[keycloak-user] IdP initiated SSO to Account page?

Stian Thorgersen sthorger at redhat.com
Tue Feb 7 04:04:44 EST 2017


The account page doesn't support SAML, only OIDC.

To achieve what you want we'd have to add idp_hint query param support to
the account page and make it include that in its authentication request.
Would be pretty simple to do. You can create a JIRA feature request for it.
Even better if it came with a PR including tests.

On 6 February 2017 at 16:41, Mark Pardijs <mark.pardijs at topicus.nl> wrote:

> Hi,
>
> I want to give my users the possibility to edit their account settings
> from a federated IdP. Is there a way to do an IdP initiated SSO from a
> federated IdP which links directly to the account page at
> {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?
>
> As far as I can see, I have to do the following steps:
>
>
>   1.  In the ‘master’ keycloak: add a new SAML client with URL
> {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no
> such thing as ‘OpenID Connect IdP initiated SSO’ as far as I can see)
>   2.  In the federated IdP: send a SAMLResponse to
> http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}
>
> The login goes successfully, but after login I see a 403 "Failed executing
> POST /realms/master/account” error, since the account page doesn’t accept
> POST requests. If I refresh the browser window which is pointing at the
> account page all is well, since this last request is a GET request. (See
> http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html
> for the same question about POST/GET)
>
> I could make a third client with as only function showing a link to the
> account page but don’t know if this is the right way to go.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
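The "third client" Mark floats above, as an added example that is not from the thread or from Keycloak: a minimal landing client whose ACS endpoint turns the SAML POST binding into a 303 redirect, so the browser reaches the account page with the GET it accepts. It assumes Keycloak runs at the constructed BASE_URL, that this server is registered as a SAML client in the master realm with its ACS URL pointing here, and that the broker login has already set the realm SSO cookie (the reason a plain GET works after the refresh Mark describes).

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

BASE_URL = "https://keycloak.example.org"  # constructed placeholder, not a real host
REALM = "myrealm"                          # constructed placeholder realm name


def account_url(base_url: str, realm: str) -> str:
    """Fixed redirect target: the realm's account page, path as quoted in the thread."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/account"


def handle_acs_post(body: str):
    """Map a form-encoded POST body to (status, headers).

    Only a body carrying a SAMLResponse becomes a 303 See Other, which makes the
    browser follow up with a GET, the verb the account page accepts. The assertion
    itself is deliberately not consumed here: this client grants nothing on its
    own, the account page is protected by Keycloak's own session cookie. The
    target is hard-coded rather than read from RelayState, so the landing client
    cannot be turned into an open redirector.
    """
    form = parse_qs(body, keep_blank_values=False)
    if "SAMLResponse" not in form:
        return 400, {"Content-Type": "text/plain"}
    return 303, {"Location": account_url(BASE_URL, REALM)}


class LandingHandler(BaseHTTPRequestHandler):
    """ACS endpoint for the landing client: accepts the POST binding, answers 303."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        status, headers = handle_acs_post(body)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Bind locally; put a TLS-terminating proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), LandingHandler).serve_forever()
```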
