Re: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

On 14 Nov 2016, at 15:32, Bill Burke <bburke(a)redhat.com&gt; wrote: This is not a bug, its a feature request. The IDP-SSO-Initiated link is not set up to process SAML requests. I didn't even think that people would want to do a broker initiated sso. On 11/14/16 9:23 AM, Josh Cain wrote: > @Chris - yep, exactly the same thing. Thanks for pointing me to the > right bug, I'll continue discussion there! > On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: >> Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP- >> initiated SSO from IdP A to >> IdP B (after which we can do all sorts of things with the >> authenticators). >> >> Stian called this a bug (set for 2.4.1.Final now), but it seems >> you’re saying this is not supported? >> This causes me some confusion, can you clarify? >> >> Thanks, >> Chris >> >>> On 13 Nov 2016, at 15:49, Bill Burke <bburke(a)redhat.com&gt; wrote: >>> >>> So, you have Application FOOBAR which is secured by IDP 'B'. You >>> want >>> to register an IDP initiated SSO link on IDP 'A' that redirects to >>> IDP >>> 'B' that redirects to Application FOOBAR? That's not something we >>> support at the moment. >>> >>> >>> >>> On 11/13/16 9:16 AM, Chris Brandhorst wrote: >>>> Isn’t this like my question: >>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/00793 >>>> 5.html >>>> >>>> and bug report: >>>> https://issues.jboss.org/browse/KEYCLOAK-3731 >>>> >>>> If you're trying to do IDP-initiated SSO starting from the >>>> external IDP, >>>> that's not something we support. >>>> It seems that that’s exactly what we are attempting. Why >>>> shouldn’t that be >>>> supported and what does that mean for my bug report (which was >>>> already >>>> worked on)? >>>> >>>> On 13 Nov 2016, at 15:06, Bill Burke <bburke@redhat.com<mailto:bb >>>> urke(a)redhat.com&gt;&gt; wrote: >>>> >>>> So, you: >>>> >>>> 1. visit the IDP-initiated SSO URL on keycloak >>>> >>>> 2. Select an external IDP to login from on the Keycloak login >>>> page >>>> >>>> 3. Login to the external IDP >>>> >>>> 4. Failure? >>>> >>>> Sounds like a bug. >>>> >>>> If you're trying to do IDP-initiated SSO starting from the >>>> external IDP, >>>> that's not something we support. >>>> >>>> >>>> On 11/11/16 11:13 PM, Josh Cain wrote: >>>> Hi all, >>>> >>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML >>>> Request) >>>> against the Keycloak broker service. However, it's failing every >>>> time >>>> on the IdentityBrokerService.authenticated(..) method. I get the >>>> following error on the console: >>>> >>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61) >>>> staleCodeMessage >>>> >>>> This method seems to think that clients should *always* visit the >>>> Keycloak IDP before returning with a SAML assertion, a the >>>> failure to >>>> retrieve an associated client session is causing a serious >>>> issue. I am >>>> able to successfully use the identity brokering functions if I >>>> use an >>>> SP-initiated flow, so I know the brokering piece is configured >>>> correctly. >>>> >>>> Is this a limitation in the current implementation, or do I have >>>> something configured incorrectly? >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.or >>>> g> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user