Are you using IdP-initiated login for brokered IdPs? [1] The URL for
IdP-initiated login should be this:
broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}
[1]
--Hynek
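As an added illustration (not code from either poster or from the Keycloak project), the script below builds the two URLs this thread is about: the Keycloak broker endpoint in the form quoted above, which names the client the user should land in, and the ADFS idpinitiatedsignon.aspx URL from the question, whose RelayState parameter carries an RPID plus an inner RelayState as one URL-encoded value (so the outer parameter is double-encoded, which is why the page's URL starts with RelayState=RPID%3D). The host names, realm, IdP alias, client id and RPID are assumed sample values; a small check flags a relayed URL that stops at a bare .../endpoint, as in the question, instead of naming a client.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse


def keycloak_idp_initiated_url(broker_root: str, realm: str, idp_alias: str, client_id: str) -> str:
    """Keycloak IdP-initiated broker endpoint, shaped like the URL in the reply:
    broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}.
    Path segments are percent-encoded so an alias or client id with odd characters
    cannot alter the path."""
    base = broker_root.rstrip("/")
    return (
        f"{base}/auth/realms/{quote(realm, safe='')}"
        f"/broker/{quote(idp_alias, safe='')}"
        f"/endpoint/clients/{quote(client_id, safe='')}"
    )


def adfs_idp_initiated_url(adfs_host: str, rpid: str, relay_state: str) -> str:
    """ADFS IdP-initiated sign-on URL. ADFS reads one RelayState query parameter whose
    value is itself a query string of the form RPID=<relying party id>&RelayState=<value>,
    so the inner pair is encoded first and then encoded again as the outer parameter."""
    inner = urlencode({"RPID": rpid, "RelayState": relay_state})
    outer = urlencode({"RelayState": inner})
    return f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?{outer}"


def parse_adfs_relay_state(url: str) -> dict:
    """Undo the double encoding: returns {'RPID': ..., 'RelayState': ...}."""
    outer = parse_qs(urlparse(url).query, strict_parsing=True)
    inner = parse_qs(outer["RelayState"][0], strict_parsing=True)
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def names_client(keycloak_url: str) -> bool:
    """True when the broker endpoint URL ends in /endpoint/clients/<client-id>;
    a URL ending in a bare /endpoint (the situation in the question) gives Keycloak
    no client to send the user on to."""
    path = urlparse(keycloak_url).path.rstrip("/")
    parts = path.split("/")
    return len(parts) >= 2 and parts[-2] == "clients" and parts[-1] != "" and "/broker/" in path


if __name__ == "__main__":
    # Sample values (assumed): hosts from the thread, realm "realmid", IdP alias "infoview",
    # client id "app"; the RPID is assumed to be the realm's SAML entity id.
    target = keycloak_idp_initiated_url("https://kc.example.com", "realmid", "infoview", "app")
    link = adfs_idp_initiated_url("fs.example.com", "https://kc.example.com/auth/realms/realmid", target)
    print(target)
    print(link)
    print(parse_adfs_relay_state(link))
    print(names_client(target), names_client("https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint"))
```

The parse function is the useful half when debugging: paste the link the user is given, decode it, and confirm the inner RelayState is the client-specific broker endpoint rather than the bare one.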
On Fri, Mar 24, 2017 at 1:49 AM, Michael Anthon
<michael.anthon(a)infoview.com.au> wrote:
We are attempting to implement IdP initiated SSO, similar to what is
outlined in this blog...
https://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-r...
The main difference is that our SP is using openid to authenticate with Keycloak.
So the configuration is like this...
ADFS(fs.example.com) <---SAML---> Keycloak(kc.example.com) <---openid---> SP(app.example.com)
The SP is set up as a client in a Realm in Keycloak and the ADFS is set up as an identity
provider.
In ADFS, Keycloak is set up as a Relying Party.
The intent here is that we can provide the end user with a URL that they can access that
will send them to their ADFS portal to login (if required) and have them end up in the
application without them having to do anything in Keycloak.
The URL according to the article will be something like
https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3D...
I have been able to set up a standard IdP login via these servers; however, the situation
is that we will have multiple clients accessing the system and we are not allowed to
expose who our clients are, so we will need to edit the login templates and remove the IdP
buttons, which is why I'm looking for an IdP-initiated solution.
Currently when I attempt this I don't end up in the right place in Keycloak but
instead end up at
https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint
I'm wondering if anyone has done this and has any pointers on configuring this
correctly (or indeed if I'm barking up the wrong tree and it's not possible)
Thanks,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user