10:04 a.m.
I can SSO across different JWT clients but if I try to access a SAML client, I am
redirected to the login page even if I have an active session for the user in keycloak
after an OIDC authentication.
Is it possible to automatically authenticate the user for the SAML client? Simply put, I
am trying to get a SAML assertion on behalf of the user after OIDC authentication.
Thanks in advance!!
9:12 p.m.
Hello Mahendra,
This should work out of the box - after all, that's what SSO is about. Are you sure
that both OIDC and SAML clients are in the same Keycloak realm?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote:
I can SSO across different JWT clients but if I try to access a SAML
client, I am redirected to the login page even if I have an active session for the user in
keycloak after an OIDC authentication.
Is it possible to automatically authenticate the user for the SAML client? Simply put, I
am trying to get a SAML assertion on behalf of the user after OIDC authentication.
Thanks in advance!!
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:32 a.m.
On 12/16/18 10:12 PM, Dmitry Telegin wrote:
Hello Mahendra,
This should work out of the box - after all, that's what SSO is about. Are you sure
that both OIDC and SAML clients are in the same Keycloak realm?
And make sure you don't have ForceAuthn set to true in the request. As a
reminder this is the definition of ForceAuthn: "A Boolean value. If
"true", the identity provider MUST authenticate the presenter directly
rather than rely on a previous security context."
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote:
> I can SSO across different JWT clients but if I try to access a SAML client, I am
redirected to the login page even if I have an active session for the user in keycloak
after an OIDC authentication.
>
>
> Is it possible to automatically authenticate the user for the SAML client? Simply
put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication.
>
>
> Thanks in advance!!
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
John Dennis
10:58 p.m.
Hi John,
Thanks for pointing this out - in my original message I was about to write "...and
check that your client doesn't have Force Authentication turned on", but recalled
that this is for brokered SAML IdPs only :)
Dmitry
On Mon, 2018-12-17 at 08:32 -0500, John Dennis wrote:
On 12/16/18 10:12 PM, Dmitry Telegin wrote:
> Hello Mahendra,
>
> This should work out of the box - after all, that's what SSO is about. Are you
sure that both OIDC and SAML clients are in the same Keycloak realm?
And make sure you don't have ForceAuthn set to true in the request. As a
reminder this is the definition of ForceAuthn: "A Boolean value. If
"true", the identity provider MUST authenticate the presenter directly
rather than rely on a previous security context."
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
>
> On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote:
> > I can SSO across different JWT clients but if I try to access a SAML client, I
am redirected to the login page even if I have an active session for the user in keycloak
after an OIDC authentication.
> >
> >
> > Is it possible to automatically authenticate the user for the SAML client?
Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC
authentication.
> >
> >
> > Thanks in advance!!
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2204
days inactive
2208
days old
3 comments
3 participants
participants (3)
-
Dmitry Telegin -
John Dennis -
Satrasala, Mahendra