On 2/23/17 9:14 PM, John D. Ament wrote:
After I sent this email, it dawned on me what #4 was. I was able to
get IDP initiated working. Here's what my setup looks like. So I'm
interested, is this correct, is this too much?
- Create an IDP for Okta.
- App Client:
  - This represents the real application, receiving the final assertion.
  - Client Protocol: SAML
  - IDP Initiated SSO Name: some-value
  - Assertion Consumer Service POST Binding URL:
    http://myapp/saml (the /saml comes from the wildfly SAML adapter)
Within Okta, I'm entering a URL like this:
http://mykeycloak/auth/realms/<<realm>>/broker/<<alias&...
Where:
realm: your realm, e.g. tenant1 in my case
alias: the value of the "alias" field from your IDP
some-value: the IDP Initiated SSO Name value from above
After doing this, I'm able to confirm that the principal is coming
from Keycloak properly. I'm assuming based on this, I can only do
this via the SAML adapter, not the OIDC connector.
Correct, no OIDC. Reason? It's the OAuth protocol. OAuth only allows
the client to initiate authentication.
Bill
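For reference, here is how the App Client fields John lists map onto a Keycloak SAML client representation of the kind found in a realm export/import (an added example, not from this thread or from the Keycloak project); the SSO name and ACS URL are the values given above, while the clientId, the redirect URI and the two signing attributes are assumptions.

```json
{
  "clientId": "myapp",
  "protocol": "saml",
  "enabled": true,
  "redirectUris": ["http://myapp/*"],
  "attributes": {
    "saml_idp_initiated_sso_url_name": "some-value",
    "saml_assertion_consumer_url_post": "http://myapp/saml",
    "saml.server.signature": "true",
    "saml.assertion.signature": "true"
  }
}
```

Because an IdP-initiated response arrives at the ACS unsolicited, with no AuthnRequest for the adapter to match it against, the signature on the document and assertion is the control the adapter relies on, which is why those two flags are worth confirming on the real client.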