I see what you mean by the idp_hint, but wouldn’t this exclude the IdP initiated SSO
possibility? My use case is ‘User logs in to IdP ‘federated’, IdP ‘federated’ does
an IdP initiated SSO to IdP ‘master’ with the account page as ‘client’, as documented here:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl....
This works with a ‘normal’ client, but not for the account client.
On 7 Feb 2017, at 10:04, Stian Thorgersen
<sthorger@redhat.com> wrote:
The account page doesn't support SAML, only OIDC.
To achieve what you want we'd have to add idp_hint query param support to the account
page and make it include that in its authentication request. Would be pretty simple
to do. You can create a JIRA feature request for it. Even better if it came with a PR
including tests.
On 6 February 2017 at 16:41, Mark Pardijs
<mark.pardijs@topicus.nl> wrote:
Hi,
I want to give my users the possibility to edit their account settings from a federated
IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly
to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?
As far as I can see, I have to do the following steps:
1. In the ‘master’ keycloak: add a new SAML client with URL
{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no such thing as
‘OpenID Connect IdP initiated SSO’ as far as I can see)
2. In the federated IdP: send a SAMLResponse to
http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}
The login goes successfully, but after login I see a 403 "Failed executing POST
/realms/master/account" error, since the account page doesn't accept POST requests. If I
refresh the browser window which is pointing at the account page all is well, since this
last request is a GET request. (See
http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same
question about POST/GET)
I could make a third client whose only function is to show a link to the account page, but I
don't know if this is the right way to go.
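The "third client" sketched above, as an added example that is not part of this thread: a minimal relay page that takes the SAML HTTP-POST binding and answers with a 303 so the browser reaches the account page with a GET instead of the POST that produced the 403. The server URL, realm and listening port are assumptions.

```python
"""Relay for the 'third client' idea: accept the SAML HTTP-POST binding and
send the browser on to the account page with a GET."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Assumed values for this example; substitute your own deployment's.
KEYCLOAK_SERVER_URL = "https://sso.example.org"
REALM = "master"

def account_url(server_url: str, realm: str) -> str:
    return f"{server_url}/auth/realms/{realm}/account"

def relay_response(method: str, body: bytes) -> Tuple[int, Dict[str, str]]:
    """Status and headers for one request to the relay endpoint.
    The relay builds no session from the SAMLResponse: the account page runs
    its own OIDC login, which succeeds on the SSO session the broker flow
    already created. Presence is checked so stray POSTs get 400, not a redirect."""
    if method == "POST":
        form = parse_qs(body.decode("utf-8", errors="replace"))
        if "SAMLResponse" not in form:
            return 400, {"Content-Type": "text/plain"}
        # 303 makes the browser re-request the target with GET, which the
        # account page accepts (a POST there is what produced the 403).
        return 303, {"Location": account_url(KEYCLOAK_SERVER_URL, REALM),
                     "Cache-Control": "no-store"}
    if method == "GET":
        return 200, {"Content-Type": "text/html; charset=utf-8"}
    return 405, {"Allow": "GET, POST"}

class RelayHandler(BaseHTTPRequestHandler):
    def _reply(self, status: int, headers: Dict[str, str], body: bytes = b"") -> None:
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self) -> None:  # Keycloak posts the SAMLResponse here
        length = int(self.headers.get("Content-Length", "0"))
        status, headers = relay_response("POST", self.rfile.read(length))
        self._reply(status, headers)

    def do_GET(self) -> None:  # fallback: plain link to the account page
        link = account_url(KEYCLOAK_SERVER_URL, REALM)
        self._reply(*relay_response("GET", b""), f'<a href="{link}">Manage account</a>'.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RelayHandler).serve_forever()
```

Register the relay's URL as the assertion consumer URL of the extra SAML client in the master realm; the account page then authenticates the user through its own OIDC flow against the existing SSO session.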
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user