[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Chris Brandhorst Chris.Brandhorst at topicus.nl
Sun Nov 13 09:16:58 EST 2016


Isn’t this like my question:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html

and bug report:
https://issues.jboss.org/browse/KEYCLOAK-3731

If you're trying to do IDP-initiated SSO starting from the external IDP,
that's not something we support.
It seems that that’s exactly what we are attempting. Why shouldn’t that be
supported and what does that mean for my bug report (which was already
worked on)?

On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com<mailto:bburke at redhat.com>> wrote:

So, you:

1. visit the IDP-initiated SSO URL on keycloak

2. Select an external IDP to login from on the Keycloak login page

3. Login to the external IDP

4. Failure?

Sounds like a bug.

If you're trying to do IDP-initiated SSO starting from the external IDP,
that's not something we support.


On 11/11/16 11:13 PM, Josh Cain wrote:
Hi all,

I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
against the Keycloak broker service.  However, it's failing every time
on the IdentityBrokerService.authenticated(..) method.  I get the
following error on the console:

22:05:04,945 ERROR [org.keycloak.services] (default task-61)
staleCodeMessage

This method seems to think that clients should *always* visit the
Keycloak IDP before returning with a SAML assertion, a the failure to
retrieve an associated client session is causing a serious issue.  I am
able to successfully use the identity brokering functions if I use an
SP-initiated flow, so I know the brokering piece is configured
correctly.

Is this a limitation in the current implementation, or do I have
something configured incorrectly?


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list