[keycloak-user] Identity broker login SAMLResponse handling
Phillip Fleischer
pcfleischer at outlook.com
Sat Jul 29 05:03:17 EDT 2017
Hi,
We’re using keycloak for several authorization use cases already and are attempting to prototype some identity brokering with an external IdP application.
Our current configuration the user is logged in the external IdP which sends a POST with the SAMLResponse directly to our broker. It looks the appropriate solution is idp initiated configuration in the examples.
broker: external-idp-name
client and url name: saml-idp-initiated
https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
The challenge is that our client the posts yet another SAMLResponse either back to our broker or to the realm saml service.
These result in following results...
1 - {realmUrl}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
|—- infinite redirect loop POST SAMLResponses
2 - {realmUrl}/broker/{broker}/endpoint
|—- handleSamlResponse fails to validate “code” set to “relayState”.
3 - {realmUrl}/protocol/saml
|—- handles SAMLResponses as logout and fails.
It feels like we’re either totally missing the mark or this is a use case totally
not supported that we’re attempting to kluge together. Anyone have thoughts where we’re going conceptually wrong??
— Phil
More information about the keycloak-user
mailing list