Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-initiated SSO from IdP A to IdP B (after which we can do all sorts of things with the authenticators).
Stian called this a bug (set for 2.4.1.Final now), but it seems you’re saying this is not supported?
This causes me some confusion, can you clarify?
Thanks,
Chris
On 13 Nov 2016, at 15:49, Bill Burke <bburke(a)redhat.com> wrote:
So, you have Application FOOBAR which is secured by IDP 'B'. You want
to register an IDP initiated SSO link on IDP 'A' that redirects to IDP
'B' that redirects to Application FOOBAR? That's not something we
support at the moment.
On 11/13/16 9:16 AM, Chris Brandhorst wrote:
> Isn’t this like my question:
>
> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>
> and bug report:
>
> https://issues.jboss.org/browse/KEYCLOAK-3731
>
> If you're trying to do IDP-initiated SSO starting from the external IDP,
> that's not something we support.
> It seems that that’s exactly what we are attempting. Why shouldn’t that be
> supported and what does that mean for my bug report (which was already
> worked on)?
>
> On 13 Nov 2016, at 15:06, Bill Burke <bburke@redhat.com> wrote:
>
> So, you:
>
> 1. visit the IDP-initiated SSO URL on keycloak
>
> 2. Select an external IDP to login from on the Keycloak login page
>
> 3. Login to the external IDP
>
> 4. Failure?
>
> Sounds like a bug.
>
> If you're trying to do IDP-initiated SSO starting from the external IDP,
> that's not something we support.
>
>
> On 11/11/16 11:13 PM, Josh Cain wrote:
> Hi all,
>
> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> against the Keycloak broker service. However, it's failing every time
> on the IdentityBrokerService.authenticated(..) method. I get the
> following error on the console:
>
> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
> staleCodeMessage
>
> This method seems to think that clients should *always* visit the
> Keycloak IDP before returning with a SAML assertion, and the failure to
> retrieve an associated client session is causing a serious issue. I am
> able to successfully use the identity brokering functions if I use an
> SP-initiated flow, so I know the brokering piece is configured
> correctly.
>
> Is this a limitation in the current implementation, or do I have
> something configured incorrectly?
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
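The failure Josh describes (an unsolicited SAML response arriving at the broker with no client session to match it) comes down to the broker binding every inbound assertion to a request it issued itself. The following is an added illustrative model of that check, written for this thread; it is not Keycloak's code, and the class, method names and the `RelayState` bookkeeping are assumptions chosen to mirror the SP-initiated versus IdP-initiated flows discussed above. It shows why the SP-initiated path succeeds and the unsolicited one is rejected, and why a broker would want that binding: the token proves the response answers a request this broker started, which is what stops an attacker-supplied assertion from being accepted as a fresh login for some other user's session.

```python
"""Illustrative broker model (not Keycloak's implementation).

An SP-initiated flow creates a client session *before* redirecting to the
external IdP and carries a one-time RelayState token. When the IdP posts the
SAML response back, the broker looks that token up; no match means the
response is unsolicited (IdP-initiated) and is rejected, which is the
"stale" condition reported in the thread.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Broker:
    # RelayState token -> client session the broker itself created
    sessions: Dict[str, dict] = field(default_factory=dict)

    def sp_initiated_redirect(self, client_id: str, external_idp: str) -> str:
        """Step 1 of the SP-initiated flow: record the client session and
        return the RelayState the redirect to the external IdP would carry."""
        relay_state = secrets.token_urlsafe(16)
        self.sessions[relay_state] = {"client_id": client_id, "idp": external_idp}
        return relay_state

    def authenticated(self, relay_state: Optional[str], assertion: dict) -> dict:
        """Handle a SAML response posted back by the external IdP.

        Mirrors the lookup the thread describes: without a client session
        that this broker created, the response cannot be tied to any
        in-progress login and is refused. The error label reuses the
        string from the thread; it is illustrative, not Keycloak's API."""
        if relay_state is None or relay_state not in self.sessions:
            return {"ok": False, "error": "staleCodeMessage"}
        session = self.sessions.pop(relay_state)  # one-time use: no replay
        if assertion.get("issuer") != session["idp"]:
            # Response came from a different IdP than the one we redirected to
            return {"ok": False, "error": "issuer_mismatch"}
        return {
            "ok": True,
            "client_id": session["client_id"],
            "subject": assertion["subject"],
        }


def simulate() -> Dict[str, dict]:
    """Run both flows against one broker and return their outcomes.

    The assertion payloads are constructed sample data."""
    broker = Broker()

    # SP-initiated: the broker starts the flow, so a session exists.
    relay = broker.sp_initiated_redirect("FOOBAR", "idp-a")
    sp_result = broker.authenticated(relay, {"issuer": "idp-a", "subject": "alice"})

    # IdP-initiated: the external IdP posts first; there is no RelayState
    # the broker recognises, so the session lookup fails.
    idp_result = broker.authenticated(None, {"issuer": "idp-a", "subject": "alice"})

    # Replaying the already-consumed RelayState is refused as well.
    replay_result = broker.authenticated(relay, {"issuer": "idp-a", "subject": "alice"})

    return {"sp_initiated": sp_result, "idp_initiated": idp_result, "replay": replay_result}


if __name__ == "__main__":
    for flow, outcome in simulate().items():
        print(f"{flow}: {outcome}")
```

Running `simulate()` shows the asymmetry directly: the SP-initiated response is accepted for client `FOOBAR`, while the unsolicited response and the replayed token both come back as `staleCodeMessage`. A broker that wanted to accept IdP-initiated logins would need a separately designed path for unsolicited responses rather than a relaxation of this lookup, since the lookup is what ties each assertion to a login the broker actually started.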