3:06 a.m.
Hi Keycloak team,
I'm working on a system which uses Keycloak as a broker to both OIDC and
SAML2.0 IdPs. We are using `kc_idp_hint` for every request and Keycloak is
never exposed to the user. The system uses OIDC to connect to Keycloak.
We would like to pass a `login_hint` or `subject` upstream to IdPs
(depending if it's OIDC or SAML) as we expect to know the user's IdP user
name, but this does not work out of the box. I can't see anything in the
documentation that would enable it.
Is it possible? If so how?
Many thanks for any help or pointers you can give.
Peter Chamberlin
9:21 p.m.
It doesn't seem it is possible ATM. The possibility is, that you create
your own implementation of identityProvider and you override method :
createAuthorizationUrl(AuthenticationRequest request)
The parameters of the original request, which was sent from your application to Keycloak,
are available from the clientSession notes (which itself is available on the
AuthenticationRequest).
Marek
On 07/12/16 19:06, Peter Chamberlin wrote:
Hi Keycloak team,
I'm working on a system which uses Keycloak as a broker to both OIDC and
SAML2.0 IdPs. We are using `kc_idp_hint` for every request and Keycloak is
never exposed to the user. The system uses OIDC to connect to Keycloak.
We would like to pass a `login_hint` or `subject` upstream to IdPs
(depending if it's OIDC or SAML) as we expect to know the user's IdP user
name, but this does not work out of the box. I can't see anything in the
documentation that would enable it.
Is it possible? If so how?
Many thanks for any help or pointers you can give.
Peter Chamberlin
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:37 p.m.
Hi Marek,
Thank you for your response. That's kind of what we thought.
Would this be something that might be accepted into the core of Keycloak if
we developed it as a configurable option?
All the best,
Peter
On 8 December 2016 at 12:21, Marek Posolda <mposolda(a)redhat.com> wrote:
It doesn't seem it is possible ATM. The possibility is, that you
create
your own implementation of identityProvider and you override method :
createAuthorizationUrl(AuthenticationRequest request)
The parameters of the original request, which was sent from your application to Keycloak,
are available from the clientSession notes (which itself is available on the
AuthenticationRequest).
Marek
On 07/12/16 19:06, Peter Chamberlin wrote:
Hi Keycloak team,
I'm working on a system which uses Keycloak as a broker to both OIDC and
SAML2.0 IdPs. We are using `kc_idp_hint` for every request and Keycloak is
never exposed to the user. The system uses OIDC to connect to Keycloak.
We would like to pass a `login_hint` or `subject` upstream to IdPs
(depending if it's OIDC or SAML) as we expect to know the user's IdP user
name, but this does not work out of the box. I can't see anything in the
documentation that would enable it.
Is it possible? If so how?
Many thanks for any help or pointers you can give.
Peter Chamberlin
_______________________________________________
keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
10:28 p.m.
If you use login_hint + add an option to an IdP "pass login_hint", and also
remember to write some tests for it, we'd gladly accept it.
On 8 December 2016 at 15:37, Peter Chamberlin <
peter.chamberlin(a)digital.cabinet-office.gov.uk> wrote:
Hi Marek,
Thank you for your response. That's kind of what we thought.
Would this be something that might be accepted into the core of Keycloak if
we developed it as a configurable option?
All the best,
Peter
On 8 December 2016 at 12:21, Marek Posolda <mposolda(a)redhat.com> wrote:
> It doesn't seem it is possible ATM. The possibility is, that you create
> your own implementation of identityProvider and you override method :
>
> createAuthorizationUrl(AuthenticationRequest request)
>
> The parameters of the original request, which was sent from your
application to Keycloak, are available from the clientSession notes (which
itself is available on the AuthenticationRequest).
>
> Marek
>
>
> On 07/12/16 19:06, Peter Chamberlin wrote:
>
> Hi Keycloak team,
>
> I'm working on a system which uses Keycloak as a broker to both OIDC and
> SAML2.0 IdPs. We are using `kc_idp_hint` for every request and Keycloak
is
> never exposed to the user. The system uses OIDC to connect to Keycloak.
>
> We would like to pass a `login_hint` or `subject` upstream to IdPs
> (depending if it's OIDC or SAML) as we expect to know the user's IdP user
> name, but this does not work out of the box. I can't see anything in the
> documentation that would enable it.
>
> Is it possible? If so how?
>
> Many thanks for any help or pointers you can give.
>
> Peter Chamberlin
> _______________________________________________
> keycloak-dev mailing listkeycloak-dev@lists.jboss.orghttps://
lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2703
days inactive
2708
days old
3 comments
3 participants
participants (3)
-
Marek Posolda -
Peter Chamberlin -
Stian Thorgersen