from Service Provider Metadata
     Logout Service Redirect Binding URL           The Single Logout URL from Service Provider Metadata

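The Step 2 client can also be created through the Keycloak admin REST API. The block below is an added example and not part of the NoPass documentation or of Keycloak itself; it creates the SAML client with the settings listed in steps 4 and 5 and then reads the client back to confirm the signing-related options. The Keycloak base URL, realm, AD FS entity ID and AD FS endpoint URLs are placeholders; the entity ID and the ACS and Single Logout URLs must come from the AD FS metadata you imported. The attribute keys are those Keycloak uses in its SAML client representation.

```powershell
# Added example (not from the NoPass documentation): creates the Step 2 SAML client
# via the Keycloak admin REST API instead of the admin console.
# All URLs and names below are placeholders, not values from the page.
$KeycloakBase = 'https://keycloak.example.com'   # placeholder
$Realm        = 'myrealm'                        # placeholder: the realm selected in step 1

# Values taken from the imported AD FS metadata (placeholders here).
$AdfsEntityId = 'http://adfs.domain.name/adfs/services/trust'   # AD FS entity ID
$AdfsAcsUrl   = 'https://adfs.domain.name/adfs/ls/'              # Assertion Consumer Service URL
$AdfsSloUrl   = 'https://adfs.domain.name/adfs/ls/'              # Single Logout URL

# Obtain an admin token from the master realm with the built-in admin-cli client.
$cred  = Get-Credential -Message 'Keycloak admin (master realm)'
$token = (Invoke-RestMethod -Method Post `
    -Uri "$KeycloakBase/realms/master/protocol/openid-connect/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ grant_type = 'password'; client_id = 'admin-cli'
             username = $cred.UserName; password = $cred.GetNetworkCredential().Password }).access_token
$headers = @{ Authorization = "Bearer $token" }

# Client representation mirroring the Settings and Fine Grain SAML Endpoint tables.
$client = @{
    clientId        = $AdfsEntityId
    name            = 'AD FS'                                   # Name
    description     = 'AD FS relying party (service provider)'  # Description (optional)
    enabled         = $true                                     # Enabled: ON
    consentRequired = $false                                    # Consent Required: OFF
    protocol        = 'saml'                                    # Client Protocol: SAML
    rootUrl         = ''                                        # Root URL: leave empty
    redirectUris    = @($AdfsAcsUrl)                            # Valid Redirect URIs: the ACS URL
    attributes      = @{
        'saml.authnstatement'                    = 'true'        # Include AuthnStatement: ON
        'saml.server.signature'                  = 'true'        # Sign Documents: ON
        'saml.server.signature.keyinfo.ext'      = 'false'       # Optimize Redirect signing key lookup: OFF
        'saml.assertion.signature'               = 'true'        # Sign Assertions: ON
        'saml.signature.algorithm'               = 'RSA_SHA256'  # Signature Algorithm
        'saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer' = 'CERT_SUBJECT'  # Saml Signature Key Name
        'saml.encrypt'                           = 'false'       # Encrypt Assertion: OFF
        'saml.client.signature'                  = 'false'       # Client Signature Required: OFF
        'saml_signature_canonicalization_method' = 'http://www.w3.org/2001/10/xml-exc-c14n#'  # EXCLUSIVE
        'saml_force_name_id_format'              = 'true'        # Force Name ID Format: ON
        'saml_name_id_format'                    = 'email'       # Name ID Format: Email
        'saml_assertion_consumer_url_post'       = $AdfsAcsUrl   # ACS POST Binding URL
        'saml_single_logout_service_url_redirect' = $AdfsSloUrl  # Logout Service Redirect Binding URL
    }
}

Invoke-RestMethod -Method Post -Uri "$KeycloakBase/admin/realms/$Realm/clients" `
    -Headers $headers -ContentType 'application/json' `
    -Body ($client | ConvertTo-Json -Depth 5)

# Read the client back and show the settings that decide whether AD FS can verify what Keycloak sends.
$encodedId = [uri]::EscapeDataString($AdfsEntityId)
$created   = Invoke-RestMethod -Uri "$KeycloakBase/admin/realms/$Realm/clients?clientId=$encodedId" -Headers $headers
$created.attributes |
    Select-Object 'saml.server.signature', 'saml.assertion.signature', 'saml.signature.algorithm',
                  'saml_name_id_format', 'saml_assertion_consumer_url_post'
```

Sign Documents and Sign Assertions stay ON because the claims provider trust in AD FS validates the response against the token-signing certificate configured in Step 1; Client Signature Required is OFF on the Keycloak side because AD FS, as a service provider, does not sign its AuthnRequests in this setup, so Keycloak has no AD FS certificate to check them against.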
STEP 3. TEST CONNECTION

To sign in to AD FS with SSO, use the IdP-initiated sign-on URL:

https://<adfs01.domain.name>/adfs/ls/idpinitiatedsignon

A successful result looks as follows:

Now your AD FS is configured to work with Keycloak. 
