Re: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Well, it seems we do :-) In our case we have an existing desktop application with its own user management (IdP A) which posts signed SAML responses to our webapplication. We would like to migrate to an IdP setup using KeyCloak, with our webapplication as a client of KeyCloak (IdP B). Since IdP A is a desktop application, only the IdP- initiated flow is viable. > > On 14 Nov 2016, at 15:32, Bill Burke <bburke(a)redhat.com&gt; wrote: > > This is not a bug, its a feature request.  The IDP-SSO-Initiated > link is  > not set up to process SAML requests.  I didn't even think that > people  > would want to do a broker initiated sso. > > > On 11/14/16 9:23 AM, Josh Cain wrote: > > > > @Chris - yep, exactly the same thing.  Thanks for pointing me to > > the > > right bug, I'll continue discussion there! > > On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: > > > > > > Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an > > > IdP- > > > initiated SSO from IdP A to > > > IdP B (after which we can do all sorts of things with the > > > authenticators). > > > > > > Stian called this a bug (set for 2.4.1.Final now), but it seems > > > you’re saying this is not supported? > > > This causes me some confusion, can you clarify? > > > > > > Thanks, > > > Chris > > > > > > > > > > > On 13 Nov 2016, at 15:49, Bill Burke <bburke(a)redhat.com&gt; > > > > wrote: > > > > > > > > So, you have Application FOOBAR which is secured by IDP > > > > 'B'.  You > > > > want > > > > to register an IDP initiated SSO link on IDP 'A' that > > > > redirects to > > > > IDP > > > > 'B' that redirects to Application FOOBAR?  That's not > > > > something we > > > > support at the moment. > > > > > > > > > > > > > > > > On 11/13/16 9:16 AM, Chris Brandhorst wrote: > > > > > > > > > > Isn’t this like my question: > > > > > http://lists.jboss.org/pipermail/keycloak-user/2016-October > > > > > /00793 > > > > > 5.html > > > > > > > > > > and bug report: > > > > > https://issues.jboss.org/browse/KEYCLOAK-3731 > > > > > > > > > > If you're trying to do IDP-initiated SSO starting from the > > > > > external IDP, > > > > > that's not something we support. > > > > > It seems that that’s exactly what we are attempting. Why > > > > > shouldn’t that be > > > > > supported and what does that mean for my bug report (which > > > > > was > > > > > already > > > > > worked on)? > > > > > > > > > > On 13 Nov 2016, at 15:06, Bill Burke <bburke(a)redhat.com&lt;mai > > > > > lto:bb > > > > > urke(a)redhat.com&gt;&gt; wrote: > > > > > > > > > > So, you: > > > > > > > > > > 1. visit the IDP-initiated SSO URL on keycloak > > > > > > > > > > 2. Select an external IDP to login from on the Keycloak > > > > > login > > > > > page > > > > > > > > > > 3. Login to the external IDP > > > > > > > > > > 4. Failure? > > > > > > > > > > Sounds like a bug. > > > > > > > > > > If you're trying to do IDP-initiated SSO starting from the > > > > > external IDP, > > > > > that's not something we support. > > > > > > > > > > > > > > > On 11/11/16 11:13 PM, Josh Cain wrote: > > > > > Hi all, > > > > > > > > > > I'm attempting an IDP-initiated SSO (via unsolicited SAML > > > > > Request) > > > > > against the Keycloak broker service.  However, it's failing > > > > > every > > > > > time > > > > > on the IdentityBrokerService.authenticated(..) method.  I > > > > > get the > > > > > following error on the console: > > > > > > > > > > 22:05:04,945 ERROR [org.keycloak.services] (default task- > > > > > 61) > > > > > staleCodeMessage > > > > > > > > > > This method seems to think that clients should *always* > > > > > visit the > > > > > Keycloak IDP before returning with a SAML assertion, a the > > > > > failure to > > > > > retrieve an associated client session is causing a serious > > > > > issue.  I am > > > > > able to successfully use the identity brokering functions > > > > > if I > > > > > use an > > > > > SP-initiated flow, so I know the brokering piece is > > > > > configured > > > > > correctly. > > > > > > > > > > Is this a limitation in the current implementation, or do I > > > > > have > > > > > something configured incorrectly? > > > > > > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jb > > > > > oss.or > > > > > g> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user