IDP Initiated SSO means that the login is unsolicited, meaning that the
application did not initiate the login. OAuth protocol (and thus OIDC)
does not support this. The application has to initiate the login. I'm
not sure exactly what you're trying to do, but if you just want a page
where you can see a list of apps that you can visit, you can just create
a simple static web page with links to your apps formatted and pretty as
you want it.
Some IDPs or apps,
I think, require SAML IDP Initiated SSO
and don't support the regular login protocol.
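The workaround described above (a link into the application, which then redirects to Keycloak) as an added example; this is not code from the thread or from Keycloak. It shows the relying-party side in Python: a "launch" handler that starts a normal OIDC authorization-code flow with state, nonce and PKCE bound to a one-time record, remembers which page the user was sent to log in for, and rejects any callback it did not initiate, has already consumed, or that has expired. The issuer, client id, redirect URI, the launch path and the dict-backed store are assumptions made for the example.

```python
"""Portal link -> app "launch" URL -> Keycloak (OIDC authorization code + PKCE).

OIDC/OAuth have no unsolicited (IdP-initiated) login, so the portal links
INTO the application.  The application starts a normal code flow, records
where the user wanted to go, and binds state/nonce/PKCE to that record so
it can reject any response it did not ask for.

Issuer, client id, redirect URI and the dict-backed store are assumptions
made for this example; they are not the thread's or Keycloak's settings.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://keycloak.example/auth/realms/tenant1"  # assumed realm URL
CLIENT_ID = "my-app"                                     # assumed OIDC client
REDIRECT_URI = "https://app.example/oidc/callback"       # assumed callback
STATE_TTL_SECONDS = 300


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE verifier (RFC 7636)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def safe_target(path: str) -> str:
    """Only relative, same-site targets: the launch link must not become an
    open redirect that bounces a freshly logged-in user to another host."""
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return "/"
    return path


def auth_request_params(url: str) -> dict:
    """Flatten the query string of an authorization or callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(target_path: str, store: dict, now=None) -> str:
    """Handler for the app's launch URL (e.g. /launch?to=/reports, assumed).
    Creates a one-time record keyed by state and returns the URL to send the
    browser to; the portal's "link to the app" points at the launch URL."""
    now = time.time() if now is None else now
    state = _b64url(secrets.token_bytes(32))
    nonce = _b64url(secrets.token_bytes(32))
    verifier = _b64url(secrets.token_bytes(32))
    store[state] = {
        "nonce": nonce,             # later compared with the ID token's nonce claim
        "code_verifier": verifier,  # sent with the code at the token endpoint
        "target": safe_target(target_path),
        "created": now,
        "used": False,
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(callback_url: str, store: dict, now=None) -> dict:
    """Validate the redirect back from Keycloak before exchanging the code.
    Returns what the token exchange needs plus the remembered target, or
    raises ValueError for an unsolicited, expired or replayed response."""
    now = time.time() if now is None else now
    qs = auth_request_params(callback_url)
    if "error" in qs:
        raise ValueError("authorization error: " + qs["error"])
    state, code = qs.get("state"), qs.get("code")
    if not state or not code:
        raise ValueError("missing state or code")
    rec = store.get(state)
    if rec is None:
        # No login was started here with this state: this is exactly the
        # unsolicited (IdP-initiated) response an OIDC relying party rejects.
        raise ValueError("unknown state: unsolicited response rejected")
    if rec["used"]:
        raise ValueError("state already consumed: replay rejected")
    if now - rec["created"] > STATE_TTL_SECONDS:
        raise ValueError("login attempt expired")
    rec["used"] = True
    return {"code": code, "code_verifier": rec["code_verifier"],
            "nonce": rec["nonce"], "target": rec["target"]}
```

After `handle_callback` succeeds, the application posts `code` and `code_verifier` to the realm's token endpoint and checks that the `nonce` claim of the returned ID token equals the stored one before redirecting the browser to `target`; that exchange needs a live Keycloak and is left out here. The stored record, not the URL, decides where the user lands, which is what keeps the portal link from being used as an open redirect.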
On 2/22/17 10:18 PM, John D. Ament wrote:
Ok, I must have fat fingered there at the end. Sorry.
With that said, assuming that I want IDP initiated login, it seems
like what I have to do is:
- Create a SAML client in Keycloak for my application.
- Follow the IDP initiated flow from
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
- Point my IDP to the endpoint that gets generated in here.
As a result, it seems like I don't have to even create a SAML IDP in
Keycloak, unless that somehow gets used for SP initiated.
John
On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament@gmail.com> wrote:
This is the part that's confusing me. What do you mean by a "URL
somewhere that links to your app which will then redirect to
keycloak"?
Are you talking about triggering the inbound IDP initiated by
first calling into my app?
If I look at (Okta for instance) they actually have a portal-like
site that users can leverage to directly link to their apps. The
links generated here are doing IDP initiated SSO, by triggering
SAML in the broker then the broker is expected to forward to the
client (and mind you, I know very little about SAML, but this is
how I'm seeing it behave in the browser).
With that said, assum
On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke@redhat.com> wrote:
OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
create a URL somewhere that links to your app which will then redirect
to Keycloak.
On 2/22/17 8:23 PM, John D. Ament wrote:
> Looks like I answered half of my question -
>
> https://issues.jboss.org/browse/KEYCLOAK-4454
>
> Seems like it will only work if I'm using SAML.
>
> John
>
> On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament@gmail.com>
> wrote:
>
>> Changing the subject to be a bit clearer about the problems.
>>
>> I think I'm understanding a bit further when reading through
>>
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
>>
>> - It seems like my application has to be SAML. I cannot do an OIDC-based
>> solution.
>> - First thing I have to do is add IDP Initiated SSO URL Name to my
>> application.
>> - The confusing part is about if my application requires... this seems a
>> bit odd, since I'm using the Keycloak adapter, but sure.
>> - The part that's missing is what gets set up in the actual broker. You
>> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>> general these look like Keycloak-specific parameters.
>>
>> Any thoughts?
>>
>> John
>>
>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament@gmail.com>
>> wrote:
>>
>> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>> when I sent this mail out.
>>
>> I'm going through this doc, and it's not clear to me on a few areas:
>>
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
>>
>> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>> have a link on the Okta portal to login automatically to my SP.
>> - I think the webpage is saying that this only works if I'm using the SAML
>> connector for Keycloak, is that accurate?
>> - All of my Okta settings are from getting SP initiated working. Do any
>> of those need to change?
>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>
>> John
>>
>>
>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament@gmail.com>
>> wrote:
>>
>> Hi
>>
>> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>> authenticate (both SP initiated and IdP initiated) it fails with this error:
>>
>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>> (default task-7) staleCodeMessage
>>
>> I suspect it's a setup issue on my side, so was hoping someone else has
>> tried this and can give tips. I even tried the import feature, no luck.
>>
>> John
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user