[keycloak-user] IdP initiated SSO with Keycloak

Hynek Mlnarik hmlnarik at redhat.com
Fri Mar 24 03:50:30 EDT 2017


Are you using IdP-initiated login for brokered IdPs? [1] The URL for
IdP-initiated login should be this:
broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

[1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html

--Hynek

On Fri, Mar 24, 2017 at 1:49 AM, Michael Anthon
<michael.anthon at infoview.com.au> wrote:
> We are attempting to implement IdP initiated SSO, similar to what is outlined in this blog... https://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-relaystate-in-adfs-2-0/
>
> The main difference is that our SP is using openid to authenticate with Keycloak.
>
> So the configuration is like this...
>
> ADFS(fs.example.com) <---SAML---> Keycloak(kc.example.com) <---openid--->SP(app.example.com)
>
> The SP is set up as a client in a Realm in Keycloak and the ADFS is set up as an identity provider.
>
> In ADFS, Keycloak is set up as a Relying Party.
>
> The intent here is that we can provide the end user with a URL that they can access that will send them to their ADFS portal to login (if required) and have them end up in the application without them having to do anything in Keycloak.
>
> The URL according to the article will be something like
> https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fkc.example.com%252Fauth%252Frealms%252Frealmid%26RelayState%3Dhttps%253A%252F%252Fapp.example.com%252F
>
> I have been able to set up a standard IdP login via these servers; however, the situation is that we will have multiple clients accessing the system and we are not allowed to expose who our clients are, so we will need to edit the login templates and remove the IdP buttons, which is why I'm looking for an IdP initiated solution.
>
> Currently when I attempt this I don't end up in the right place in Keycloak but instead end up at https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint
>
> I'm wondering if anyone has done this and has any pointers on configuring this correctly (or indeed if I'm barking up the wrong tree and it's not possible).
>
> Thanks,
> Michael
>



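The two URLs discussed in this thread are easy to get subtly wrong: the ADFS RelayState carries a second, nested query string (RPID plus an inner RelayState) that must be percent-encoded twice, and the Keycloak target has to be the brokered IdP-initiated endpoint (.../broker/{idp-name}/endpoint/clients/{client-id}) rather than the bare .../endpoint that Michael lands on. The following Python is an added example, not code from the thread or from Keycloak/ADFS; it builds both URLs with the standard library and decodes an existing ADFS link back into its parts so a configured URL can be checked before it is handed to users. The realm "realmid", the IdP alias "infoview" and the hosts come from the thread; the client id "my-client" is a placeholder.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# ADFS IdP-initiated sign-on URL from the thread (used below to check the builder).
PAGE_ADFS_URL = (
    "https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState="
    "RPID%3Dhttps%253A%252F%252Fkc.example.com%252Fauth%252Frealms%252Frealmid"
    "%26RelayState%3Dhttps%253A%252F%252Fapp.example.com%252F"
)


def build_keycloak_idp_initiated_url(broker_root, realm, idp_alias, client_id):
    """Keycloak IdP-initiated login endpoint for a brokered IdP, as given in the reply:
    broker-root/auth/realms/{realm}/broker/{idp}/endpoint/clients/{client-id}.
    Each segment is percent-encoded so a '/' in a name cannot add path components."""
    seg = lambda s: quote(s, safe="")  # safe="" also encodes '/'
    return (
        f"{broker_root.rstrip('/')}/auth/realms/{seg(realm)}"
        f"/broker/{seg(idp_alias)}/endpoint/clients/{seg(client_id)}"
    )


def build_adfs_idp_initiated_url(adfs_host, rpid, relay_state):
    """ADFS idpinitiatedsignon.aspx URL with a nested RelayState.
    Inner query string: RPID=<relying party id>&RelayState=<where ADFS should send the user>.
    That whole string is then encoded again as the outer RelayState parameter,
    which is why the ':' and '/' of the inner URLs appear as %253A and %252F."""
    inner = urlencode({"RPID": rpid, "RelayState": relay_state})  # first encoding pass
    outer = urlencode({"RelayState": inner})                      # second encoding pass
    return f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?{outer}"


def decode_adfs_relay_state(url):
    """Reverse the double encoding: returns (RPID, inner RelayState).
    Useful for checking a link someone else built before publishing it."""
    outer = parse_qs(urlsplit(url).query)         # one decoding pass
    inner = parse_qs(outer["RelayState"][0])      # second decoding pass
    return inner["RPID"][0], inner["RelayState"][0]


def build_thread_setup_url(client_id="my-client"):
    """The link the thread is after: ADFS -> Keycloak brokered IdP-initiated endpoint
    for the given client. client_id is a placeholder, not a value from the thread."""
    kc_target = build_keycloak_idp_initiated_url(
        "https://kc.example.com", "realmid", "infoview", client_id
    )
    return build_adfs_idp_initiated_url(
        "fs.example.com", "https://kc.example.com/auth/realms/realmid", kc_target
    )


if __name__ == "__main__":
    print(decode_adfs_relay_state(PAGE_ADFS_URL))
    print(build_thread_setup_url())
```

Decoding the URL from the original post shows its inner RelayState points at https://app.example.com/, i.e. straight at the OIDC application, which ADFS has no way to redirect to; build_thread_setup_url instead places the Keycloak brokered endpoint there, which is the change the reply suggests.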


