[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Bill Burke bburke at redhat.com
Sun Nov 13 09:06:06 EST 2016

So, you:

1. visit the IDP-initiated SSO URL on keycloak

2. Select an external IDP to login from on the Keycloak login page

3. Login to the external IDP

4. Failure?

Sounds like a bug.

If you're trying to do IDP-initiated SSO starting from the external IDP, 
that's not something we support.

On 11/11/16 11:13 PM, Josh Cain wrote:
> Hi all,
> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> against the Keycloak broker service.  However, it's failing every time
> on the IdentityBrokerService.authenticated(..) method.  I get the
> following error on the console:
> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
> staleCodeMessage
> This method seems to think that clients should *always* visit the
> Keycloak IDP before returning with a SAML assertion, a the failure to
> retrieve an associated client session is causing a serious issue.  I am
> able to successfully use the identity brokering functions if I use an
> SP-initiated flow, so I know the brokering piece is configured
> correctly.
> Is this a limitation in the current implementation, or do I have
> something configured incorrectly?

More information about the keycloak-user mailing list