10:50 a.m.
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the following requirement. I
read through the documentation but was not able to figure it out.
Scenario:
A user is on a website where he has the possibility to jump to web applications of
different partners via SSO. The website provider only supports IdP Initiated SSO and the
button links provided are SAML Assertion Consumer URLs. The flow describes what should be
happening for my understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to
Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more information to help
me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
11:10 a.m.
Hello Karsten,
Yes it is possible, please have a look here [1]. Of course you will need to
confire your SP with your specific SAML adapter [2]
Hope it helps,
Luis
ps: just for the records: I always use SP initiated login, it looks more
"natural" to me :)
[1]
https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiate...
[2]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-gener...
El jue., 8 nov. 2018 a las 10:51, Karsten Honsack (<
karsten.honsack(a)zurich.com>) escribió:
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the following
requirement. I read through the documentation but was not able to figure it
out.
Scenario:
A user is on a website where he has the possibility to jump to web
applications of different partners via SSO. The website provider only
supports IdP Initiated SSO and the button links provided are SAML Assertion
Consumer URLs. The flow describes what should be happening for my
understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects
user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE
there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more
information to help me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
11:28 a.m.
Hi Luis,
thank you for the fast help! I was looking at the brokering section. That was totally
wrong in this case. I will build a test scenario and try this out.
Best regards
Karsten Honsack
-----Ursprüngliche Nachricht-----
Von: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
Im Auftrag von Luis Rodríguez Fernández
Gesendet: Donnerstag, 8. November 2018 11:10
An: keycloak-user <keycloak-user(a)lists.jboss.org>
Betreff: [EXTERNAL] Re: [keycloak-user] Login via SAML RESPONSE from an IdP
Hello Karsten,
Yes it is possible, please have a look here [1]. Of course you will need to confire your
SP with your specific SAML adapter [2]
Hope it helps,
Luis
ps: just for the records: I always use SP initiated login, it looks more
"natural" to me :)
[1]
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...
[2]
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...
El jue., 8 nov. 2018 a las 10:51, Karsten Honsack (<
karsten.honsack(a)zurich.com>) escribió:
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the
following requirement. I read through the documentation but was not
able to figure it out.
Scenario:
A user is on a website where he has the possibility to jump to web
applications of different partners via SSO. The website provider only
supports IdP Initiated SSO and the button links provided are SAML
Assertion Consumer URLs. The flow describes what should be happening
for my
understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects
user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML
RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more
information to help me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m
ailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=DgzfCyvE4m33Nb8jT6Zstq7mstX
2IJrYfaJl8Ak-0_8&r=tEV5NbaAf1DsefwaP5VV_SYeWZQslIoxTN6j5CE93Hg&m=qspAg
pvVTTvc9t-nOM1flvxotmIZxnKAdMYyScv58Ig&s=sRIEtNz_hzeZ7pWSAjmi6kartlN-g
eNm1PiImgC9pPQ&e=
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
**************************************
5:13 a.m.
Hello Karsten,
Just to add to Luis's answer below. In SAML terms, this is called "Unsolicited
SAML response", meaning that it hasn't been preceded by any AuthnRequest.
While configuring your partner webapp in the 3rd party IdP, make sure that your ACS URL is
in the following form:
/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}
where {client-id} is the value of the "IDP Initiated SSO URL Name" in the broker
definition. It's a common mistake to use Keycloak SAML endpoint
(/auth/realms/{realm}/protocol/saml/endpoint) as ACS for IdP-initiated SSO. This won't
work as generic SAML endpoint doesn't accept unsolicited responses, only
client-specific endpoints do.
By the way, what's that 3rd party IdP? Keycloak is known to work with Okta and
PingFederate and theoretically should work with any SAML 2.0 compliant IdP.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-11-08 at 09:50 +0000, Karsten Honsack wrote:
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the following requirement. I
read through the documentation but was not able to figure it out.
Scenario:
A user is on a website where he has the possibility to jump to web applications of
different partners via SSO. The website provider only supports IdP Initiated SSO and the
button links provided are SAML Assertion Consumer URLs. The flow describes what should be
happening for my understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to
Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more information to help
me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:11 a.m.
Hi Dimitry,
thank you for the additional information!
I don't know the the exact technology. It is a german SSO provider for insurance
sellers called "easy login" and I think their IdP is their own implementation as
they also use some proprietary token formats for other scenarios.
Best regards
Karsten
-----Ursprüngliche Nachricht-----
Von: Dmitry Telegin <dt(a)acutus.pro>
Gesendet: Freitag, 9. November 2018 05:14
An: Karsten Honsack <karsten.honsack(a)zurich.com>; keycloak-user(a)lists.jboss.org
Betreff: [EXTERNAL] Re: [keycloak-user] Login via SAML RESPONSE from an IdP
Hello Karsten,
Just to add to Luis's answer below. In SAML terms, this is called "Unsolicited
SAML response", meaning that it hasn't been preceded by any AuthnRequest.
While configuring your partner webapp in the 3rd party IdP, make sure that your ACS URL is
in the following form:
/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}
where {client-id} is the value of the "IDP Initiated SSO URL Name" in the broker
definition. It's a common mistake to use Keycloak SAML endpoint
(/auth/realms/{realm}/protocol/saml/endpoint) as ACS for IdP-initiated SSO. This won't
work as generic SAML endpoint doesn't accept unsolicited responses, only
client-specific endpoints do.
By the way, what's that 3rd party IdP? Keycloak is known to work with Okta and
PingFederate and theoretically should work with any SAML 2.0 compliant IdP.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-11-08 at 09:50 +0000, Karsten Honsack wrote:
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the following requirement. I
read through the documentation but was not able to figure it out.
Scenario:
A user is on a website where he has the possibility to jump to web applications of
different partners via SSO. The website provider only supports IdP Initiated SSO and the
button links provided are SAML Assertion Consumer URLs. The flow describes what should be
happening for my understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to
Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more information to help
me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
**************************************
2048
days inactive
2053
days old
4 comments
3 participants
participants (3)
-
Dmitry Telegin -
Karsten Honsack -
Luis Rodríguez Fernández