[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
Chris Brandhorst
Chris.Brandhorst at topicus.nl
Sun Nov 13 09:16:58 EST 2016
Isn’t this like my question:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
and bug report:
https://issues.jboss.org/browse/KEYCLOAK-3731
> If you're trying to do IDP-initiated SSO starting from the external IDP,
> that's not something we support.
It seems that that’s exactly what we are attempting. Why shouldn’t that be
supported and what does that mean for my bug report (which was already
worked on)?
On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
So, you:
1. visit the IDP-initiated SSO URL on keycloak
2. Select an external IDP to login from on the Keycloak login page
3. Login to the external IDP
4. Failure?
Sounds like a bug.
If you're trying to do IDP-initiated SSO starting from the external IDP,
that's not something we support.
On 11/11/16 11:13 PM, Josh Cain wrote:
Hi all,
I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
against the Keycloak broker service. However, it's failing every time
on the IdentityBrokerService.authenticated(..) method. I get the
following error on the console:
22:05:04,945 ERROR [org.keycloak.services] (default task-61)
staleCodeMessage
This method seems to think that clients should *always* visit the
Keycloak IDP before returning with a SAML assertion, and the failure to
retrieve an associated client session is causing a serious issue. I am
able to successfully use the identity brokering functions if I use an
SP-initiated flow, so I know the brokering piece is configured
correctly.
Is this a limitation in the current implementation, or do I have
something configured incorrectly?
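The distinction the thread turns on, shown as an added example that is not Keycloak's code and not part of the original mail: in an SP-initiated flow the broker issues an AuthnRequest, records its ID, and can later tie the Response's InResponseTo back to that pending session; an unsolicited (IdP-initiated) Response carries no InResponseTo, so a broker that only knows how to look up a prior session has nothing to match and reports it as stale. The session-store class, the `allow_idp_initiated` policy flag, and the sample Response documents are assumptions made for this illustration (the sample is unsigned; signature and Conditions checks are out of scope here).

```python
"""Matching a SAML Response to a broker-side session (illustrative, not Keycloak code)."""
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class BrokerSessionStore:
    """Assumed helper: pending AuthnRequest IDs the broker issued, keyed by request ID."""

    def __init__(self):
        self._pending = {}

    def new_request(self, client_id):
        """Record a new outbound AuthnRequest for client_id and return its ID."""
        req_id = "_" + secrets.token_hex(16)
        self._pending[req_id] = {"client_id": client_id}
        return req_id

    def consume(self, req_id):
        """One-shot lookup: a second Response with the same InResponseTo is a replay."""
        return self._pending.pop(req_id, None)


def build_response(in_response_to=None, name_id="alice@example.com"):
    """Constructed sample Response; InResponseTo is omitted for the unsolicited case."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="_r1" Version="2.0"{attr}>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f"<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>"
        f"</samlp:Response>"
    )


def handle_response(store, response_xml, allow_idp_initiated=False, default_client=None):
    """Decide whether a Response belongs to a known broker session.

    Returns a dict with ok=True and the resolved client, or ok=False with the reason.
    `allow_idp_initiated` is an assumed policy switch: only when it is set is a
    Response with no InResponseTo accepted, and then it is routed to default_client
    rather than to a session the broker created.
    """
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    subject = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

    if in_response_to is None:
        # Unsolicited Response: there is no broker session to retrieve.
        if not allow_idp_initiated:
            return {"ok": False, "error": "staleCode: no broker session for unsolicited Response"}
        return {"ok": True, "user": subject, "client_id": default_client, "unsolicited": True}

    session = store.consume(in_response_to)
    if session is None:
        # Either never issued by this broker or already used once (replay).
        return {"ok": False, "error": "staleCode: unknown or already-used InResponseTo"}
    return {"ok": True, "user": subject, "client_id": session["client_id"], "unsolicited": False}


if __name__ == "__main__":
    store = BrokerSessionStore()
    rid = store.new_request("my-app")
    print(handle_response(store, build_response(rid)))          # SP-initiated: ok
    print(handle_response(store, build_response(rid)))          # same ID again: replay
    print(handle_response(store, build_response(None)))         # IdP-initiated: rejected
    print(handle_response(store, build_response(None),
                          allow_idp_initiated=True, default_client="my-app"))
```

The replay branch is why the one-shot `consume` matters: if the store kept the ID after use, a captured Response could be presented twice. Accepting unsolicited Responses is a deliberate policy decision, since the broker then cannot know which client session the login was meant for and has to fall back to a configured default.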