[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Bill Burke bburke at redhat.com
Mon Nov 14 09:32:06 EST 2016


This is not a bug, it's a feature request.  The IDP-SSO-Initiated link is 
not set up to process SAML requests.  I didn't even think that people 
would want to do a broker initiated sso.


On 11/14/16 9:23 AM, Josh Cain wrote:
> @Chris - yep, exactly the same thing.  Thanks for pointing me to the
> right bug, I'll continue discussion there!
> On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
>> Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-
>> initiated SSO from IdP A to
>> IdP B (after which we can do all sorts of things with the
>> authenticators).
>>
>> Stian called this a bug (set for 2.4.1.Final now), but it seems
>> you’re saying this is not supported?
>> This causes me some confusion, can you clarify?
>>
>> Thanks,
>> Chris
>>
>>> On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com> wrote:
>>>
>>> So, you have Application FOOBAR which is secured by IDP 'B'.  You
>>> want
>>> to register an IDP initiated SSO link on IDP 'A' that redirects to
>>> IDP
>>> 'B' that redirects to Application FOOBAR?  That's not something we
>>> support at the moment.
>>>
>>>
>>>
>>> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>>>> Isn’t this like my question:
>>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>>>>
>>>> and bug report:
>>>> https://issues.jboss.org/browse/KEYCLOAK-3731
>>>>
>>>> If you're trying to do IDP-initiated SSO starting from the
>>>> external IDP,
>>>> that's not something we support.
>>>> It seems that that’s exactly what we are attempting. Why
>>>> shouldn’t that be
>>>> supported and what does that mean for my bug report (which was
>>>> already
>>>> worked on)?
>>>>
>>>> On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>> So, you:
>>>>
>>>> 1. visit the IDP-initiated SSO URL on keycloak
>>>>
>>>> 2. Select an external IDP to login from on the Keycloak login
>>>> page
>>>>
>>>> 3. Login to the external IDP
>>>>
>>>> 4. Failure?
>>>>
>>>> Sounds like a bug.
>>>>
>>>> If you're trying to do IDP-initiated SSO starting from the
>>>> external IDP,
>>>> that's not something we support.
>>>>
>>>>
>>>> On 11/11/16 11:13 PM, Josh Cain wrote:
>>>> Hi all,
>>>>
>>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML
>>>> Request)
>>>> against the Keycloak broker service.  However, it's failing every
>>>> time
>>>> on the IdentityBrokerService.authenticated(..) method.  I get the
>>>> following error on the console:
>>>>
>>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>>>> staleCodeMessage
>>>>
>>>> This method seems to think that clients should *always* visit the
>>>> Keycloak IDP before returning with a SAML assertion, and the
>>>> failure to
>>>> retrieve an associated client session is causing a serious
>>>> issue.  I am
>>>> able to successfully use the identity brokering functions if I
>>>> use an
>>>> SP-initiated flow, so I know the brokering piece is configured
>>>> correctly.
>>>>
>>>> Is this a limitation in the current implementation, or do I have
>>>> something configured incorrectly?
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
