[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Chris Brandhorst Chris.Brandhorst at topicus.nl
Mon Nov 14 04:36:34 EST 2016


Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-initiated SSO from IdP A to
IdP B (after which we can do all sorts of things with the authenticators).

Stian called this a bug (set for 2.4.1.Final now), but it seems you’re saying this is not supported?
This causes me some confusion, can you clarify?

Thanks,
Chris

> On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com> wrote:
> 
> So, you have Application FOOBAR which is secured by IDP 'B'.  You want 
> to register an IDP initiated SSO link on IDP 'A' that redirects to IDP 
> 'B' that redirects to Application FOOBAR?  That's not something we 
> support at the moment.
> 
> 
> 
> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>> Isn’t this like my question:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>> 
>> and bug report:
>> https://issues.jboss.org/browse/KEYCLOAK-3731
>> 
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>> It seems that that’s exactly what we are attempting. Why shouldn’t that be
>> supported and what does that mean for my bug report (which was already
>> worked on)?
>> 
>> On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
>> 
>> So, you:
>> 
>> 1. visit the IDP-initiated SSO URL on keycloak
>> 
>> 2. Select an external IDP to login from on the Keycloak login page
>> 
>> 3. Login to the external IDP
>> 
>> 4. Failure?
>> 
>> Sounds like a bug.
>> 
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>> 
>> 
>> On 11/11/16 11:13 PM, Josh Cain wrote:
>> Hi all,
>> 
>> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
>> against the Keycloak broker service.  However, it's failing every time
>> on the IdentityBrokerService.authenticated(..) method.  I get the
>> following error on the console:
>> 
>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>> staleCodeMessage
>> 
>> This method seems to think that clients should *always* visit the
>> Keycloak IDP before returning with a SAML assertion, and the failure to
>> retrieve an associated client session is causing a serious issue.  I am
>> able to successfully use the identity brokering functions if I use an
>> SP-initiated flow, so I know the brokering piece is configured
>> correctly.
>> 
>> Is this a limitation in the current implementation, or do I have
>> something configured incorrectly?
>> 
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 