[keycloak-user] IDP Initiated Login

John D. Ament john.d.ament at gmail.com
Thu Feb 23 06:06:53 EST 2017 

Right, at this point I'm not thinking about OIDC any longer as my
connector.  Does what I described make sense as things to be done?

On Wed, Feb 22, 2017 at 11:23 PM Bill Burke <bburke at redhat.com> wrote:

> IDP Initiated SSO means that the login is unsolicited,meaning that the
> application did not initiate the login.  OAuth protocol (and thus OIDC)
> does not support this.  The application has to initiate the login.  I'm not
> sure exactly what you're trying to do, but if you just want a page where
> you can see a list of apps that you can visit, you can just create a simple
> static web page with links to your apps formatted and pretty as you want it.
>
> Some IDPs or apps, Saleforce.com I think, require SAML IDP Initiated SSO
> and don't support the regular login protocol.
>
> On 2/22/17 10:18 PM, John D. Ament wrote:
>
> Ok, I must have fat fingered there at the end.  Sorry.
>
> With that said, assuming that I want IDP initiated login, it seems like
> what I have to do is:
>
> - Create a SAML client in Keycloak for my application.
> - Follow the IDP initiated flow from
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> - Point my IDP to the endpoint that gets generated in here.
>
> As a result, it seems like I don't have to even create a SAML IDP in
> Keycloak, unless that somehow gets used for SP initiated.
>
> John
>
> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament at gmail.com>
> wrote:
>
> This is the part that's confusing me.  What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps.  The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke at redhat.com> wrote:
>
> OIDC/OAuth doesn't have an IDP initiated protocol.  You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further.  when reading through
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - It seems like my application has to be SAML.  I cannot do an OIDC
> based
> >> solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >> application.
> >> - The confusing part is about if my application requires... this seems a
> >> bit odd, since I'm using the Keycloak adapter but sure.
> >> - The part that's missing is what gets setup in the actual broker.  You
> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs.
> In
> >> general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine.  I had only tried
> IDP
> >> when I sent this mail out.
> >>
> >> I'm going through this doc, and its not clear to me on a few areas:
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case).
> I
> >> have a link on the okta portal to login automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the
> SAML
> >> connector for keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working.  Do any
> >> of those need to change?
> >> - Do I in fact setup Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone setup Keycloak w/ Okta?  Every time I try to
> >> authenticate (both SP initiated and IdP initiated) it fails with this
> error
> >>
> >> 01:40:54,626 WARN  [org.keycloak.events] (default task-7)
> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
> >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> >> 01:40:54,627 ERROR
> [org.keycloak.services.resources.IdentityBrokerService]
> >> (default task-7) staleCodeMessage
> >>
> >> I suspect its a setup issue on my side, so was hoping someone else has
> >> tried this and can give tips.  I even tried the import feature, no luck.
> >>
> >> John
> >>
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

More information about the keycloak-user mailing list