[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Josh Cain jcain at redhat.com
Fri Nov 11 23:13:22 EST 2016

Hi all,

I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
against the Keycloak broker service.  However, it's failing every time
on the IdentityBrokerService.authenticated(..) method.  I get the
following error on the console:

22:05:04,945 ERROR [org.keycloak.services] (default task-61)

This method seems to think that clients should *always* visit the
Keycloak IDP before returning with a SAML assertion, a the failure to
retrieve an associated client session is causing a serious issue.  I am
able to successfully use the identity brokering functions if I use an
SP-initiated flow, so I know the brokering piece is configured

Is this a limitation in the current implementation, or do I have
something configured incorrectly?

Josh Cain | Software Applications Engineer
Identity and Access
Red Hat
+1 256-452-0150

More information about the keycloak-user mailing list