- Two server hosts:
- Microsoft Windows Server 2012 with Active Directory Federation Services (AD FS) installed. The AD domain will be named DOMAIN.NAME in this post.
- Keycloak server. This can be generally placed anywhere but here it is expected to be running on separate host
- DNS setup:
- The Windows host name will be fs.domain.name in this post
- The Keycloak host name will be kc.domain.name in this post
Setup Keycloak Server
- Setup keycloak for incoming HTTPS connections - steps are provided in Server Installation guide.
- Export AD FS certificate into a Java truststore to enable outgoing HTTPS connections:
- In the AD FS management console, go to Service → Certificates node in the tree and export the Service communications certificate.
- Import the certificate into a Java truststore (JKS format) using Java keytool utility.
- Setup the truststore in Keycloak as described in Server Installation guide.
Setup Identity Provider in Keycloak
Setup Basic Properties of Brokered Identity Provider
- Mapper named Group: managers will be of type SAML Attribute to Role, and will map attribute named http://schemas.xmlsoap.org/claims/Group, if that has attribute value managers, to role manager.
- Mapper named Attribute: email will be of type Attribute Importer, and will map attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress into user attribute named email.
Obtain information for the AD FS configuration
Setup Relying Party Trust in AD FS
Setup Relying Party
Setup Claim Mapping
Q: While using AD FS in Windows 2016, the following error appeared in Keycloak log after importing the descriptor from URL: RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://kc.domain.name/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml. Does it cause any harm?
A: It is harmless. It seems that Windows 2016 version first checks for AD FS-like descriptor URL by adding FederationMetadata/2007-06/FederationMetadata.xml to the entered URL. Such resource does not exist in Keycloak, so it reports error. AD FS however seems to import using the entered URL when this happens. Please see also the original email discussion on this issue.