Hello,
I just created this PR : https://github.com/keycloak/keycloak/pull/4965.
This allows the use of IDP-initiated logins with OIDC clients (for now it is limited to
SAML clients).
My use case is:
- My OIDC Client uses Keycloak as OIDC Authorization Server.
- Users use Okta as IDP.
Hence:
* I register my OIDC Client in the Okta portal using a URL like
  http://<keycloak>/auth/realms/<realm>/broker/<idp-name>/endpoint/clients/<client-alias>,
  in a similar way to
  http://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated...
* When a user accesses his Okta portal, he authenticates to Okta (no KC involved).
* In the Okta portal he sees a list of applications.
* He clicks on the OIDC Client app.
* Okta initiates a SAML authentication with Keycloak.
* Once it succeeds, Keycloak calls a URL of the OIDC Client.
* The OIDC Client initiates an OIDC flow with Keycloak.
* Keycloak redirects back to the OIDC Client (using the same identity as the one
  initiated by the Okta SAML flow).
My Client is registered in a way that Okta will
This works like:
* The user is authenticated in the external IDP.
* The external IDP dashboard page lists all available Clients.
* The user clicks on a Client.
* The external IDP redirects to KC (using SAML).
* KC validates the authentication.
* KC redirects to the OIDC RP (IDP Initiated Target URL).
* The OIDC RP initiates an OIDC authentication flow and redirects to KC.
* KC automatically creates a session and redirects back to the OIDC RP.
The code is far from bullet-proof, I'll gladly accept some feedback.
Cheers,
Adrian
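The step where the OIDC RP is hit at its "IDP Initiated Target URL" and then starts its own OIDC flow is the security-relevant one: that redirect from KC is unauthenticated, so the RP must treat it only as a trigger and run a full authorization-code flow (state, nonce, PKCE) rather than trusting the arrival. The sketch below is an added illustration of that RP side; it is not code from the PR, from Keycloak or from Okta. The issuer URL, client id, redirect URI and the in-memory transaction store are assumptions made for the example.

```python
"""RP side of the IDP-initiated flow: the unsolicited landing on the target
URL only kicks off a regular authorization-code flow against Keycloak, which
already holds the SSO session created by the brokered SAML login.

Added illustration; all URLs and the client id are assumed values.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the illustration (not a real deployment).
ISSUER = "http://keycloak.example/auth/realms/demo"
CLIENT_ID = "my-oidc-client"
REDIRECT_URI = "https://rp.example/callback"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE and state values are usually encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge derived from a code verifier."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class PendingLogins:
    """In-memory store of one-shot login transactions keyed by state (assumed)."""

    def __init__(self):
        self._by_state = {}

    def start(self):
        state = _b64url(secrets.token_bytes(32))
        nonce = _b64url(secrets.token_bytes(32))
        verifier = _b64url(secrets.token_bytes(32))
        self._by_state[state] = {"nonce": nonce, "verifier": verifier}
        return state, nonce, verifier

    def consume(self, state):
        # Pop, so a replayed callback carrying the same state is rejected.
        return self._by_state.pop(state, None)


def build_authorization_url(store: PendingLogins) -> str:
    """Called when the RP's target URL is hit: begin a fresh code flow.

    Nothing from the incoming redirect is reused; identity is only accepted
    once Keycloak answers this request and the tokens are validated.
    """
    state, nonce, verifier = store.start()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(store: PendingLogins, callback_url: str) -> dict:
    """Validate the redirect back from Keycloak and return what the token
    request needs. Raises ValueError on a missing, unknown or replayed state."""
    q = query_params(callback_url)
    state, code = q.get("state"), q.get("code")
    if state is None or code is None:
        raise ValueError("missing state or code")
    txn = store.consume(state)
    if txn is None:
        raise ValueError("unknown or replayed state")
    # The caller then POSTs code + code_verifier to the token endpoint and
    # must check that the ID token's nonce claim equals expected_nonce.
    return {
        "code": code,
        "code_verifier": txn["verifier"],
        "expected_nonce": txn["nonce"],
    }


if __name__ == "__main__":
    store = PendingLogins()
    url = build_authorization_url(store)
    print("redirect user to:", url)
    st = query_params(url)["state"]
    print(handle_callback(store, f"{REDIRECT_URI}?code=demo-code&state={st}"))
```

The state is popped on first use so the callback cannot be replayed, and the nonce is handed back so the ID token can be bound to this transaction; the token-endpoint call itself is left to the caller because it needs network access.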