[keycloak-user] Questions around keycloak IdP initiated flow

Bhavana Motwani bhavana at browserstack.com
Thu Dec 20 12:59:28 EST 2018


Hi all

We are using keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows.

We are using Auth0 as the external IdP for test purposes.

We have managed the SP-initiated flow successfully, but we are facing
issues with the IdP-initiated flow. I was hoping you could help.

1. Will the external IdP need two separate clients to connect to our
keycloak instance, one for SP-initiated and the other for IdP-initiated? PFA the metadata
we generated for the SP-initiated flow. The SingleLogoutService.Location and
AssertionConsumerService.Location are
'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint'

But, for the IdP-initiated flow, we are having to replace the above with
'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint/clients/{client-name}'

This would result in 2 clients on the external IdP side.
Is there a way to avoid this?

2. With the IdP initiated flow, we are also facing issues with backchannel
logout. It gives a certificate issue. What certificate does keycloak
expect? The SP client's or the external IdP's?

Any help will be appreciated!
Thank you once again.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bs_oracle_shaktimaan.xml
Type: text/xml
Size: 2226 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181220/5e179a4c/attachment-0001.xml 
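As an added example (not part of the original mail and not Keycloak's own code), the script below parses Keycloak-generated SP metadata such as the attached file and reports whether each AssertionConsumerService/SingleLogoutService location is the plain broker endpoint (SP-initiated flow) or the `/clients/{client-name}` form (IdP-initiated flow), and whether it points at the expected host, so the metadata handed to the external IdP can be checked before a second client is registered. The sample metadata is constructed from the URLs quoted above (the `my-app` client name is a placeholder); the regex for the broker endpoint shape is an assumption based on those URLs.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Endpoint shapes quoted in the mail; the optional /clients/{client-name}
# suffix is the form used for the IdP-initiated flow (assumed pattern).
BROKER_RE = re.compile(
    r"^https://(?P<host>[^/]+)/auth/realms/(?P<realm>[^/]+)"
    r"/broker/(?P<alias>[^/]+)/endpoint(?:/clients/(?P<client>[^/?#]+))?/?$"
)

def classify_location(url, expected_host):
    """Say which flow a Location serves and reject hosts other than ours."""
    m = BROKER_RE.match(url or "")
    if not m or m.group("host") != expected_host:
        return {"kind": "unexpected", "alias": None, "client": None}
    kind = "idp-initiated" if m.group("client") else "sp-initiated"
    return {"kind": kind, "alias": m.group("alias"), "client": m.group("client")}

def inspect_sp_metadata(xml_text, expected_host):
    """Collect ACS and SLO locations from SP metadata and classify each one."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    out = {"entity_id": root.get("entityID"), "acs": [], "slo": []}
    for tag, key in (("AssertionConsumerService", "acs"), ("SingleLogoutService", "slo")):
        for el in sp.findall(f"md:{tag}", NS):
            info = classify_location(el.get("Location"), expected_host)
            info["binding"] = el.get("Binding")
            out[key].append(info)
    return out

def flows_served(report):
    """Distinct flow kinds advertised by the ACS endpoints."""
    return sorted({a["kind"] for a in report["acs"]})

# Constructed sample shaped like the attached metadata; 'my-app' is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://shaktimaanhub.bsstag.com/auth/realms/browserstack">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"
        Location="https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="2"
        Location="https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint/clients/my-app"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    rep = inspect_sp_metadata(SAMPLE, "shaktimaanhub.bsstag.com")
    for a in rep["acs"]:
        print(a["kind"], a["alias"], a["client"])
    print(flows_served(rep))
```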