Hi Tom, I can confirm you that we've implemented the way i told you this morning. The main reason was to be able to access the Keycloak admin console from our Okta application dashboard. I want to highlight that this is a workaround, and for that you need to keep two okta applications: - a bookmark - an okta saml app For the bookmark: Simply put the link of the admin console in this way: https://<keycloak-hostname>/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2F<keycloak-hostname>%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&response_mode=fragment&response_type=code&scope=openid&kc_idp_hint=< <https://auth.sand.cuebiq.ai/auth/realms/master/protocol/openid-connect/au... name-of-the-configured-saml-identity-provider> To retrieve better the link, go to the admin console and copy the link, removing the "variable" part (nonce, state etc.). At this point, add the kc_idp_hint paramenter with the name of the configured saml identity provider. In this way, once clicked on the link, the user will go to Keycloak, which in turn will redirect the user to Okta for the authentication process. For the okta saml app: you can configure it as written in this guide https://ultimatesecurity.pro/post/okta-saml/ We've tried in our sand environment and it works. This probably will remove some security components (nonce and state are parameters used to avoid security issues), but since this is for internal use only we can safely proceed with that solution. I hope this will help you, bye! Matteo On Wed, Aug 7, 2019 at 11:01 AM Matteo Restelli <mrestelli(a)cuebiq.com&gt; wrote: -- Like <https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq>I Connect <https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.

Hi Matteo, That’s also how far I got. Unfortunately it’s not good enough for us. While it’s a nice “hack”, we also want our customers to be able to federate to our keycloak instance with SAML. We can’t all tell them to use a hack like this, it should be a standardized solution. Best regards, Tom From: Matteo Restelli <mrestelli(a)cuebiq.com&gt; Sent: Wednesday, 7 August 2019 17:56 To: Tom Billiet <tom.billiet(a)airties.com>; keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Accessing Keycloak from Okta Dashboard Hi Tom, Sorry for this email again. for name-of-the-configured-saml-identity-provider i meant the "alias" field you can find in the identity provider page. Bye! Matteo On Wed, Aug 7, 2019 at 5:54 PM Matteo Restelli <mrestelli@cuebiq.com<mailto:mrestelli@cuebiq.com>> wrote: Hi Tom, I can confirm you that we've implemented the way i told you this morning. The main reason was to be able to access the Keycloak admin console from our Okta application dashboard. I want to highlight that this is a workaround, and for that you need to keep two okta applications: - a bookmark - an okta saml app For the bookmark: Simply put the link of the admin console in this way: https://<keycloak-hostname>/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2F<keycloak-hostname>%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&response_mode=fragment&response_type=code&scope=openid&kc_idp_hint=<<http://webdefence.global.blackspider.com/urlwrap/?q=AXicbY5NTsMwEIVH4izNrk6hQUVIFrDpigXiApHjDM2o_sOeoGbDTVlxBQ7AJK3EBsnSjN88vffBFTQ_AJ9fANlNm6ZTJX8ob8jZGDhHp2z0cNrt9uPz68vmutne3gFHrzpyjpAfDWUmLIttYE7lvq7NyIMqJvTKjtjRuzK0aHVG43ypvSmMuU45crTR1TFhoH4tjQEtL9YHK-mBW-p1QTtm4mltek9hdpXosMrYUxZ7K0e9NK-2T6ubvbx_-i_qPOYUmWcIWS6BsklmSfLD1sce9Vs2By8QfzJPCbWVW1WsQOszeHW0wpnagQLrYryLRzYAcPoG-AUWkH7Q&Z>name-of-the-configured-saml-identity-provider> To retrieve better the link, go to the admin console and copy the link, removing the "variable" part (nonce, state etc.). At this point, add the kc_idp_hint paramenter with the name of the configured saml identity provider. In this way, once clicked on the link, the user will go to Keycloak, which in turn will redirect the user to Okta for the authentication process. For the okta saml app: you can configure it as written in this guide https://ultimatesecurity.pro/post/okta-saml/ We've tried in our sand environment and it works. This probably will remove some security components (nonce and state are parameters used to avoid security issues), but since this is for internal use only we can safely proceed with that solution. I hope this will help you, bye! Matteo On Wed, Aug 7, 2019 at 11:01 AM Matteo Restelli <mrestelli@cuebiq.com<mailto:mrestelli@cuebiq.com>> wrote: Yeah, the idea is to use a sort of Okta bookmark with the kc_idp_hint parameter, and keep hidden the okta SAML app, and assign the bookmark & the hidden app to the users (i don't know if it's possible, i need to speak with the colleague responsible of Okta). I know it's a big workaround but maybe it can work. It's