No.
Actually, the 3rd party app is using Okta as SAML IdP.
So I added another app in Okta for my Keycloak server. Now when a user logs
into Keycloak using this Okta integration, I receive a Keycloak access token
embedded with the Okta SAML token.
On Thursday, April 18, 2019, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Out of curiosity, so the 3rd party is already using Keycloak as SAML
IdP?
On Thu, Apr 18, 2019 at 1:32 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
> Answer to my previous question:
>
> The only step needed after adding the SAML provider is to turn on the Stored
> Tokens Readable and Stored Tokens switches. The reason I was getting the above
> error was that for an already imported user, this role will not get set.
> It only gets set for newly imported users (users imported after turning on the
> switches).
>
> But this is a very handy solution from Keycloak to extract SAML tokens.
>
> On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings <testoauth55(a)gmail.com>
> wrote:
>
>> Thanks Pedro,
>>
>> I guess, then, an alternative and a very good solution that Keycloak
>> provides is to integrate the same SAML provider (which is being used by the
>> 3rd party app) with Keycloak, extract the SAML token from it and pass this
>> token on to the 3rd party app.
>>
>> I followed the official doc:
>> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>>
>> After configuring the SAML provider, I turned on the Stored Tokens
>> Readable and Stored Tokens switches; however, I am still receiving
>>
>> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
>> identity provider [saml1]."*
>>
>> In the doc there is one more configuration step: "This access token will need
>> to have the broker client-level role read-token set", but I do not know
>> where to set this particular option. Any idea?
>>
>>
>> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> If you want to exchange access/ID tokens for SAML assertions, the token
>>> exchange does not support SAML.
>>>
>>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings <testoauth55(a)gmail.com>
>>> wrote:
>>>
>>>> I have successfully integrated a few of my apps with Keycloak (with OIDC
>>>> tokens). However, there is a 3rd party app which works on SAML tokens. I am
>>>> wondering: is it possible to use my existing Keycloak system to send SAML
>>>> tokens to this third party app?
>>>> i.e. I want to use Keycloak as IdP and SP and generate SAML tokens and send
>>>> them to this 3rd party app. Is this scenario even possible?
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
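The fix the thread arrives at, as an added example that is not code from the thread or from the Keycloak project: Bruce notes that the `broker` client-level role `read-token` is only set automatically for users imported after the Stored Tokens switches are turned on, so for already-imported users it has to be granted by hand. The script below grants it over the admin REST API and then reads the stored token from the broker endpoint the linked doc describes. It assumes the Keycloak 4.x URL layout with the `/auth` prefix, a realm `demo`, a provider alias `saml1`, a user `alice` and the `admin-cli` password grant; the `FakeKeycloak` transport, its canned JSON replies and the placeholder assertion are constructed so the demo runs offline. One caveat the fake simplifies away: a real server checks `read-token` inside the bearer token's claims, not the live role mapping, so the user must log in again after the grant before the broker endpoint honours it.

```python
"""Grant an existing Keycloak user the `broker` client's `read-token` role via the admin
REST API, then read that user's stored external-IdP token from the broker endpoint.
Keycloak 4.x URL layout (/auth prefix) is assumed; the HTTP transport is injectable."""
import json
import urllib.error
import urllib.parse
import urllib.request

BROKER_ROLE = "read-token"  # client-level role on the built-in `broker` client

def urllib_transport(method, url, headers, body=None):
    # Real HTTP transport: returns (status, response_text), also for 4xx/5xx replies
    data = body.encode() if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class KeycloakAdmin:
    def __init__(self, base_url, realm, transport=urllib_transport):
        self.base, self.realm, self.transport, self.token = base_url.rstrip("/"), realm, transport, None

    def login(self, username, password, admin_realm="master"):
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password})
        status, text = self.transport("POST", f"{self.base}/realms/{admin_realm}/protocol/openid-connect/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"admin login failed: {status} {text}")
        self.token = json.loads(text)["access_token"]

    def call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, text = self.transport(method, f"{self.base}/admin/realms/{self.realm}{path}", headers,
                                      json.dumps(payload) if payload is not None else None)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: {status} {text}")
        return json.loads(text) if text else None

def grant_read_token(admin, username):
    """Add the broker/read-token mapping; True if added, False if the user already had it."""
    broker = admin.call("GET", "/clients?clientId=broker")[0]
    role = admin.call("GET", f"/clients/{broker['id']}/roles/{BROKER_ROLE}")
    user = next(u for u in admin.call("GET", f"/users?username={urllib.parse.quote(username)}")
                if u["username"] == username)  # ?username= is a search, not an exact match
    current = admin.call("GET", f"/users/{user['id']}/role-mappings/clients/{broker['id']}")
    if any(r["name"] == BROKER_ROLE for r in current):
        return False
    admin.call("POST", f"/users/{user['id']}/role-mappings/clients/{broker['id']}", [role])
    return True

def fetch_broker_token(base_url, realm, alias, user_access_token, transport=urllib_transport):
    """GET /realms/{realm}/broker/{alias}/token with the *user's* (not the admin's) token."""
    status, text = transport("GET", f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/token",
                             {"Authorization": f"Bearer {user_access_token}"})
    if status != 200:
        raise PermissionError(f"{status}: {text}")
    return text  # for a SAML provider this is the stored SAML document

class FakeKeycloak:
    """Constructed offline stand-in: one already-imported user (alice) without read-token."""
    def __init__(self):
        self.mappings = []  # broker client-role mappings for user u-1

    def __call__(self, method, url, headers, body=None):
        path = url.split("/auth", 1)[1]
        if path.endswith("/protocol/openid-connect/token"):
            return 200, '{"access_token": "admin-token"}'
        if path.endswith("/clients?clientId=broker"):
            return 200, '[{"id": "c-broker", "clientId": "broker"}]'
        if path.endswith("/clients/c-broker/roles/read-token"):
            return 200, '{"id": "r-1", "name": "read-token"}'
        if "/users?username=" in path:
            return 200, '[{"id": "u-1", "username": "alice"}, {"id": "u-2", "username": "alice2"}]'
        if path.endswith("/users/u-1/role-mappings/clients/c-broker"):
            if method == "POST":
                self.mappings.extend(json.loads(body))
                return 204, ""
            return 200, json.dumps(self.mappings)
        if path.endswith("/broker/saml1/token"):  # real server checks the role in the bearer token
            if any(r["name"] == BROKER_ROLE for r in self.mappings):
                return 200, '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>'
            return 403, '{"errorMessage": "Client [myApp] not authorized to retrieve tokens from identity provider [saml1]."}'
        return 404, ""

def run_demo(base_url="http://keycloak.example/auth", realm="demo", alias="saml1"):
    server, before = FakeKeycloak(), None
    try:
        fetch_broker_token(base_url, realm, alias, "alice-access-token", transport=server)
    except PermissionError as err:
        before = str(err)  # the thread's 403 error
    admin = KeycloakAdmin(base_url, realm, transport=server)
    admin.login("admin", "admin-password")
    granted = grant_read_token(admin, "alice")
    after = fetch_broker_token(base_url, realm, alias, "alice-access-token", transport=server)
    return {"before": before, "granted": granted, "after": after}
```

Against a real server, build `KeycloakAdmin("https://<host>/auth", "<realm>")` with the default `urllib_transport`, call `login` with an admin account, then `grant_read_token`; the broker endpoint must be called with the end user's own access token obtained after the grant, and only returns anything if Stored Tokens was enabled before that user's login through the SAML provider.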