[keycloak-user] IdP initiated SSO to Account page?
Mark Pardijs
mark.pardijs at topicus.nl
Tue Feb 7 04:37:38 EST 2017
I see what you mean by the idp_hint, but wouldn’t this exclude the IdP initiated SSO possibility? My use case is ‘User logs in to IdP ‘federated', IdP ‘federated' does an IdP initiated SSO to IdP ‘master’ with as ‘client’ the account page as documented here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html. This works with a ‘normal’ client, but not for the account client.
Op 7 feb. 2017, om 10:04 heeft Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>> het volgende geschreven:
The account page doesn't support SAML, only OIDC.
To achieve what you want we'd have to add idp_hint query param support to the account page and make it include that to it's authentication request. Would be pretty simply to do. You can create a JIRA feature request for it. Even better if it came with a PR including tests.
On 6 February 2017 at 16:41, Mark Pardijs <mark.pardijs at topicus.nl<mailto:mark.pardijs at topicus.nl>> wrote:
Hi,
I want to give my users the possibility to edit their account settings from an federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?
As far as I can see, I have to do the following steps:
1. In the ‘master’ keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no such thing as ‘OpenID Connect IdP initiated SSO as far as I can see)
2. In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}
The login goes successfully, but after login I see a 403 "Failed executing POST /realms/master/account” error, since the account page doesn’t accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET)
I could make a third client with as only function showing a link to the account page but don’t know if this is the right way to go.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list