Re: [keycloak-user] Accessing Keycloak from Okta Dashboard

Yeah, the idea is to use a sort of Okta bookmark with the kc_idp_hint parameter, and keep hidden the okta SAML app, and assign the bookmark & the hidden app to the users (i don't know if it's possible, i need to speak with the colleague responsible of Okta). I know it's a big workaround but maybe it can work. It's something like using an SP initiated login as it was "an IDP one" :) Thank you, Matteo On Wed, Aug 7, 2019 at 10:43 AM Tom Billiet <tom.billiet(a)airties.com&gt; wrote: > Please keep me posted if you find anything. > > Tried myself something like that last week, but no luck. > > I could make the okta app pass the hint parameter, so that part worked. > But in the end you’re still trying to start and IDP initiated login, your > app does not understand it, but due to the hint parameter it will start an > SP initiated login. Unfortunately the change I had to do for that in okta > broke the SP initiated login flow, so in the end nothing worked anymore. > > I hope to find some more time in the coming weeks to have a better look > at it. Will keep you posted if I find something. > > > > Best regards, > > Tom > > > > *From:* Matteo Restelli <mrestelli(a)cuebiq.com&gt; > *Sent:* Wednesday, 7 August 2019 10:27 > *To:* Tom Billiet <tom.billiet(a)airties.com&gt; > *Cc:* keycloak-user <keycloak-user(a)lists.jboss.org&gt; > *Subject:* Re: [keycloak-user] Accessing Keycloak from Okta Dashboard > > > > Hi Tom, > > Yeah you're right, they are two completely separated flows. > > We're currently trying to understand if it's possible to create an Okta > application which redirects to the login page with the kc_idp_hint > parameter in querystring. Specifying as a value of the parameter the name > of the configured identity provider. This should do the trick. Currently > i'm not into the Okta Configuration part so i cannot confirm that, i'll > write here if something new comes up! > > > > Thank you for your suggestions, > > Matteo > > > > On Wed, Aug 7, 2019 at 10:22 AM Tom Billiet <tom.billiet(a)airties.com&gt; > wrote: > > Hi Matteo, > > You're talking about 2 different flows here: > * the "login with okta" button on keycloak. Then the flow is started from > keycloak and it's called SP initiated login. > * clicking the keycloak button in okta. Then the flow is started from > okta and it's called IDP initiated login > > To my understanding this will depend on what type of client you're using. > > If your client is a SAML client, you should look at IDP initiated login > section in the docs (never tried it myself): > https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiate... > On the other hand, if your client is an Openid connect/OAuth client, to > my understanding oauth does not support this and hence it's not possible > out-of-the-box. > > I'm in the same situation myself, and at the moment we've "solved" this > by not showing the keycloak button in okta (you can configure that). > However it would be much more convenient to get it working, so if anybody > has a workaround on this, I'd be happy to know. I was thinking myself if > there isn't a possibility to put a "fake" SAML client in between to handle > the IDP initiated login and then redirect to the oauth app would be an > option. But haven't found time to try it out. > > Best regards, > Tom > > -----Original Message----- > From: keycloak-user-bounces(a)lists.jboss.org < > keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Matteo Restelli > Sent: Wednesday, 7 August 2019 09:46 > To: keycloak-user <keycloak-user(a)lists.jboss.org&gt; > Subject: [keycloak-user] Accessing Keycloak from Okta Dashboard > > Hi all, > we're trying to configure Keycloak with Okta. We've no problems in > configuring the button "Login with okta" on the Keycloak login page. The > problem now is how to configure Keycloak to have the possibility to access > Keycloak from the Okta dashboard. Once we've configured the app in Okta, > we've received the following error message inside the Keycloak logs: > > 07:44:13,487 INFO > [org.jboss.aerogear.keycloak.metrics.MetricsEventListener] (default > task-4) Received user event of type IDENTITY_PROVIDER_LOGIN_ERROR in > realm master > 07:44:13,487 WARN [org.keycloak.events] (default task-4) > type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, > userId=null, ipAddress=10.1.3.6, error=invalidRequestMessage > 07:44:13,487 ERROR [org.keycloak.services.resources.IdentityBrokerService] > (default task-4) invalidRequestMessage > > We've followed this guide: > https://ultimatesecurity.pro/post/okta-saml/ > > Any thoughts on that? > > Thank you very much, > Matteo > > -- > > Like <https://www.facebook.com/cuebiq/> I Follow < > https://twitter.com/Cuebiq>I Connect < > https://www.linkedin.com/company/cuebiq> > > > This email is reserved > exclusively for sending and receiving messages inherent working > activities, and is not intended nor authorized for personal use. Therefore, > any outgoing messages or incoming response messages will be treated as > company messages and will be subject to the corporate IT policy and may > possibly to be read by persons other than by the subscriber of the box. > Confidential information may be contained in this message. If you are not > the address indicated in this message, please do not copy or deliver this > message to anyone. In such case, you should notify the sender immediately > and delete the original message. > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > This message has been scanned for malware by Websense. www.websense.com > > > > [image: Image removed by sender.] > > Like <https://www.facebook.com/cuebiq/> I Follow > <https://twitter.com/Cuebiq>I Connect > <https://www.linkedin.com/company/cuebiq> > > > > This email is reserved exclusively for sending and receiving messages > inherent working activities, and is not intended nor authorized for > personal use. Therefore, any outgoing messages or incoming response > messages will be treated as company messages and will be subject to the > corporate IT policy and may possibly to be read by persons other than by > the subscriber of the box. Confidential information may be contained in > this message. If you are not the address indicated in this message, please > do not copy or deliver this message to anyone. In such case, you should > notify the sender immediately and delete the original message. > > > > Click here > <https://www.mailcontrol.com/sr/NZ2Bjs_H_U_GX2PQPOmvUizKrmxxhcEGgyl_7rOGMK... > to report this email as spam. >