[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
Bill Burke
bburke at redhat.com
Sun Nov 13 09:06:06 EST 2016
So, you:
1. visit the IDP-initiated SSO URL on keycloak
2. Select an external IDP to login from on the Keycloak login page
3. Login to the external IDP
4. Failure?
Sounds like a bug.
If you're trying to do IDP-initiated SSO starting from the external IDP,
that's not something we support.
On 11/11/16 11:13 PM, Josh Cain wrote:
> Hi all,
>
> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> against the Keycloak broker service. However, it's failing every time
> on the IdentityBrokerService.authenticated(..) method. I get the
> following error on the console:
>
> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
> staleCodeMessage
>
> This method seems to think that clients should *always* visit the
> Keycloak IDP before returning with a SAML assertion, and the failure to
> retrieve an associated client session is causing a serious issue. I am
> able to successfully use the identity brokering functions if I use an
> SP-initiated flow, so I know the brokering piece is configured
> correctly.
>
> Is this a limitation in the current implementation, or do I have
> something configured incorrectly?
>