[keycloak-user] IDP Initiated Login

John D. Ament john.d.ament at gmail.com
Thu Feb 23 21:14:01 EST 2017


After I sent this email, it dawned on me what #4 was.  I was able to get
IDP initiated working.  Here's what my setup looks like.  So I'm
interested, is this correct, is this too much?

- Create an IDP for Okta.

- App Client:
  - This represents the real application, receiving the final assertion.
  - Client Protocol: SAML
  - IDP Initiated SSO Name: some-value
  - Assertion Consumer Service POST Binding URL: http://myapp/saml (the
/saml comes from the wildfly SAML adapter)

Within Okta, I'm entering a URL like this:

http://mykeycloak/auth/realms/<<realm>>/broker/<<alias>>/endpoint/clients/<<some-value>>

Where:

realm: your realm, e.g. tenant1 in my case
alias: the value of the "alias" field from your IDP
some-value: the IDP Initiated SSO Name value from above

After doing this, I'm able to confirm that the principal is coming from
Keycloak properly.  I'm assuming based on this, I can only do this via the
SAML adapter, not the OIDC connector.

John

On Thu, Feb 23, 2017 at 8:43 PM John D. Ament <john.d.ament at gmail.com>
wrote:

> Keycloak is delegating to Okta in my case.  I almost want to say ELI5, but
> I'm not sure I'm that far off.
>
> I still feel like there's a piece missing in my setup, based on what
> you're describing.
>
> 1. A user logs in to Okta.  They see an option for my app, which is in
> fact Keycloak.
> 2. User clicks said link, it does IDP initiated auth to Keycloak.
> 3. User now has a session in keycloak.
> 4. ??
> 5. The user is now in my app.
>
> The part that seems to be missing is 4.  How am I telling keycloak that
> when a user comes in this way, they should then come to my app?  Is that
> where I want to use "Assertion Consumer Service POST Binding URL" ?
>
> John
>
>
> On Thu, Feb 23, 2017 at 2:54 PM Bill Burke <bburke at redhat.com> wrote:
>
> Maybe I should explain brokering?
>
> If you want Keycloak to delegate authentication to a different IDP, then
> you need to set up an Identity Provider.  If you have a child IDP that is
> delegating authentication to Keycloak then you must set up a client within
> Keycloak.  This client represents the connection to the child IDP.  Does
> that shed any light on things?
>
> Is Keycloak delegating authentication to Okta?  Or is Okta delegating to
> Keycloak?
>
> Thanks,
>
> Bill
>
> On 2/23/17 12:54 PM, John D. Ament wrote:
>
> :-)
>
> Well it seems not needed.  Or we can worry about that later.
>
> - Is the client I'm setting up for my app a SAML client or OIDC client? Or
> does it not matter?
> - When I point Okta to my SAML IDP endpoint (
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint
> <http://sso-poc.aws.stratas.net/auth/realms/tenant1/broker/okta/endpoint> )
> I'm getting " WE'RE SORRY ... This page is no longer valid, please go back
> to your application and login again"  - this kind of makes sense, I don't
> see how I'm telling the Okta IDP which app to forward to.
>
> John
>
> On Thu, Feb 23, 2017 at 12:45 PM Bill Burke <bburke at redhat.com> wrote:
>
> Hmmm....somebody removed this config option....wtf...
>
> On 2/23/17 12:11 PM, John D. Ament wrote:
>
> Bill,
>
> Thanks.  How do I set "Automatic Delegate"?
>
> John
>
> On Thu, Feb 23, 2017 at 10:53 AM Bill Burke <bburke at redhat.com> wrote:
>
> Yes, that would be an infinite loop as you are configuring Keycloak to
> delegate authentication to Okta and Okta to delegate to keycloak.  You'd
> have to:
>
> 1. Set up a client for your application in Keycloak
>
> 2. Set up a broker in Keycloak that points to Okta and sets that as the
> automatic delegate.  This means no keycloak login screen would be shown and
> it would delegate directly to Okta for authentication.
>
> 3. Log into Okta
>
> 4. Get to Okta app screen.
>
> 5. Click on app link
>
> 6. App redirects to Keycloak for authentication
>
> 7. Keycloak redirects automatically to Okta
>
> 8. Okta sees you are already logged in
>
> 9. Redirects back to Keycloak
>
> 10. Creates SAML assertion or OIDC token for client
>
> 11. Redirects back to app.
>
> On 2/23/17 10:10 AM, John D. Ament wrote:
>
> Effectively, yes.
>
> I just got *something* configured, though it resulted in an infinite loop.
>
> 1. Created a SAML client for my application, with the following custom
> settings:
> - Client ID: my-saml
> - IDP Initiated SSO URL Name: myapp-saml
> - Assertion Consumer Service POST Binding URL:
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> 2. Created a SAML IDP for Okta:
> - SSO URL:
> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>
> 3. In Okta, set the SSO URL to
>
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> This results in an infinite loop of URLs that look like:
>
> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>
> - John
>
> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke <bburke at redhat.com> wrote:
>
> I'm sorry, I only read the top half of the email thread.
>
> Is this what you want?
>
> 1. User logs into Okta
>
> 2. User clicks on app link in Okta
>
> 3. This app is actually secured by Keycloak, not Okta
>
> 4. You want some brokering done here between Keycloak and Okta.
>
> Is that it?
>
> On 2/23/17 6:06 AM, John D. Ament wrote:
>
> Right, at this point I'm not thinking about OIDC any longer as my
> connector.  Does what I described make sense as things to be done?
>
> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke <bburke at redhat.com> wrote:
>
> IDP Initiated SSO means that the login is unsolicited, meaning that the
> application did not initiate the login.  OAuth protocol (and thus OIDC)
> does not support this.  The application has to initiate the login.  I'm not
> sure exactly what you're trying to do, but if you just want a page where
> you can see a list of apps that you can visit, you can just create a simple
> static web page with links to your apps formatted and pretty as you want it.
>
> Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated SSO
> and don't support the regular login protocol.
>
> On 2/22/17 10:18 PM, John D. Ament wrote:
>
> Ok, I must have fat fingered there at the end.  Sorry.
>
> With that said, assuming that I want IDP initiated login, it seems like
> what I have to do is:
>
> - Create a SAML client in Keycloak for my application.
> - Follow the IDP initiated flow from
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> - Point my IDP to the endpoint that gets generated in here.
>
> As a result, it seems like I don't have to even create a SAML IDP in
> Keycloak, unless that somehow gets used for SP initiated.
>
> John
>
> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament at gmail.com>
> wrote:
>
> This is the part that's confusing me.  What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps.  The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke at redhat.com> wrote:
>
> OIDC/OAuth doesn't have an IDP initiated protocol.  You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further.  When reading through
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - It seems like my application has to be SAML.  I cannot do an OIDC
> >> based solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >> application.
> >> - The confusing part is about if my application requires... this seems a
> >> bit odd, since I'm using the Keycloak adapter but sure.
> >> - The part that's missing is what gets set up in the actual broker.  You
> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs.  In
> >> general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine.  I had only tried
> >> IDP when I sent this mail out.
> >>
> >> I'm going through this doc, and it's not clear to me on a few areas:
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case).  I
> >> have a link on the okta portal to log in automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the
> >> SAML connector for keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working.  Do any
> >> of those need to change?
> >> - Do I in fact set up Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com>
> >> wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone set up Keycloak w/ Okta?  Every time I try to
> >> authenticate (both SP initiated and IdP initiated) it fails with this error
> >>
> >> 01:40:54,626 WARN  [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage
> >>
> >> I suspect it's a setup issue on my side, so was hoping someone else has
> >> tried this and can give tips.  I even tried the import feature, no luck.
> >>
> >> John
> >>
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
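As an added example (not code from the thread, from Keycloak or from Okta), the check below encodes the wiring John reports as working in his top message and flags the earlier looping configuration: the SAML client's ACS URL must point at the application, and Okta's SSO URL must hit the broker endpoint with the `/clients/<IDP Initiated SSO URL Name>` suffix. The host names, the `/auth/realms/.../broker/.../endpoint` path layout taken from the thread's URLs, and all function names are assumptions.

```python
from urllib.parse import urlparse

# Constructed values mirroring the thread; real deployments substitute their own.
KEYCLOAK = "http://mykeycloak"
WORKING_OKTA_SSO_URL = "http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/some-value"
LOOPING_ACS_URL = "http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml"

def broker_idp_initiated_url(base, realm, alias, sso_name):
    """Build the URL the external IDP (Okta) should post to, as used in the thread."""
    return f"{base.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint/clients/{sso_name}"

def parse_broker_endpoint(url):
    """Return (realm, alias, sso_name-or-None) for an /auth/realms/<r>/broker/<a>/endpoint
    URL (the path layout from the thread, assumed here), or None for any other URL."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) < 6 or parts[:2] != ["auth", "realms"] or parts[3] != "broker" \
            or parts[5] != "endpoint":
        return None
    if len(parts) == 6:
        return parts[2], parts[4], None
    if len(parts) == 8 and parts[6] == "clients":
        return parts[2], parts[4], parts[7]
    return None

def check_setup(keycloak_base, realm, idp_alias, client_sso_name, client_acs_url, okta_sso_url):
    """Return findings as 'code: explanation'; an empty list means the wiring matches the
    working setup: ACS URL -> the app, Okta SSO URL -> broker endpoint /clients/<name>."""
    findings = []
    kc_host = urlparse(keycloak_base).netloc
    # The ACS URL is where Keycloak posts the final assertion. Pointing it back at
    # Keycloak's own broker endpoint is the redirect loop reported earlier in the thread.
    if urlparse(client_acs_url).netloc == kc_host and parse_broker_endpoint(client_acs_url):
        findings.append("acs-loop: ACS URL targets the Keycloak broker endpoint, not the app")
    parsed = parse_broker_endpoint(okta_sso_url)
    if urlparse(okta_sso_url).netloc != kc_host or parsed is None:
        expected = broker_idp_initiated_url(keycloak_base, realm, idp_alias, client_sso_name)
        findings.append(f"not-broker-endpoint: Okta SSO URL should be {expected}")
        return findings
    okta_realm, okta_alias, okta_name = parsed
    if (okta_realm, okta_alias) != (realm, idp_alias):
        findings.append("realm-alias-mismatch: Okta SSO URL names a different realm or IDP alias")
    if okta_name is None:
        findings.append("missing-client-name: without /clients/<IDP Initiated SSO URL Name> "
                        "Keycloak has no client to forward the brokered login to")
    elif okta_name != client_sso_name:
        findings.append("sso-name-mismatch: /clients/ segment differs from the client's SSO URL Name")
    return findings
```

Running `check_setup(KEYCLOAK, "tenant1", "okta", "some-value", "http://myapp/saml", WORKING_OKTA_SSO_URL)` returns no findings, while passing `LOOPING_ACS_URL` as the ACS URL reproduces the loop finding.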