something like using an SP initiated login as it was "an IDP one" :) Thank you, Matteo On Wed, Aug 7, 2019 at 10:43 AM Tom Billiet <tom.billiet@airties.com<mailto:tom.billiet@airties.com>> wrote: Please keep me posted if you find anything. Tried myself something like that last week, but no luck. I could make the okta app pass the hint parameter, so that part worked. But in the end you’re still trying to start and IDP initiated login, your app does not understand it, but due to the hint parameter it will start an SP initiated login. Unfortunately the change I had to do for that in okta broke the SP initiated login flow, so in the end nothing worked anymore. I hope to find some more time in the coming weeks to have a better look at it. Will keep you posted if I find something. Best regards, Tom From: Matteo Restelli <mrestelli@cuebiq.com<mailto:mrestelli@cuebiq.com>> Sent: Wednesday, 7 August 2019 10:27 To: Tom Billiet <tom.billiet@airties.com<mailto:tom.billiet@airties.com>> Cc: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] Accessing Keycloak from Okta Dashboard Hi Tom, Yeah you're right, they are two completely separated flows. We're currently trying to understand if it's possible to create an Okta application which redirects to the login page with the kc_idp_hint parameter in querystring. Specifying as a value of the parameter the name of the configured identity provider. This should do the trick. Currently i'm not into the Okta Configuration part so i cannot confirm that, i'll write here if something new comes up! Thank you for your suggestions, Matteo On Wed, Aug 7, 2019 at 10:22 AM Tom Billiet <tom.billiet@airties.com<mailto:tom.billiet@airties.com>> wrote: Hi Matteo, You're talking about 2 different flows here: * the "login with okta" button on keycloak. Then the flow is started from keycloak and it's called SP initiated login. * clicking the keycloak button in okta. Then the flow is started from okta and it's called IDP initiated login To my understanding this will depend on what type of client you're using. If your client is a SAML client, you should look at IDP initiated login section in the docs (never tried it myself): https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiate... On the other hand, if your client is an Openid connect/OAuth client, to my understanding oauth does not support this and hence it's not possible out-of-the-box. I'm in the same situation myself, and at the moment we've "solved" this by not showing the keycloak button in okta (you can configure that). However it would be much more convenient to get it working, so if anybody has a workaround on this, I'd be happy to know. I was thinking myself if there isn't a possibility to put a "fake" SAML client in between to handle the IDP initiated login and then redirect to the oauth app would be an option. But haven't found time to try it out. Best regards, Tom -----Original Message----- From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> On Behalf Of Matteo Restelli Sent: Wednesday, 7 August 2019 09:46 To: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: [keycloak-user] Accessing Keycloak from Okta Dashboard Hi all, we're trying to configure Keycloak with Okta. We've no problems in configuring the button "Login with okta" on the Keycloak login page. The problem now is how to configure Keycloak to have the possibility to access Keycloak from the Okta dashboard. Once we've configured the app in Okta, we've received the following error message inside the Keycloak logs: 07:44:13,487 INFO [org.jboss.aerogear.keycloak.metrics.MetricsEventListener] (default task-4) Received user event of type IDENTITY_PROVIDER_LOGIN_ERROR in realm master 07:44:13,487 WARN [org.keycloak.events] (default task-4) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.1.3.6, error=invalidRequestMessage 07:44:13,487 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-4) invalidRequestMessage We've followed this guide: https://ultimatesecurity.pro/post/okta-saml/ Any thoughts on that? Thank you very much, Matteo -- Like <https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq>I Connect <https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user This message has been scanned for malware by Websense. www.websense.com<http://www.websense.com> [Image removed by sender.] Like<https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq> I Connect<https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message. Click here<https://www.mailcontrol.com/sr/MZbqvYs5QwJvpeaetUwhCQ==> to report this email as spam. [https://s3-eu-west-1.amazonaws.com/static.cuebiq.com/public/icon-mail.png] Like<https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq> I Connect<https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.