[keycloak-user] IDP Initiated Login

Thu Feb 23 12:54:37 EST 2017

:-)

Well it seems not needed.  Or we can worry about that later.

- Is the client I'm setting up for my app a SAML client or OIDC client? Or
does it not matter?
- When I point Okta to my SAML IDP endpoint (
http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint
<http://sso-poc.aws.stratas.net/auth/realms/tenant1/broker/okta/endpoint> )
I'm getting " WE'RE SORRY ... This page is no longer valid, please go back
to your application and login again"  - this kind of makes sense, I don't
see how I'm telling the Okta IDP which app to forward to.

John

On Thu, Feb 23, 2017 at 12:45 PM Bill Burke <bburke at redhat.com> wrote:

> Hmmm....somebody removed this config option....wtf...
>
> On 2/23/17 12:11 PM, John D. Ament wrote:
>
> Bill,
>
> Thanks.  How do i set "Automatic Delegate"?
>
> John
>
> On Thu, Feb 23, 2017 at 10:53 AM Bill Burke <bburke at redhat.com> wrote:
>
> Yes, that would be an infinite loop as you are configuring Keycloak to
> delegate authentication to Okta and Okta to delegate to keycloak.  You'd
> have to:
>
> 1. Set up a client for your application in Keycloak
>
> 2. Set up a broker in Keycloak that points to Okta and sets that as the
> automatic delegate.  This means no keycloak login screen would be shown and
> it would delegate directly to Okta for authentication.
>
> 3. Log into Okta
>
> 4. Get to Okta app screen.
>
> 5. Click on app link
>
> 6. App redirects to Keycloak for authentication
>
> 7. Keycloak redirects automatically to Okta
>
> 8. Okta sees you are already logged in
>
> 9. Redirects back to Keycloak
>
> 10. Creates SAML assertion or OIDC token for client
>
> 11. Redirects back to app.
> On 2/23/17 10:10 AM, John D. Ament wrote:
>
> Effectively, yes.
>
> I just got *something* configured, though it resulted in an infinite loop.
>
> 1. Created a SAML client for my application, with the following custom
> settings:
> - Client ID: my-saml
> - IDP Initiated SSO URL Name: myapp-saml
> - Assertion Consumer Service POST Binding URL:
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> 2. Created a SAML IDP for Okta:
> - SSO URL:
> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>
> 3. In Okta, set the SSO URL to
>
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> This results in an infinite loop of URLs that look like:
>
> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>
> - John
>
> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke <bburke at redhat.com> wrote:
>
> I'm sorry, I only read the top half of the email thread.
>
> Is this what you want?
>
> 1. User logs into Okta
>
> 2. User clicks on app link in Okta
>
> 3. This app is actually secured by Keycloak, not Okta
>
> 4. You want some brokering done here between Keycloak and Okta.
>
> Is that it?
>
> On 2/23/17 6:06 AM, John D. Ament wrote:
>
> Right, at this point I'm not thinking about OIDC any longer as my
> connector.  Does what I described make sense as things to be done?
>
> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke <bburke at redhat.com> wrote:
>
> IDP Initiated SSO means that the login is unsolicited,meaning that the
> application did not initiate the login.  OAuth protocol (and thus OIDC)
> does not support this.  The application has to initiate the login.  I'm not
> sure exactly what you're trying to do, but if you just want a page where
> you can see a list of apps that you can visit, you can just create a simple
> static web page with links to your apps formatted and pretty as you want it.
>
> Some IDPs or apps, Saleforce.com I think, require SAML IDP Initiated SSO
> and don't support the regular login protocol.
>
> On 2/22/17 10:18 PM, John D. Ament wrote:
>
> Ok, I must have fat fingered there at the end.  Sorry.
>
> With that said, assuming that I want IDP initiated login, it seems like
> what I have to do is:
>
> - Create a SAML client in Keycloak for my application.
> - Follow the IDP initiated flow from
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> - Point my IDP to the endpoint that gets generated in here.
>
> As a result, it seems like I don't have to even create a SAML IDP in
> Keycloak, unless that somehow gets used for SP initiated.
>
> John
>
> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament at gmail.com>
> wrote:
>
> This is the part that's confusing me.  What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps.  The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke at redhat.com> wrote:
>
> OIDC/OAuth doesn't have an IDP initiated protocol.  You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further.  when reading through
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - It seems like my application has to be SAML.  I cannot do an OIDC
> based
> >> solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >> application.
> >> - The confusing part is about if my application requires... this seems a
> >> bit odd, since I'm using the Keycloak adapter but sure.
> >> - The part that's missing is what gets setup in the actual broker.  You
> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs.
> In
> >> general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine.  I had only tried
> IDP
> >> when I sent this mail out.
> >>
> >> I'm going through this doc, and its not clear to me on a few areas:
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case).
> I
> >> have a link on the okta portal to login automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the
> SAML
> >> connector for keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working.  Do any
> >> of those need to change?
> >> - Do I in fact setup Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone setup Keycloak w/ Okta?  Every time I try to
> >> authenticate (both SP initiated and IdP initiated) it fails with this
> error
> >>
> >> 01:40:54,626 WARN  [org.keycloak.events] (default task-7)
> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
> >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> >> 01:40:54,627 ERROR
> [org.keycloak.services.resources.IdentityBrokerService]
> >> (default task-7) staleCodeMessage
> >>
> >> I suspect its a setup issue on my side, so was hoping someone else has
> >> tried this and can give tips.  I even tried the import feature, no luck.
> >>
> >> John
> >>
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
>