Hi,
1. I fear you're right. This is also how I read the specs. Unfortunately I haven't
got it working either.
1a. The workaround we're using is starting an SP-initiated login by passing the
"kc_idp_hint" in the IDP SSO link the user clicks. This starts an SP-initiated
login, automatically selects the right IDP provider, and because you're already logged
in there you automatically get logged in and redirected to the app you want to use.
2. You can have a look at: /realms/MYREALM/.well-known/openid-configuration and
/realms/MYREALM/broker/MYIDP/endpoint/descriptor
Best regards,
Tom
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Chris Stephens
Sent: Friday, 16 August 2019 18:01
To: keycloak-user(a)lists.jboss.org
Cc: Chris Savory <chris.savory(a)edlogics.com>
Subject: [keycloak-user] IdP Initiated SSO
Hello,
Thanks for the great product. We have set up several instances of keycloak as the SP
utilizing SP-Initiated SSO to external IdPs. Everything in that process is going smoothly.
We have an external IdP that wants us to use IdP-initiated SSO to connect to their IdP.
The current client protocol is openid-connect. We are using keycloak 5.0.
1. Is it possible for a keycloak service provider client using the openid-connect protocol
to perform IdP-initiated SSO? I believe we have to set the client up using the saml
protocol. Is this correct?
1a. If it is not possible, are there any workarounds that I can use? My app is using an
openid-connect public client. How can I use IdP-initiated SSO in this scenario?
2. We need to provide the IdP the public key used to sign the assertions. Are the keys
used to sign the assertions located in the keycloak admin console > realm settings >
keys > Providers tab?
Thanks,
Christopher Stephens
Software Engineer | EdLogics
chris.stephens(a)edlogics.com
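
The workaround in item 1a of the reply, sketched as an added example that is not part of the original thread: the link the external IdP shows points at an app endpoint that builds a fresh authorization request carrying `kc_idp_hint`, rather than at a static URL. The host names, client id, redirect URI and function names are assumptions; the authorization endpoint is assumed to be the `authorization_endpoint` value read from the realm's openid-configuration document, and PKCE is included because the app is a public client.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_idp_hint_login(authorization_endpoint, client_id, redirect_uri, idp_alias):
    """Build an authorization request that pre-selects one brokered IdP.

    Returns (url, pending); pending must be stored in the user's session.
    """
    state = secrets.token_urlsafe(32)           # binds the callback to this session
    nonce = secrets.token_urlsafe(32)           # must reappear in the ID token
    code_verifier = secrets.token_urlsafe(64)   # PKCE secret, 86 characters
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "kc_idp_hint": idp_alias,               # alias of the IdP to select
    }
    pending = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return authorization_endpoint + "?" + urlencode(params), pending


def code_from_callback(callback_url, pending):
    """Return the authorization code, refusing callbacks with a foreign state."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    # Constructed sample values; replace with the realm's real endpoint and client.
    url, pending = build_idp_hint_login(
        "https://sso.example.test/realms/MYREALM/protocol/openid-connect/auth",
        "my-app", "https://app.example.test/callback", "MYIDP")
    print(url)
```

The `code_verifier` in `pending` is sent with the later token request, and the `nonce` is compared against the claim in the returned ID token.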