Configuring claims for keycloak idp in ADFS

  • Question

  • We have configured a claims provider trust for Keycloak in ADFS 2.0 to allow access to our internal SAML application hosted on Liferay, but whatever claims we configure, none of them work and the login stops on the ADFS page with "An authentication error has occurred". Below are the claims coming in the SAML response from Keycloak to ADFS:


    We have added the claim rules below in ADFS 2.0:

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT PU"
    c:[Type == "http://adfs.nes/custom/preferred_username"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT NIN"
    c:[Type == "http://adfs.nes/custom/id_number"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT X500GivenName"
    c:[Type == "X500 givenName"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT X500Surname"
    c:[Type == "X500 surname"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT X500email"
    c:[Type == "http://adfs.nes/custom/email"]
     => issue(claim = c);


    We have the below incoming SAML response.

     Below is the response we receive from Keycloak; we want to authenticate based on id_number or the NameID.

     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">1111111113</saml:NameID>

    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-c4cd3bda-5db6-4a4e-9994-fce6a02db6d4" NotOnOrAfter="2019-07-11T13:48:47.014Z" Recipient="https://adfs.tau.nes/adfs/ls/"/></saml:SubjectConfirmation></saml:Subject>

    <saml:Conditions NotBefore="2019-07-11T08:48:47.014Z" NotOnOrAfter="2019-07-11T08:49:47.014Z">

    <saml:AudienceRestriction><saml:Audience>http://adfs.tau.nes/adfs/services/trust</saml:Audience></saml:AudienceRestriction></saml:Conditions>

    <saml:AuthnStatement AuthnInstant="2019-07-11T08:48:49.014Z" SessionIndex="289af221-693b-48fb-b36b-af848b9a5cb3::c030cc9a-44cc-4212-9f89-b6c7cc283406"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>

    <saml:AttributeStatement><saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test</saml:AttributeValue></saml:Attribute>

    <saml:Attribute FriendlyName="ID number" Name="id_number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1111111113</saml:AttributeValue></saml:Attribute>

    <saml:Attribute FriendlyName="ID number" Name="id_number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1111111113</saml:AttributeValue></saml:Attribute>

    <saml:Attribute FriendlyName="surname" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AlHassan</saml:AttributeValue></saml:Attribute>

    <saml:Attribute FriendlyName="email" Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1111111113@tamkeen.land</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>


    We have also tried adding the rules in a different manner, shown below:

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT NIN"
    c:[Type == "http://adfs.nes/custom/id_number"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PT X500email"
    c:[Type == "http://adfs.nes/custom/email"]
     => issue(claim = c);

    @RuleTemplate = "MapClaims"
    @RuleName = "idnumber --> NameID"
    c:[Type == "http://adfs.nes/custom/id_number"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

    @RuleTemplate = "MapClaims"
    @RuleName = "IDNumber to Name"
    c:[Type == "http://adfs.nes/custom/id_number"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PTGivenName"
    c:[Type == "http://adfs.nes/custom/givenName"]
     => issue(claim = c);

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "PTsurname"
    c:[Type == "http://adfs.nes/custom/surname"]
     => issue(claim = c);

    The expected result is that ADFS passes the request on to the Liferay application, but instead the request gets stuck on ADFS with "An authentication error has occurred".
    Sunday, July 14, 2019 5:53 PM

Answers

  • Dear,

    Thanks very much for your reply, I was successfully able to resolve the issue using blog KEYCLOAK-4057


    We had enabled debug logging for ADFS-Tracing and found the below event ID 47. After researching, we found that Keycloak was sending KeyName in the SAML response as <dsig:KeyName>UFe9jy_kwfXMD_b7o1OrBb3CahRB_5NpJZXBO0TkVdg</dsig:KeyName> -- while ADFS was expecting the subject name of the certificate in KeyName, so we just asked the Keycloak administrator to remove the KeyName element from the response and the login started working fine.

    Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolException: MSIS1022: Cannot process SAML Response from ''.
    Inner exception: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.
       at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

    Regards,

    Amjad


    • Marked as answer by MS_Learner_21 Tuesday, July 16, 2019 5:27 PM
    Tuesday, July 16, 2019 5:26 PM
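The two things this thread turned on, the pass-through rules selecting on claim types that never arrive and the ID4037 failure caused by a KeyName-only KeyInfo, can both be checked offline before touching the trust. The following is an added diagnostic written for this page, not code from the thread or from ADFS or Keycloak; the assertion it reads is a constructed sample modelled on the response in the question, and the check treats the SAML attribute Name as the incoming claim type, which is how ADFS reads an assertion from a claims provider.

```python
# Added diagnostic, not from the thread: read a SAML assertion the way the
# questioner's ADFS claims-provider trust sees it and report claim types the
# rules cannot match and a KeyInfo carrying only a KeyName (the ID4037 case).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}  # page uses prefix dsig; the URI is what matters
# Constructed sample modelled on the response quoted in the question (placeholder values).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:KeyName>placeholder-key-name</ds:KeyName></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">1111111113</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id_number"><saml:AttributeValue>1111111113</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Incoming claim types the question's pass-through rules select on.
RULE_INPUT_TYPES = ["http://adfs.nes/custom/preferred_username",
                    "http://adfs.nes/custom/id_number", "http://adfs.nes/custom/email"]

def parse_assertion(xml_text):
    """Return NameID, attributes keyed by Name, and what the signature's KeyInfo contains."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    key_info = root.find(".//ds:Signature/ds:KeyInfo", NS)
    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attrs,
        "key_name": None if key_info is None else key_info.findtext("ds:KeyName", None, NS),
        "has_x509": key_info is not None and key_info.find("ds:X509Data", NS) is not None,
    }

def diagnose(xml_text, rule_types=RULE_INPUT_TYPES):
    """A rule whose Type is not an attribute Name in the assertion never fires;
    a KeyName-only KeyInfo cannot be resolved against the trust's certificate."""
    info = parse_assertion(xml_text)
    findings = []
    unmatched = [t for t in rule_types if t not in info["attributes"]]
    if unmatched:
        findings.append("rules select on claim types not present as attribute Names: " + ", ".join(unmatched))
    if info["key_name"] and not info["has_x509"]:
        findings.append("KeyInfo carries only KeyName; ADFS cannot resolve the signing key (ID4037)")
    return findings
```

Running `diagnose(SAMPLE)` on the constructed sample reports both problems; once the rule Types are changed to the Names actually sent (`id_number`, the `urn:oid:` names) and the KeyInfo carries the certificate instead of a bare KeyName, it returns an empty list.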

All replies

  • What error does it show in the event log?

    I don't see a claim for NameID?

    Try a Transform rule from email or whatever to NameID and make the format "unspecified".

    Monday, July 15, 2019 6:43 PM
    Moderator