[keycloak-user] IDP Initiated Login

John D. Ament john.d.ament at gmail.com
Wed Feb 22 22:15:49 EST 2017


This is the part that's confusing me.  What do you mean by a "URL somewhere
that links to your app which will then redirect to keycloak"?

Are you talking about triggering the inbound IDP initiated by first calling
into my app?

If I look at Okta, for instance, they actually have a portal-like site that
users can leverage to directly link to their apps.  The links generated
here are doing IDP initiated SSO, by triggering SAML in the broker then the
broker is expected to forward to the client (and mind you, I know very
little about SAML, but this is how I'm seeing it behave in the browser).

With that said, assuming that I'm going the SAML connector route, it seems
like what I have to do is:

- Create a SAML client for my application.
- Add the IDP initiated stuff to that client via
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
- Add that generated endpoint as the SAML endpoint in the IDP

John

On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke at redhat.com> wrote:

> OIDC/OAuth doesn't have an IDP initiated protocol.  You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further.  When reading through
> >>
> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - It seems like my application has to be SAML.  I cannot do an OIDC based
> >> solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >> application.
> >> - The confusing part is about if my application requires... this seems a
> >> bit odd, since I'm using the Keycloak adapter but sure.
> >> - The part that's missing is what gets setup in the actual broker.  You
> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs.  In
> >> general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine.  I had only tried IDP
> >> when I sent this mail out.
> >>
> >> I'm going through this doc, and it's not clear to me on a few areas:
> >>
> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case).  I
> >> have a link on the Okta portal to log in automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the SAML
> >> connector for Keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working.  Do any
> >> of those need to change?
> >> - Do I in fact set up Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone set up Keycloak w/ Okta?  Every time I try to
> >> authenticate (both SP initiated and IdP initiated) it fails with this error
> >>
> >> 01:40:54,626 WARN  [org.keycloak.events] (default task-7)
> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
> >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> >> (default task-7) staleCodeMessage
> >>
> >> I suspect it's a setup issue on my side, so was hoping someone else has
> >> tried this and can give tips.  I even tried the import feature, no luck.
> >>
> >> John
> >>
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
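The three steps John lists above (create a SAML client, give it an IDP Initiated SSO URL Name, register the resulting Keycloak endpoint in the external IdP) expressed as data, as an added example that is not from this thread or from the Keycloak project. It builds the client representation the Keycloak admin REST API accepts, derives the `/realms/{realm}/protocol/saml/clients/{url-name}` endpoint described in the linked documentation, and ignores OIDC clients since, as Bill notes, they have no IdP-initiated flow. The attribute key `saml_idp_initiated_sso_url_name` is the one Keycloak stores that field under; the base URL, realm and client names are assumed placeholders.

```python
import json
import re
from urllib.parse import quote

# Client attribute Keycloak stores the "IDP Initiated SSO URL Name" field under.
# The endpoint it enables exists only for clients with protocol "saml".
URL_NAME_ATTR = "saml_idp_initiated_sso_url_name"

def validate_url_name(url_name):
    """The URL name becomes a path segment, so require a plain URL-safe token."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", url_name):
        raise ValueError("IDP Initiated SSO URL Name must be URL-safe: %r" % url_name)
    return url_name

def idp_initiated_endpoint(base_url, realm, url_name):
    """Step 3: the Keycloak URL the external IdP (Okta here) sends its assertion to."""
    validate_url_name(url_name)
    return "%s/realms/%s/protocol/saml/clients/%s" % (
        base_url.rstrip("/"), quote(realm, safe=""), url_name)

def saml_client_representation(client_id, url_name, acs_url):
    """Steps 1+2: minimal body for POST /admin/realms/{realm}/clients."""
    return {
        "clientId": client_id,
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs_url],          # the SP's assertion consumer URL
        "attributes": {URL_NAME_ATTR: validate_url_name(url_name)},
    }

def idp_initiated_endpoints(base_url, realm, clients):
    """Map every SAML client that has a URL name to its IdP-initiated endpoint.
    OIDC clients are skipped even if someone set the attribute on them."""
    result = {}
    for c in clients:
        name = c.get("attributes", {}).get(URL_NAME_ATTR)
        if c.get("protocol") == "saml" and name:
            result[c["clientId"]] = idp_initiated_endpoint(base_url, realm, name)
    return result

if __name__ == "__main__":
    # Constructed sample of what GET /admin/realms/tenant1/clients might return.
    clients = [
        saml_client_representation("my-app", "my-app", "https://app.example.com/saml"),
        {"clientId": "oidc-app", "protocol": "openid-connect",
         "attributes": {URL_NAME_ATTR: "ignored"}},
    ]
    # Base URL is a placeholder; Keycloak of that era served under /auth.
    print(json.dumps(idp_initiated_endpoints(
        "https://keycloak.example.com/auth", "tenant1", clients), indent=2))
```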

