Is there a way to use an OIDC IdP without any backchannel communication involved (like SAML 2.0 Web Browser SSO with HTTP-Post Binding)
9:07 a.m.
Hi,
I'm looking into using Keycloak as a Broker in my SAAS platform to federate with
foreign IdPs which aren't in my control.
So my scenario is that:
1. Customer navigates to his SP in my SAAS platform
2. SP redirects him to my Keycloak in my SAAS platform
3. Customer choses to login in with his IdP
4. Keycloak redirects Customer to the login page of his IdP
5. Customer accomplishes login to his IdP
6. IdP redirects the Customer to my Keycloak
7. My Keycloak provisions the user
8. My Keycloak redirects the user to his SP in my SAAS platform
9. SP accepts the login
For a proof of concept I tried to implement this scenario with two Keycloak instances,
which aren't and shouldn't be able to communicate with each other. The only thing
that should communicate with both Keycloak instances is the user agent, because I
don't want the hassle that I have to establish a for example two-way-ssl connection
between my SAAS Keycloak and foreign IdP.
My first attempt was using OpenID Connect, but then my SAAS Keycloak tried to get an
access_token from the other Keycloak in step 7. That didn't work (as I expected and
intended). So my question is: Is there a way to use an OIDC IdP without any backchannel
communication involved?
My second attempt was using SAML 2.0 Web Browser SSO with HTTP-Post Binding. That did work
fine.
Best regards
Marcus
6 a.m.
OIDC protocol has implicit flow and we support that in Keycloak. However
we don't support that for our Identity providers. I see that
AbstractOAuth2IdentityProvider.createAuthorizationUrl has hardcoded
"response_type" to "code" . So you would need to create your own impl
of
Identity Provider and override that method. Probably some other methods
would need to be overriden too (eg. for logout).
I would rather try to setup SSL and make Keycloak servers communicate
with each other . We have truststore SPI, which is documented and
hopefully can simplify it.
Marek
On 26/07/17 16:07, May Marcus, Bedag wrote:
Hi,
I'm looking into using Keycloak as a Broker in my SAAS platform to federate with
foreign IdPs which aren't in my control.
So my scenario is that:
1. Customer navigates to his SP in my SAAS platform
2. SP redirects him to my Keycloak in my SAAS platform
3. Customer choses to login in with his IdP
4. Keycloak redirects Customer to the login page of his IdP
5. Customer accomplishes login to his IdP
6. IdP redirects the Customer to my Keycloak
7. My Keycloak provisions the user
8. My Keycloak redirects the user to his SP in my SAAS platform
9. SP accepts the login
For a proof of concept I tried to implement this scenario with two Keycloak instances,
which aren't and shouldn't be able to communicate with each other. The only thing
that should communicate with both Keycloak instances is the user agent, because I
don't want the hassle that I have to establish a for example two-way-ssl connection
between my SAAS Keycloak and foreign IdP.
My first attempt was using OpenID Connect, but then my SAAS Keycloak tried to get an
access_token from the other Keycloak in step 7. That didn't work (as I expected and
intended). So my question is: Is there a way to use an OIDC IdP without any backchannel
communication involved?
My second attempt was using SAML 2.0 Web Browser SSO with HTTP-Post Binding. That did
work fine.
Best regards
Marcus
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2695
days inactive
2696
days old
1 comments
2 participants
participants (2)
-
Marek Posolda -
May Marcus, Bedag