[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Josh Cain jcain at redhat.com
Mon Nov 14 10:59:50 EST 2016


Real-world use-case:

Folks are managing Red Hat VMs on Microsoft's Azure platform, and they
need to SSO over to Red Hat for support (via the support link on the VM
management console).  Microsoft initiates the SSO to the Red Hat broker
from the Azure console.

https://azure.microsoft.com/en-in/blog/red-hat-customer-portal-from-azure/

On Mon, 2016-11-14 at 14:50 +0000, Chris Brandhorst wrote:
> Well, it seems we do :-)
> 
> In our case we have an existing desktop application with its own user
> management (IdP A) which posts signed SAML responses to our web application.
> 
> We would like to migrate to an IdP setup using KeyCloak, with our web
> application as a client of KeyCloak (IdP B). Since IdP A is a desktop
> application, only the IdP-initiated flow is viable.
> 
> 
> > 
> > On 14 Nov 2016, at 15:32, Bill Burke <bburke at redhat.com> wrote:
> > 
> > This is not a bug, it's a feature request.  The IDP-SSO-Initiated link is
> > not set up to process SAML requests.  I didn't even think that people
> > would want to do a broker initiated sso.
> > 
> > 
> > On 11/14/16 9:23 AM, Josh Cain wrote:
> > > 
> > > @Chris - yep, exactly the same thing.  Thanks for pointing me to the
> > > right bug, I'll continue discussion there!
> > > On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
> > > > 
> > > > Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an
> > > > IdP-initiated SSO from IdP A to IdP B (after which we can do all sorts
> > > > of things with the authenticators).
> > > > 
> > > > Stian called this a bug (set for 2.4.1.Final now), but it seems
> > > > you’re saying this is not supported?
> > > > This causes me some confusion, can you clarify?
> > > > 
> > > > Thanks,
> > > > Chris
> > > > 
> > > > > 
> > > > > On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com>
> > > > > wrote:
> > > > > 
> > > > > So, you have Application FOOBAR which is secured by IDP 'B'.  You
> > > > > want to register an IDP initiated SSO link on IDP 'A' that
> > > > > redirects to IDP 'B' that redirects to Application FOOBAR?  That's
> > > > > not something we support at the moment.
> > > > > 
> > > > > 
> > > > > 
> > > > > On 11/13/16 9:16 AM, Chris Brandhorst wrote:
> > > > > > 
> > > > > > Isn’t this like my question:
> > > > > > http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
> > > > > > 
> > > > > > and bug report:
> > > > > > https://issues.jboss.org/browse/KEYCLOAK-3731
> > > > > > 
> > > > > > If you're trying to do IDP-initiated SSO starting from the
> > > > > > external IDP, that's not something we support.
> > > > > > It seems that that’s exactly what we are attempting. Why
> > > > > > shouldn’t that be supported and what does that mean for my bug
> > > > > > report (which was already worked on)?
> > > > > > 
> > > > > > On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
> > > > > > 
> > > > > > So, you:
> > > > > > 
> > > > > > 1. visit the IDP-initiated SSO URL on keycloak
> > > > > > 
> > > > > > 2. Select an external IDP to login from on the Keycloak login page
> > > > > > 
> > > > > > 3. Login to the external IDP
> > > > > > 
> > > > > > 4. Failure?
> > > > > > 
> > > > > > Sounds like a bug.
> > > > > > 
> > > > > > If you're trying to do IDP-initiated SSO starting from the
> > > > > > external IDP, that's not something we support.
> > > > > > 
> > > > > > 
> > > > > > On 11/11/16 11:13 PM, Josh Cain wrote:
> > > > > > Hi all,
> > > > > > 
> > > > > > I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> > > > > > against the Keycloak broker service.  However, it's failing every
> > > > > > time on the IdentityBrokerService.authenticated(..) method.  I get
> > > > > > the following error on the console:
> > > > > > 
> > > > > > 22:05:04,945 ERROR [org.keycloak.services] (default task-61) staleCodeMessage
> > > > > > 
> > > > > > This method seems to think that clients should *always* visit the
> > > > > > Keycloak IDP before returning with a SAML assertion, and the failure
> > > > > > to retrieve an associated client session is causing a serious
> > > > > > issue.  I am able to successfully use the identity brokering
> > > > > > functions if I use an SP-initiated flow, so I know the brokering
> > > > > > piece is configured correctly.
> > > > > > 
> > > > > > Is this a limitation in the current implementation, or do I have
> > > > > > something configured incorrectly?
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > 
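The request/response correlation behind the failure described in the thread, as an added example that is not part of the original posts or of Keycloak's own code: a small Python check that classifies a samlp:Response by whether it carries InResponseTo, and models why a broker that expects a prior client session rejects an unsolicited (IdP-initiated) response while accepting an SP-initiated one. The sample responses, endpoint URL, issuer names and the `outstanding` request store are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample responses (not real traffic); signatures and assertions
# are omitted because this example only looks at request/response correlation.
SP_INITIATED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" IssueInstant="2016-11-11T23:13:00Z"
  InResponseTo="_req1" Destination="https://broker.example/broker/endpoint">
  <saml:Issuer>https://idp-a.example</saml:Issuer>
</samlp:Response>"""

UNSOLICITED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp2" Version="2.0" IssueInstant="2016-11-11T23:13:00Z"
  Destination="https://broker.example/broker/endpoint">
  <saml:Issuer>https://idp-a.example</saml:Issuer>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (issuer, InResponseTo) from a samlp:Response, or raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    return root.findtext(f"{{{SAML}}}Issuer"), root.get("InResponseTo")


def classify(xml_text):
    """An SP-initiated response answers an AuthnRequest and carries
    InResponseTo; an IdP-initiated (unsolicited) response has none."""
    _, in_response_to = parse_response(xml_text)
    return "sp-initiated" if in_response_to else "idp-initiated"


def broker_decision(xml_text, outstanding):
    """Model the SP-side check behind the failure in the thread: the broker
    accepts only a response tied to a request it issued itself.  `outstanding`
    is a hypothetical store mapping request ID -> issuer it was sent to."""
    issuer, in_response_to = parse_response(xml_text)
    if in_response_to is None:
        return "reject: unsolicited response, no prior client session"
    if outstanding.get(in_response_to) != issuer:
        return "reject: InResponseTo does not match an outstanding request"
    return "accept"


if __name__ == "__main__":
    store = {"_req1": "https://idp-a.example"}
    for name, doc in (("SP_INITIATED", SP_INITIATED), ("UNSOLICITED", UNSOLICITED)):
        print(name, classify(doc), broker_decision(doc, store))
```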