Hi Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage I suspect its a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck. John

Changing the subject to be a bit clearer about the problems. I think I'm understanding a bit further. when reading through https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl... - It seems like my application has to be SAML. I cannot do an OIDC based solution. - First thing I have to do is add IDP Initiated SSO URL Name to my application. - The confusing part is about if my application requires... this seems a bit odd, since I'm using the Keycloak adapter but sure. - The part that's missing is what gets setup in the actual broker. You mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In general these look like Keycloak specific parameters. Any thoughts? John On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament(a)gmail.com&gt; wrote: Ok, so I was able to get SP initiated working fine. I had only tried IDP when I sent this mail out. I'm going through this doc, and its not clear to me on a few areas: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl... - I have my application (the SP) and the SAML IDP (Okta in this case). I have a link on the okta portal to login automatically to my SP. - I think the webpage is saying that this only works if I'm using the SAML connector for keycloak, is that accurate? - All of my Okta settings are from getting SP initiated working. Do any of those need to change? - Do I in fact setup Okta as a SAML client in Keycloak? John On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament(a)gmail.com&gt; wrote: Hi Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage I suspect its a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck. John

OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to create a URL somewhere that links to your app which will then redirect to Keycloak. On 2/22/17 8:23 PM, John D. Ament wrote: > Looks like I answered half of my question - > https://issues.jboss.org/browse/KEYCLOAK-4454 > > Seems like it will only work if I'm using SAML. > > John > > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament(a)gmail.com&gt; > wrote: > >> Changing the subject to be a bit clearer about the problems. >> >> I think I'm understanding a bit further. when reading through >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl... >> >> - It seems like my application has to be SAML. I cannot do an OIDC based >> solution. >> - First thing I have to do is add IDP Initiated SSO URL Name to my >> application. >> - The confusing part is about if my application requires... this seems a >> bit odd, since I'm using the Keycloak adapter but sure. >> - The part that's missing is what gets setup in the actual broker. You >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In >> general these look like Keycloak specific parameters. >> >> Any thoughts? >> >> John >> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament(a)gmail.com&gt; >> wrote: >> >> Ok, so I was able to get SP initiated working fine. I had only tried IDP >> when I sent this mail out. >> >> I'm going through this doc, and its not clear to me on a few areas: >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl... >> >> - I have my application (the SP) and the SAML IDP (Okta in this case). I >> have a link on the okta portal to login automatically to my SP. >> - I think the webpage is saying that this only works if I'm using the SAML >> connector for keycloak, is that accurate? >> - All of my Okta settings are from getting SP initiated working. Do any >> of those need to change? >> - Do I in fact setup Okta as a SAML client in Keycloak? >> >> John >> >> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament(a)gmail.com&gt; >> wrote: >> >> Hi >> >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to >> authenticate (both SP initiated and IdP initiated) it fails with this error >> >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] >> (default task-7) staleCodeMessage >> >> I suspect its a setup issue on my side, so was hoping someone else has >> tried this and can give tips. I even tried the import feature, no luck. >> >> John >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user