[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
Chris Brandhorst
Chris.Brandhorst at topicus.nl
Mon Nov 14 04:36:34 EST 2016
Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-initiated SSO from IdP A to
IdP B (after which we can do all sorts of things with the authenticators).
Stian called this a bug (set for 2.4.1.Final now), but it seems you’re saying this is not supported?
This causes me some confusion, can you clarify?
Thanks,
Chris
> On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com> wrote:
>
> So, you have Application FOOBAR which is secured by IDP 'B'. You want
> to register an IDP initiated SSO link on IDP 'A' that redirects to IDP
> 'B' that redirects to Application FOOBAR? That's not something we
> support at the moment.
>
>
>
> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>> Isn’t this like my question:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>>
>> and bug report:
>> https://issues.jboss.org/browse/KEYCLOAK-3731
>>
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>> It seems that that’s exactly what we are attempting. Why shouldn’t that be
>> supported and what does that mean for my bug report (which was already
>> worked on)?
>>
>> On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
>>
>> So, you:
>>
>> 1. visit the IDP-initiated SSO URL on keycloak
>>
>> 2. Select an external IDP to login from on the Keycloak login page
>>
>> 3. Login to the external IDP
>>
>> 4. Failure?
>>
>> Sounds like a bug.
>>
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>>
>>
>> On 11/11/16 11:13 PM, Josh Cain wrote:
>> Hi all,
>>
>> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
>> against the Keycloak broker service. However, it's failing every time
>> on the IdentityBrokerService.authenticated(..) method. I get the
>> following error on the console:
>>
>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>> staleCodeMessage
>>
>> This method seems to think that clients should *always* visit the
>> Keycloak IDP before returning with a SAML assertion, and the failure to
>> retrieve an associated client session is causing a serious issue. I am
>> able to successfully use the identity brokering functions if I use an
>> SP-initiated flow, so I know the brokering piece is configured
>> correctly.
>>
>> Is this a limitation in the current implementation, or do I have
>> something configured incorrectly?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
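The failure Josh describes comes down to correlation: the broker expects every inbound SAML assertion to match a session it created when the user first visited Keycloak, so an unsolicited (IdP-initiated) response has nothing to look up and is treated as stale. The following is an added illustration of that correlation check, not code from this thread or from Keycloak; it assumes a pending-request store keyed by the broker's own AuthnRequest ID and uses the response's InResponseTo attribute as the link.

```python
import time
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Pending AuthnRequests the broker itself issued: request ID -> expiry (epoch seconds).
# This stands in for the broker-side "client session" that must exist on return.
PENDING = {}


def issue_request(request_id, lifetime=300, now=None):
    """Record that we sent an AuthnRequest with this ID (SP-initiated flow)."""
    now = time.time() if now is None else now
    PENDING[request_id] = now + lifetime


def classify_response(xml_text, now=None):
    """Return 'ok', 'unsolicited' or 'stale' for an inbound samlp:Response.

    Constructed input only; a production broker would parse with a hardened
    XML parser and verify the signature before trusting any attribute.
    """
    now = time.time() if now is None else now
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated: no AuthnRequest of ours to correlate with.
        return "unsolicited"
    expiry = PENDING.pop(in_response_to, None)   # single use: replay of the same ID fails
    if expiry is None or expiry < now:
        return "stale"
    return "ok"


# Constructed sample responses (assertions and signatures omitted for brevity).
SOLICITED = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'ID="_r1" InResponseTo="_req42" Version="2.0"/>')
UNSOLICITED = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="_r2" Version="2.0"/>')


def demo():
    """First solicited reply is accepted, its replay is stale, unsolicited is flagged."""
    issue_request("_req42", now=1000)
    return (classify_response(SOLICITED, now=1100),
            classify_response(SOLICITED, now=1100),
            classify_response(UNSOLICITED, now=1100))
```

The "unsolicited" branch is the decision point the thread is about: a broker that only knows SP-initiated flows has no choice but to reject there, while supporting IdP-initiated brokering means creating the session at that point instead.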