This is not a bug, it's a feature request. The IDP-SSO-Initiated link is
not set up to process SAML requests. I didn't even think that people
would want to do a broker initiated sso.
On 11/14/16 9:23 AM, Josh Cain wrote:
@Chris - yep, exactly the same thing. Thanks for pointing me to the
right bug, I'll continue discussion there!
On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
> Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-
> initiated SSO from IdP A to
> IdP B (after which we can do all sorts of things with the
> authenticators).
>
> Stian called this a bug (set for 2.4.1.Final now), but it seems
> you’re saying this is not supported?
> This causes me some confusion, can you clarify?
>
> Thanks,
> Chris
>
>> On 13 Nov 2016, at 15:49, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> So, you have Application FOOBAR which is secured by IDP 'B'. You
>> want
>> to register an IDP initiated SSO link on IDP 'A' that redirects to
>> IDP
>> 'B' that redirects to Application FOOBAR? That's not something we
>> support at the moment.
>>
>>
>>
>> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>>> Isn’t this like my question:
>>>
>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>>>
>>> and bug report:
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-3731
>>>
>>> If you're trying to do IDP-initiated SSO starting from the
>>> external IDP,
>>> that's not something we support.
>>> It seems that that’s exactly what we are attempting. Why
>>> shouldn’t that be
>>> supported and what does that mean for my bug report (which was
>>> already
>>> worked on)?
>>>
>>> On 13 Nov 2016, at 15:06, Bill Burke <bburke(a)redhat.com> wrote:
>>>
>>> So, you:
>>>
>>> 1. visit the IDP-initiated SSO URL on keycloak
>>>
>>> 2. Select an external IDP to login from on the Keycloak login
>>> page
>>>
>>> 3. Login to the external IDP
>>>
>>> 4. Failure?
>>>
>>> Sounds like a bug.
>>>
>>> If you're trying to do IDP-initiated SSO starting from the
>>> external IDP,
>>> that's not something we support.
>>>
>>>
>>> On 11/11/16 11:13 PM, Josh Cain wrote:
>>> Hi all,
>>>
>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML
>>> Request)
>>> against the Keycloak broker service. However, it's failing every
>>> time
>>> on the IdentityBrokerService.authenticated(..) method. I get the
>>> following error on the console:
>>>
>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>>> staleCodeMessage
>>>
>>> This method seems to think that clients should *always* visit the
>>> Keycloak IDP before returning with a SAML assertion, and the
>>> failure to
>>> retrieve an associated client session is causing a serious
>>> issue. I am
>>> able to successfully use the identity brokering functions if I
>>> use an
>>> SP-initiated flow, so I know the brokering piece is configured
>>> correctly.
>>>
>>> Is this a limitation in the current implementation, or do I have
>>> something configured incorrectly?
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
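The thread turns on the difference between an SP-initiated SAML Response (it carries an InResponseTo matching a request the broker issued, so a client session exists) and an unsolicited, IdP-initiated one (no InResponseTo, no prior broker session, hence the staleCodeMessage above). The following is an added example, not Keycloak's code: a small broker-side classifier that applies the minimum checks before either kind is accepted. The entity ID, the in-memory pending-request set and the SAML XML are constructed for the demonstration, and signature verification is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_ENTITY_ID = "https://broker.example/realms/demo"   # assumed broker entity ID
# Request IDs the broker sent to the external IdP: an in-memory stand-in for the
# client session the thread says IdentityBrokerService.authenticated() expects.
PENDING_REQUESTS = {"_req-42"}
DEMO_NOW = datetime(2016, 11, 11, 22, 5, 4, tzinfo=timezone.utc)   # constructed clock
DEMO_EXPIRED = DEMO_NOW + timedelta(minutes=10)

def sample_response(in_response_to=None):
    """Constructed, unsigned SAML Response; without InResponseTo it is unsolicited."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_resp-1" Version="2.0" IssueInstant="2016-11-11T22:05:00Z"{irt}>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-11T22:05:00Z">'
            '<saml:Conditions NotBefore="2016-11-11T22:00:00Z" NotOnOrAfter="2016-11-11T22:10:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{OUR_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def classify_response(xml_text, now, allow_unsolicited=False):
    """Return (outcome, reason); outcome is 'sp-initiated', 'idp-initiated' or 'rejected'."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None or cond.get("NotOnOrAfter") is None:
        return ("rejected", "missing assertion conditions")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != OUR_ENTITY_ID:
        return ("rejected", "audience mismatch")
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        return ("rejected", "assertion expired")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        if in_response_to in PENDING_REQUESTS:
            PENDING_REQUESTS.discard(in_response_to)   # one-shot: a replay fails below
            return ("sp-initiated", "matched a pending broker request")
        return ("rejected", "unknown or already-used InResponseTo")
    # No InResponseTo: unsolicited, i.e. IdP-initiated. There is no prior broker
    # session for this browser, so accept only when policy explicitly allows it.
    if allow_unsolicited:
        return ("idp-initiated", "unsolicited response accepted by policy")
    return ("rejected", "unsolicited response not enabled")

if __name__ == "__main__":
    print(classify_response(sample_response(), DEMO_NOW))                          # rejected
    print(classify_response(sample_response(), DEMO_NOW, allow_unsolicited=True))  # idp-initiated
```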