Re: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Isn’t this like my question: http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html and bug report: https://issues.jboss.org/browse/KEYCLOAK-3731 If you're trying to do IDP-initiated SSO starting from the external IDP, that's not something we support. It seems that that’s exactly what we are attempting. Why shouldn’t that be supported and what does that mean for my bug report (which was already worked on)? On 13 Nov 2016, at 15:06, Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>> wrote: So, you: 1. visit the IDP-initiated SSO URL on keycloak 2. Select an external IDP to login from on the Keycloak login page 3. Login to the external IDP 4. Failure? Sounds like a bug. If you're trying to do IDP-initiated SSO starting from the external IDP, that's not something we support. On 11/11/16 11:13 PM, Josh Cain wrote: Hi all, I'm attempting an IDP-initiated SSO (via unsolicited SAML Request) against the Keycloak broker service. However, it's failing every time on the IdentityBrokerService.authenticated(..) method. I get the following error on the console: 22:05:04,945 ERROR [org.keycloak.services] (default task-61) staleCodeMessage This method seems to think that clients should *always* visit the Keycloak IDP before returning with a SAML assertion, a the failure to retrieve an associated client session is causing a serious issue. I am able to successfully use the identity brokering functions if I use an SP-initiated flow, so I know the brokering piece is configured correctly. Is this a limitation in the current implementation, or do I have something configured incorrectly? _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user