[keycloak-user] Is An IDP - Initiated SSO to Broker Possible?

Chris Brandhorst Chris.Brandhorst at topicus.nl
Mon Nov 14 09:50:07 EST 2016 

Well, it seems we do :-)

In our case we have an existing desktop application with its own user management
(IdP A) which posts signed SAML responses to our webapplication.

We would like to migrate to an IdP setup using KeyCloak, with our webapplication
as a client of KeyCloak (IdP B). Since IdP A is a desktop application, only the IdP-
initiated flow is viable.


> On 14 Nov 2016, at 15:32, Bill Burke <bburke at redhat.com> wrote:
> 
> This is not a bug, its a feature request.  The IDP-SSO-Initiated link is 
> not set up to process SAML requests.  I didn't even think that people 
> would want to do a broker initiated sso.
> 
> 
> On 11/14/16 9:23 AM, Josh Cain wrote:
>> @Chris - yep, exactly the same thing.  Thanks for pointing me to the
>> right bug, I'll continue discussion there!
>> On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote:
>>> Let’s forget about FOOBAR. From my JIRA ticket, I’m trying an IdP-
>>> initiated SSO from IdP A to
>>> IdP B (after which we can do all sorts of things with the
>>> authenticators).
>>> 
>>> Stian called this a bug (set for 2.4.1.Final now), but it seems
>>> you’re saying this is not supported?
>>> This causes me some confusion, can you clarify?
>>> 
>>> Thanks,
>>> Chris
>>> 
>>>> On 13 Nov 2016, at 15:49, Bill Burke <bburke at redhat.com> wrote:
>>>> 
>>>> So, you have Application FOOBAR which is secured by IDP 'B'.  You
>>>> want
>>>> to register an IDP initiated SSO link on IDP 'A' that redirects to
>>>> IDP
>>>> 'B' that redirects to Application FOOBAR?  That's not something we
>>>> support at the moment.
>>>> 
>>>> 
>>>> 
>>>> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>>>>> Isn’t this like my question:
>>>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/00793
>>>>> 5.html
>>>>> 
>>>>> and bug report:
>>>>> https://issues.jboss.org/browse/KEYCLOAK-3731
>>>>> 
>>>>> If you're trying to do IDP-initiated SSO starting from the
>>>>> external IDP,
>>>>> that's not something we support.
>>>>> It seems that that’s exactly what we are attempting. Why
>>>>> shouldn’t that be
>>>>> supported and what does that mean for my bug report (which was
>>>>> already
>>>>> worked on)?
>>>>> 
>>>>> On 13 Nov 2016, at 15:06, Bill Burke <bburke at redhat.com<mailto:bb
>>>>> urke at redhat.com>> wrote:
>>>>> 
>>>>> So, you:
>>>>> 
>>>>> 1. visit the IDP-initiated SSO URL on keycloak
>>>>> 
>>>>> 2. Select an external IDP to login from on the Keycloak login
>>>>> page
>>>>> 
>>>>> 3. Login to the external IDP
>>>>> 
>>>>> 4. Failure?
>>>>> 
>>>>> Sounds like a bug.
>>>>> 
>>>>> If you're trying to do IDP-initiated SSO starting from the
>>>>> external IDP,
>>>>> that's not something we support.
>>>>> 
>>>>> 
>>>>> On 11/11/16 11:13 PM, Josh Cain wrote:
>>>>> Hi all,
>>>>> 
>>>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML
>>>>> Request)
>>>>> against the Keycloak broker service.  However, it's failing every
>>>>> time
>>>>> on the IdentityBrokerService.authenticated(..) method.  I get the
>>>>> following error on the console:
>>>>> 
>>>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>>>>> staleCodeMessage
>>>>> 
>>>>> This method seems to think that clients should *always* visit the
>>>>> Keycloak IDP before returning with a SAML assertion, a the
>>>>> failure to
>>>>> retrieve an associated client session is causing a serious
>>>>> issue.  I am
>>>>> able to successfully use the identity brokering functions if I
>>>>> use an
>>>>> SP-initiated flow, so I know the brokering piece is configured
>>>>> correctly.
>>>>> 
>>>>> Is this a limitation in the current implementation, or do I have
>>>>> something configured incorrectly?
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.or
>>>>> g>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> 
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> 
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list