[keycloak-user] IDP Initiated Login

John D. Ament john.d.ament at gmail.com
Mon Feb 27 07:20:13 EST 2017


On Fri, Feb 24, 2017 at 9:09 AM Bill Burke <bburke at redhat.com> wrote:

>
>
> On 2/23/17 9:14 PM, John D. Ament wrote:
> > After I sent this email, it dawned on me what #4 was.  I was able to
> > get IDP initiated working.  Here's what my setup looks like.  So I'm
> > interested, is this correct, is this too much?
> >
> > - Create an IDP for Okta.
> >
> > - App Client:
> >   - This represents the real application, receiving the final assertion.
> >   - Client Protocol: SAML
> >   - IDP Initiated SSO Name: some-value
> >   - Assertion Consumer Service POST Binding URL: http://myapp/saml (the /saml comes from the wildfly SAML adapter)
> >
> > Within Okta, I'm entering a URL like this:
> >
> > http://mykeycloak/auth/realms/<<realm>>/broker/<<alias>>/endpoint/clients/<<some-value>>
> >
> > Where:
> >
> > realm: your realm, e.g. tenant1 in my case
> > alias: the value of the "alias" field from your IDP
> > some-value: the IDP Initiated SSO Name value from above
> >
> > After doing this, I'm able to confirm that the principal is coming
> > from Keycloak properly.  I'm assuming based on this, I can only do
> > this via the SAML adapter, not the OIDC connector.
> >
> Correct, no OIDC.  Reason?  It's the OAuth protocol.  OAuth only allows
> the client to initiate authentication.
>
>
I ended up raising a feature request.  I feel like there should be a way to
do this in keycloak, even if it involves tricking the client into believing
they initiated the request.  Is there a way to deploy both the OIDC and
SAML connectors?  I'd like to leverage the client side adapters
(javascript) but still support SAML.

Anyways, once the license file is in place on the doc repo, I plan to raise
a PR to clean up this guide.


> Bill
>
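As an added example (not code from the thread, Keycloak or the WildFly adapter), the broker URL from the setup above built with per-segment encoding, plus the checks the receiving app's ACS (http://myapp/saml) should run before trusting the principal. It assumes the Keycloak realm's SAML issuer is `http://mykeycloak/auth/realms/<realm>` and uses a constructed sample response; signature verification is left to the adapter.

```python
"""Helpers for the Keycloak-brokered, IDP-initiated SAML flow described above."""
import base64
from urllib.parse import quote
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def broker_idp_initiated_url(base, realm, alias, sso_name):
    """Build the URL the external IDP (Okta) posts to: the broker endpoint
    for <alias> in <realm>, targeting the client whose IDP Initiated SSO
    Name is <sso_name>. Each segment is percent-encoded so a value holding
    '/' or ' ' cannot escape its path segment."""
    segs = [quote(s, safe="") for s in (realm, alias, sso_name)]
    return (f"{base.rstrip('/')}/realms/{segs[0]}/broker/{segs[1]}"
            f"/endpoint/clients/{segs[2]}")


def check_saml_response(saml_response_b64, expected_acs, expected_issuer):
    """Sanity-check a posted SAMLResponse form field. Returns (ok, reason).
    Destination must equal the client's configured ACS POST-binding URL and
    Issuer must be the Keycloak realm that brokered the login (assumed
    issuer format: <auth-server>/realms/<realm>)."""
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"undecodable response: {exc}"
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != expected_acs:
        return False, f"Destination mismatch: {root.get('Destination')!r}"
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected_issuer:
        return False, f"Issuer mismatch: {issuer!r}"
    return True, "ok"


# Constructed sample: the minimal shape of a response posted to the ACS.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAMLP}"
  xmlns:saml="{SAML}" ID="_sample" Version="2.0"
  IssueInstant="2017-02-24T14:09:00Z" Destination="http://myapp/saml">
  <saml:Issuer>http://mykeycloak/auth/realms/tenant1</saml:Issuer>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print(broker_idp_initiated_url("http://mykeycloak/auth", "tenant1", "okta", "some-value"))
    print(check_saml_response(SAMPLE_RESPONSE, "http://myapp/saml",
                              "http://mykeycloak/auth/realms/tenant1"))
```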