[keycloak-user] SAML Setup

Marek Posolda mposolda at redhat.com
Fri Jun 3 03:07:56 EDT 2016


Btw. I noticed that you have "First login flow" set to "registration" 
and post-login flow set to "direct grant". I am quite sure that it is 
not correct to set it up like this. For "First login flow" it is usually 
fine to keep the default value "First broker login", and PostBrokerLogin 
is usually fine to be kept empty (unless you want some additional 
verifications triggered once the user authenticates through your 
identityProvider, for example authenticating those users through OTP on 
the Keycloak side).

See docs for more details:
http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e1672
http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login

Marek

On 03/06/16 09:03, Marek Posolda wrote:
> Do I understand correctly that your application wants to talk with 
> Keycloak through the SAML protocol? If yes, then SAML Identity provider is 
> not something for your use case. SAML Identity provider is useful for 
> the opposite case (for example: your application wants to talk OIDC 
> with Keycloak, and Keycloak itself will then use SAML Identity 
> provider to redirect to some other 3rd party SAML IDP. So de facto 
> Keycloak acts as a "bridge" between the OIDC App and the external SAML IDP in 
> that case).
>
> For your case, you may need regular SAML adapters. Take a look at 
> keycloak-examples under directory "saml" and at the docs 
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
>
> If your "consumer" application wants to use SAML and you want Keycloak 
> to use SAML and act as "bridge" then you may need both SAML adapter 
> and SAML Identity provider.
>
> Marek
>
> On 01/06/16 17:08, Marque Davis wrote:
>> Hi,
>>
>> I’m working on moving SAML auth in one app into Keycloak. Since we 
>> have many clients hitting our existing API, we don’t want to change 
>> the external API. Instead we need to proxy through to Keycloak. I 
>> have a SAML test harness that generates the SAML doc and redirects to 
>> KC, but I constantly get a staleCodeError in the logs and the 
>> following error on the page it redirects to.
>>
>> WE'RE SORRY ...
>> This page is no longer valid, please go back to your application and 
>> login again
>>
>> I’ve set up an Identity Provider named “saml” and pointed my test app 
>> to the Redirect URI 
>> (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). 
>> Config screenshot attached (if it isn’t stripped from email)
>>
>> Am I doing something wrong, or is this just not a use case Keycloak 
>> is designed for?
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
