[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Bill Burke bburke at redhat.com
Sun Nov 13 09:49:58 EST 2016


So, you have Application FOOBAR which is secured by IDP 'B'.  You want 
to register an IDP initiated SSO link on IDP 'A' that redirects to IDP 
'B' that redirects to Application FOOBAR?  That's not something we 
support at the moment.



On 11/13/16 9:16 AM, Chris Brandhorst wrote:
> Isn’t this like my question:
> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>
> and bug report:
> https://issues.jboss.org/browse/KEYCLOAK-3731
>
> If you're trying to do IDP-initiated SSO starting from the external IDP,
> that's not something we support.
> It seems that that’s exactly what we are attempting. Why shouldn’t that be
> supported and what does that mean for my bug report (which was already
> worked on)?
>
> On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com<mailto:bburke at redhat.com>> wrote:
>
> So, you:
>
> 1. visit the IDP-initiated SSO URL on keycloak
>
> 2. Select an external IDP to login from on the Keycloak login page
>
> 3. Login to the external IDP
>
> 4. Failure?
>
> Sounds like a bug.
>
> If you're trying to do IDP-initiated SSO starting from the external IDP,
> that's not something we support.
>
>
> On 11/11/16 11:13 PM, Josh Cain wrote:
> Hi all,
>
> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> against the Keycloak broker service.  However, it's failing every time
> on the IdentityBrokerService.authenticated(..) method.  I get the
> following error on the console:
>
> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
> staleCodeMessage
>
> This method seems to think that clients should *always* visit the
> Keycloak IDP before returning with a SAML assertion, a the failure to
> retrieve an associated client session is causing a serious issue.  I am
> able to successfully use the identity brokering functions if I use an
> SP-initiated flow, so I know the brokering piece is configured
> correctly.
>
> Is this a limitation in the current implementation, or do I have
> something configured incorrectly?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list