[keycloak-user] IDP Initiated Login

Bill Burke bburke at redhat.com
Fri Feb 24 09:09:38 EST 2017



On 2/23/17 9:14 PM, John D. Ament wrote:
> After I sent this email, it dawned on me what #4 was.  I was able to 
> get IDP initiated working.  Here's what my setup looks like.  So I'm 
> interested, is this correct, is this too much?
>
> - Create an IDP for Okta.
>
> - App Client:
>   - This represents the real application, receiving the final assertion.
>   - Client Protocol: SAML
>   - IDP Initiated SSO Name: some-value
>   - Assertion Consumer Service POST Binding URL: 
> http://myapp/saml (the /saml comes from the wildfly SAML adapter)
>
> Within Okta, I'm entering a URL like this:
>
> http://mykeycloak/auth/realms/<<realm>>/broker/<<alias>>/endpoint/clients/<<some-value>>
>
> Where:
>
> realm: your realm, e.g. tenant1 in my case
> alias: the value of the "alias" field from your IDP
> some-value: the IDP Initiated SSO Name value from above
>
> After doing this, I'm able to confirm that the principal is coming 
> from Keycloak properly.  I'm assuming based on this, I can only do 
> this via the SAML adapter, not the OIDC connector.
>
Correct, no OIDC.  Reason?  It's the OAuth protocol.  OAuth only allows
the client to initiate authentication.

Bill
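The setup John describes ends with Keycloak posting a SAML Response to the application's Assertion Consumer Service (http://myapp/saml, HTTP-POST binding), and because the flow is IdP-initiated the application never sent an AuthnRequest, so it has no InResponseTo to correlate against. The following is an added example, not code from the thread or from Keycloak, showing the URL John configures in Okta built from its parts, and the checks an ACS should still apply to an unsolicited response before trusting the NameID. The issuer value (http://mykeycloak/auth/realms/tenant1), the audience value ("myapp"), the user name and the whole sample response are constructed assumptions for this example; signature verification is out of scope here and must run before these checks in real code.

```python
"""Added example: building Keycloak's IdP-initiated broker URL (format as
quoted in the thread) and validating the SAML Response that the app's ACS
receives at the end of the flow. Sample data below is constructed."""
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlError(Exception):
    pass


def broker_sso_url(keycloak_base, realm, idp_alias, sso_name):
    """URL entered in Okta, in the shape quoted in the thread:
    .../realms/<realm>/broker/<alias>/endpoint/clients/<IDP Initiated SSO Name>."""
    q = lambda s: urllib.parse.quote(s, safe="")
    return (f"{keycloak_base.rstrip('/')}/auth/realms/{q(realm)}"
            f"/broker/{q(idp_alias)}/endpoint/clients/{q(sso_name)}")


def _parse_time(s):
    """SAML timestamps are UTC ISO 8601, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise SamlError(f"bad timestamp {s!r}")


def validate_post_binding(saml_response_b64, expected_acs, expected_issuer,
                          expected_audience, now):
    """Decode the SAMLResponse form field (HTTP-POST binding) and check it.
    Assumes the XML signature has already been verified against the realm's
    signing certificate. Returns the NameID or raises SamlError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    # IdP-initiated: the SP sent no AuthnRequest, so a present InResponseTo
    # cannot be correlated and indicates a replayed or mis-routed response.
    if root.get("InResponseTo"):
        raise SamlError("InResponseTo present on an unsolicited response")
    if root.get("Destination") != expected_acs:
        raise SamlError("Destination does not match this ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would need decryption first
        raise SamlError("no plaintext assertion")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        raise SamlError("unexpected assertion issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        raise SamlError("SubjectConfirmationData Recipient does not match this ACS")
    if scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
        raise SamlError("subject confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("assertion has no Conditions")
    if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise SamlError("audience restriction does not name this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlError("no NameID")
    return name_id


# Constructed sample: what Keycloak (issuer assumed) might post to the ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-02-24T14:09:38Z" Destination="http://myapp/saml">
  <saml:Issuer>http://mykeycloak/auth/realms/tenant1</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-24T14:09:38Z">
    <saml:Issuer>http://mykeycloak/auth/realms/tenant1</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://myapp/saml" NotOnOrAfter="2017-02-24T14:14:38Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-24T14:09:00Z" NotOnOrAfter="2017-02-24T14:14:38Z">
      <saml:AudienceRestriction><saml:Audience>myapp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
NOW = dt.datetime(2017, 2, 24, 14, 10, 0, tzinfo=dt.timezone.utc)


def check_sample(expected_acs="http://myapp/saml", expected_audience="myapp", skew_seconds=0):
    """Run the validator over the sample; 'ok:<NameID>' or 'rejected:<reason>'."""
    try:
        name_id = validate_post_binding(SAMPLE_RESPONSE_B64, expected_acs,
                                        "http://mykeycloak/auth/realms/tenant1",
                                        expected_audience,
                                        NOW + dt.timedelta(seconds=skew_seconds))
        return "ok:" + name_id
    except SamlError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(broker_sso_url("http://mykeycloak", "tenant1", "okta", "some-value"))
    print(check_sample())
    print(check_sample(expected_acs="http://other-app/saml"))
```

The point of the Destination, Recipient and Audience checks is that an IdP-initiated response carries no request to bind it to, so those fields are the only thing stopping an assertion minted for one SP from being replayed at another.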

