@Chris - yep, exactly the same thing. Thanks for pointing me to the
right bug, I'll continue discussion there!
On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-initiated
SSO from IdP A to IdP B (after which we can do all sorts of things with the
authenticators).
Stian called this a bug (set for 2.4.1.Final now), but it seems you’re saying
this is not supported?
This causes me some confusion, can you clarify?
Thanks,
Chris
>
> On 13 Nov 2016, at 15:49, Bill Burke <bburke(a)redhat.com> wrote:
>
> So, you have Application FOOBAR which is secured by IDP 'B'. You want
> to register an IDP initiated SSO link on IDP 'A' that redirects to IDP
> 'B' that redirects to Application FOOBAR? That's not something we
> support at the moment.
>
>
>
> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
> >
> > Isn’t this like my question:
> >
> > http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
> >
> > and bug report:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-3731
> >
> > If you're trying to do IDP-initiated SSO starting from the external IDP,
> > that's not something we support.
> > It seems that that’s exactly what we are attempting. Why shouldn’t that be
> > supported and what does that mean for my bug report (which was already
> > worked on)?
> >
> > On 13 Nov 2016, at 15:06, Bill Burke <bburke@redhat.com> wrote:
> >
> > So, you:
> >
> > 1. visit the IDP-initiated SSO URL on keycloak
> >
> > 2. Select an external IDP to login from on the Keycloak login page
> >
> > 3. Login to the external IDP
> >
> > 4. Failure?
> >
> > Sounds like a bug.
> >
> > If you're trying to do IDP-initiated SSO starting from the
> > external IDP,
> > that's not something we support.
> >
> >
> > On 11/11/16 11:13 PM, Josh Cain wrote:
> > Hi all,
> >
> > I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> > against the Keycloak broker service. However, it's failing every time
> > on the IdentityBrokerService.authenticated(..) method. I get the
> > following error on the console:
> >
> > 22:05:04,945 ERROR [org.keycloak.services] (default task-61) staleCodeMessage
> >
> > This method seems to think that clients should *always* visit the
> > Keycloak IDP before returning with a SAML assertion, and the failure to
> > retrieve an associated client session is causing a serious issue. I am
> > able to successfully use the identity brokering functions if I use an
> > SP-initiated flow, so I know the brokering piece is configured
> > correctly.
> >
> > Is this a limitation in the current implementation, or do I have
> > something configured incorrectly?
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user