The account page doesn't support SAML, only OIDC.
To achieve what you want we'd have to add idp_hint query param support to
the account page and make it include that in its authentication request.
Would be pretty simple to do. You can create a JIRA feature request for it.
Even better if it came with a PR including tests.
On 6 February 2017 at 16:41, Mark Pardijs <mark.pardijs(a)topicus.nl> wrote:
Hi,
I want to give my users the possibility to edit their account settings
from a federated IdP. Is there a way to do an IdP initiated SSO from a
federated IdP which links directly to the account page at
{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?
As far as I can see, I have to do the following steps:
1. In the ‘master’ keycloak: add a new SAML client with URL
{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no
such thing as ‘OpenID Connect IdP initiated SSO’ as far as I can see)
2. In the federated IdP: send a SAMLResponse to
http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}
The login goes successfully, but after login I see a 403 “Failed executing
POST /realms/master/account” error, since the account page doesn’t accept
POST requests. If I refresh the browser window which is pointing at the
account page all is well, since this last request is a GET request. (See
http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html
for the same question about POST/GET)
I could make a third client whose only function is showing a link to the
account page but don’t know if this is the right way to go.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
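A sketch of what the reply describes: the account page reading an IdP hint from its own URL and carrying it on its OIDC authentication request, so the broker login is pre-selected instead of relying on SAML IdP-initiated SSO. This is an added example, not Keycloak's code; `kc_idp_hint` is the parameter Keycloak's login endpoint accepts, while the server URL, realm, client id and broker aliases are constructed values.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values; not taken from a real deployment.
KEYCLOAK_SERVER_URL = "https://sso.example.test"
REALM = "demo"
ACCOUNT_CLIENT_ID = "account"
# Aliases of the identity providers actually configured as brokers in the realm.
KNOWN_IDP_ALIASES = {"corp-saml", "partner-oidc"}


def pick_idp_hint(account_url: str) -> Optional[str]:
    """Return the kc_idp_hint value from the account page URL, or None.

    Only an alias configured in the realm is accepted, so an arbitrary
    user-supplied value cannot steer the login to an unexpected provider.
    """
    params = parse_qs(urlsplit(account_url).query)
    hint = params.get("kc_idp_hint", [None])[0]
    return hint if hint in KNOWN_IDP_ALIASES else None


def build_auth_request(account_url: str, state: Optional[str] = None,
                       nonce: Optional[str] = None) -> str:
    """Build the OIDC authorization request the account page would redirect to.

    Keycloak's login endpoint honours kc_idp_hint by skipping the login form
    and sending the browser straight to the named broker. state and nonce are
    generated here and must be checked again on the callback.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    redirect_uri = f"{KEYCLOAK_SERVER_URL}/auth/realms/{REALM}/account"
    params = {
        "client_id": ACCOUNT_CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    hint = pick_idp_hint(account_url)
    if hint:
        params["kc_idp_hint"] = hint
    return (f"{KEYCLOAK_SERVER_URL}/auth/realms/{REALM}"
            f"/protocol/openid-connect/auth?{urlencode(params)}")
```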