[keycloak-user] IdP initiated SSO to Account page?

Mark Pardijs mark.pardijs at topicus.nl
Mon Feb 6 10:41:53 EST 2017


I want to give my users the possibility to edit their account settings from a federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?

As far as I can see, I have to do the following steps:

  1.  In the ‘master’ keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no such thing as ‘OpenID Connect IdP initiated SSO’ as far as I can see)
  2.  In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}

The login goes successfully, but after login I see a 403 “Failed executing POST /realms/master/account” error, since the account page doesn’t accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET)

I could make a third client whose only function is showing a link to the account page, but I don’t know if this is the right way to go.
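The “third client” landing page from the last paragraph, as an added Python example that is not part of the post or of Keycloak itself: a small WSGI relay registered as the SAML client, which accepts Keycloak’s POST-bound SAMLResponse and answers 303 See Other so the browser reaches the account page with a GET. The hostname, the realm allowlist and the /relay/<realm> path are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed values for this example; a real relay would read them from configuration.
KEYCLOAK_SERVER_URL = "https://keycloak.example.test"
ALLOWED_REALMS = {"demo"}                    # realms whose account page this relay may forward to
REALM_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # reject path tricks such as ".." or encoded slashes


def account_url(realm):
    # Same URL shape as in the post: {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account
    return f"{KEYCLOAK_SERVER_URL}/auth/realms/{realm}/account"


def landing_response(method, path, form):
    """Decide the reply for one request to the relay client.

    Returns (status, headers, body). The relay is what Keycloak knows as the SAML
    client, so Keycloak delivers the SAMLResponse here with a POST; we answer with
    303 See Other, which makes the browser fetch the account page with a GET.
    """
    m = re.fullmatch(r"/relay/([^/]+)", path)
    if not m:
        return "404 Not Found", [("Content-Type", "text/plain")], b"unknown path"
    realm = m.group(1)
    # Only forward to realms we explicitly allow; the target host is fixed, so this
    # cannot become an open redirect even though the realm comes from the request path.
    if not REALM_RE.match(realm) or realm not in ALLOWED_REALMS:
        return "404 Not Found", [("Content-Type", "text/plain")], b"unknown realm"
    if method == "POST" and "SAMLResponse" not in form:
        return "400 Bad Request", [("Content-Type", "text/plain")], b"missing SAMLResponse"
    if method not in ("GET", "POST"):
        return "405 Method Not Allowed", [("Allow", "GET, POST")], b""
    # 303 (not 302) so every browser re-requests Location with GET and drops the POST body.
    return "303 See Other", [("Location", account_url(realm))], b""


def application(environ, start_response):
    """Minimal WSGI entry point wrapping landing_response()."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length) if length else b""
    form = parse_qs(raw.decode("utf-8", errors="replace"))
    status, headers, body = landing_response(
        environ["REQUEST_METHOD"], environ.get("PATH_INFO", ""), form)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, application).serve_forever()
```

The relay does not validate the SAMLResponse; it only turns the POST into a GET, and the account page still authenticates the browser through its own Keycloak session cookie. If the relay ever made an authorization decision of its own, it would need full SAML signature and audience validation with a proper library.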
