[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
Josh Cain
jcain at redhat.com
Mon Nov 14 09:23:15 EST 2016
@Chris - yep, exactly the same thing. Thanks for pointing me to the
right bug, I'll continue discussion there!
On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
> Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an
> IdP-initiated SSO from IdP A to IdP B (after which we can do all sorts
> of things with the authenticators).
>
> Stian called this a bug (set for 2.4.1.Final now), but it seems
> you’re saying this is not supported?
> This causes me some confusion, can you clarify?
>
> Thanks,
> Chris
>
> >
> > On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com> wrote:
> >
> > So, you have Application FOOBAR which is secured by IDP 'B'. You want
> > to register an IDP initiated SSO link on IDP 'A' that redirects to
> > IDP 'B' that redirects to Application FOOBAR? That's not something we
> > support at the moment.
> >
> >
> >
> > On 11/13/16 9:16 AM, Chris Brandhorst wrote:
> > >
> > > Isn’t this like my question:
> > > http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
> > >
> > > and bug report:
> > > https://issues.jboss.org/browse/KEYCLOAK-3731
> > >
> > > > If you're trying to do IDP-initiated SSO starting from the
> > > > external IDP, that's not something we support.
> > >
> > > It seems that that’s exactly what we are attempting. Why shouldn’t
> > > that be supported and what does that mean for my bug report (which
> > > was already worked on)?
> > >
> > > On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
> > >
> > > So, you:
> > >
> > > 1. visit the IDP-initiated SSO URL on keycloak
> > >
> > > 2. Select an external IDP to login from on the Keycloak login
> > > page
> > >
> > > 3. Login to the external IDP
> > >
> > > 4. Failure?
> > >
> > > Sounds like a bug.
> > >
> > > If you're trying to do IDP-initiated SSO starting from the
> > > external IDP,
> > > that's not something we support.
> > >
> > >
> > > On 11/11/16 11:13 PM, Josh Cain wrote:
> > > Hi all,
> > >
> > > I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
> > > against the Keycloak broker service. However, it's failing every
> > > time on the IdentityBrokerService.authenticated(..) method. I get
> > > the following error on the console:
> > >
> > > 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
> > > staleCodeMessage
> > >
> > > This method seems to think that clients should *always* visit the
> > > Keycloak IDP before returning with a SAML assertion, and the failure
> > > to retrieve an associated client session is causing a serious issue.
> > > I am able to successfully use the identity brokering functions if I
> > > use an SP-initiated flow, so I know the brokering piece is configured
> > > correctly.
> > >
> > > Is this a limitation in the current implementation, or do I have
> > > something configured incorrectly?
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
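The failure Josh describes (an unsolicited SAML response arriving at a broker that can only find a client session through the AuthnRequest ID it minted earlier) is easy to see in a small model of the SP-side callback. The block below is an added illustration written for this page, not Keycloak's IdentityBrokerService code: the hostnames, the acs/endpoint URLs, the `STALE` string standing in for the broker's "no client session" error, and the `allow_unsolicited` switch are all made up, and signature verification is assumed to happen before this code runs. It shows the SP-initiated case succeeding because `InResponseTo` matches a pending request, the unsolicited case being rejected exactly as in the thread, and what a broker that opts in to IdP-initiated responses has to check instead (replay and assertion lifetime), since the request-ID binding that normally provides that protection is gone.

```python
import base64
import datetime as dt
import itertools
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Stand-in for the broker error from the thread: no client session for this response.
STALE = "staleCodeMessage"


def build_response(issuer, acs_url, not_on_or_after, resp_id, in_response_to=None):
    """Constructed, unsigned SAML Response, base64-encoded as in the POST binding.

    in_response_to=None models an unsolicited (IdP-initiated) Response; a value
    models the SP-initiated case where the IdP echoes the AuthnRequest ID.
    """
    attrs = f'ID="{resp_id}" Version="2.0" Destination="{acs_url}"'
    if in_response_to is not None:
        attrs += f' InResponseTo="{in_response_to}"'
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" {attrs}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="{resp_id}_a" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after:%Y-%m-%dT%H:%M:%SZ}"/>'
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


class Broker:
    """Hypothetical SP-side broker: client sessions are keyed by AuthnRequest ID."""

    def __init__(self, acs_url, trusted_issuers, allow_unsolicited=False):
        self.acs_url = acs_url
        self.trusted_issuers = set(trusted_issuers)
        self.allow_unsolicited = allow_unsolicited
        self.pending = {}             # AuthnRequest ID -> client session created at flow start
        self.seen_assertions = set()  # replay cache, only needed once unsolicited is allowed
        self._ids = itertools.count(1)

    def start_sp_initiated(self, client_session):
        """SP-initiated flow: mint an AuthnRequest ID and remember the client session."""
        req_id = f"_req{next(self._ids)}"
        self.pending[req_id] = client_session
        return req_id

    def authenticated(self, response_b64, now):
        """Callback for an incoming Response; returns (status, detail)."""
        root = ET.fromstring(base64.b64decode(response_b64))
        if root.tag != f"{{{SAMLP}}}Response":
            return ("error", "not a Response")
        if root.get("Destination") != self.acs_url:
            return ("error", "wrong Destination")
        if root.findtext(f"{{{SAML}}}Issuer") not in self.trusted_issuers:
            return ("error", "untrusted issuer")
        assertion = root.find(f"{{{SAML}}}Assertion")
        conditions = assertion.find(f"{{{SAML}}}Conditions")
        expiry = dt.datetime.strptime(conditions.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
        if now >= expiry:
            return ("error", "assertion expired")
        user = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

        in_response_to = root.get("InResponseTo")
        if in_response_to is not None:
            # SP-initiated: the only lookup key the broker has is the ID it minted.
            session = self.pending.pop(in_response_to, None)
            if session is None:
                return (STALE, None)
            return ("ok", {"user": user, "client_session": session})

        # Unsolicited: no client session was ever created, so a strict broker fails here.
        if not self.allow_unsolicited:
            return (STALE, None)
        assertion_id = assertion.get("ID")
        if assertion_id in self.seen_assertions:
            return ("error", "replayed assertion")
        self.seen_assertions.add(assertion_id)
        return ("ok", {"user": user, "client_session": None})


def demo():
    """Exercise the SP-initiated, strict-unsolicited, allowed-unsolicited, replay and expiry cases."""
    acs = "https://broker.example/realms/demo/broker/idp-a/endpoint"  # hypothetical
    idp = "https://idp-a.example/saml"                                # hypothetical
    now = dt.datetime(2016, 11, 11, 23, 13, 0)
    expiry = now + dt.timedelta(minutes=5)
    results = {}

    strict = Broker(acs, [idp])
    req_id = strict.start_sp_initiated({"client": "FOOBAR"})
    solicited = build_response(idp, acs, expiry, "_r1", in_response_to=req_id)
    results["sp_initiated"] = strict.authenticated(solicited, now)[0]
    results["sp_initiated_replay"] = strict.authenticated(solicited, now)[0]

    unsolicited = build_response(idp, acs, expiry, "_r2")
    results["unsolicited_strict"] = strict.authenticated(unsolicited, now)[0]

    lenient = Broker(acs, [idp], allow_unsolicited=True)
    results["unsolicited_allowed"] = lenient.authenticated(unsolicited, now)[0]
    results["unsolicited_replay"] = lenient.authenticated(unsolicited, now)[1]
    results["unsolicited_expired"] = lenient.authenticated(unsolicited, expiry)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the two brokers is the trade-off a practitioner is making when they ask for IdP-initiated SSO into a broker: in the strict model the pending-request table is both the session lookup and the anti-replay/anti-injection check, so an unsolicited response has nothing to match and is reported as stale. Accepting unsolicited responses means giving up that binding, so the replay cache and the `NotOnOrAfter` check stop being belt-and-braces and become the only thing preventing a captured response from being posted again later.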