[keycloak-user] IDP Initiated Login
Bill Burke
bburke at redhat.com
Thu Feb 23 12:45:04 EST 2017
Hmmm....somebody removed this config option....wtf...
On 2/23/17 12:11 PM, John D. Ament wrote:
> Bill,
>
> Thanks. How do i set "Automatic Delegate"?
>
> John
>
> On Thu, Feb 23, 2017 at 10:53 AM Bill Burke <bburke at redhat.com> wrote:
>
> Yes, that would be an infinite loop as you are configuring
> Keycloak to delegate authentication to Okta and Okta to delegate
> to keycloak. You'd have to:
>
> 1. Set up a client for your application in Keycloak
>
> 2. Set up a broker in Keycloak that points to Okta and sets that
> as the automatic delegate. This means no keycloak login screen
> would be shown and it would delegate directly to Okta for
> authentication.
>
> 3. Log into Okta
>
> 4. Get to Okta app screen.
>
> 5. Click on app link
>
> 6. App redirects to Keycloak for authentication
>
> 7. Keycloak redirects automatically to Okta
>
> 8. Okta sees you are already logged in
>
> 9. Redirects back to Keycloak
>
> 10. Creates SAML assertion or OIDC token for client
>
> 11. Redirects back to app.
>
> On 2/23/17 10:10 AM, John D. Ament wrote:
>> Effectively, yes.
>>
>> I just got *something* configured, though it resulted in an
>> infinite loop.
>>
>> 1. Created a SAML client for my application, with the following
>> custom settings:
>> - Client ID: my-saml
>> - IDP Initiated SSO URL Name: myapp-saml
>> - Assertion Consumer Service POST Binding URL:
>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>>
>> 2. Created a SAML IDP for Okta:
>> - SSO URL:
>> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>>
>> 3. In Okta, set the SSO URL to
>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>>
>> This results in an infinite loop of URLs that look like:
>> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>>
>> - John
>>
>> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke <bburke at redhat.com> wrote:
>>
>> I'm sorry, I only read the top half of the email thread.
>>
>> Is this what you want?
>>
>> 1. User logs into Okta
>>
>> 2. User clicks on app link in Okta
>>
>> 3. This app is actually secured by Keycloak, not Okta
>>
>> 4. You want some brokering done here between Keycloak and Okta.
>>
>> Is that it?
>>
>>
>> On 2/23/17 6:06 AM, John D. Ament wrote:
>>> Right, at this point I'm not thinking about OIDC any longer
>>> as my connector. Does what I described make sense as things
>>> to be done?
>>>
>>> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke <bburke at redhat.com> wrote:
>>>
>>> IDP Initiated SSO means that the login is
>>> unsolicited, meaning that the application did not
>>> initiate the login. OAuth protocol (and thus OIDC) does
>>> not support this. The application has to initiate the
>>> login. I'm not sure exactly what you're trying to do,
>>> but if you just want a page where you can see a list of
>>> apps that you can visit, you can just create a simple
>>> static web page with links to your apps formatted and
>>> pretty as you want it.
>>>
>>> Some IDPs or apps, Salesforce.com I think, require SAML
>>> IDP Initiated SSO and don't support the regular login
>>> protocol.
>>>
>>>
>>> On 2/22/17 10:18 PM, John D. Ament wrote:
>>>> Ok, I must have fat fingered there at the end. Sorry.
>>>>
>>>> With that said, assuming that I want IDP initiated
>>>> login, it seems like what I have to do is:
>>>>
>>>> - Create a SAML client in Keycloak for my application.
>>>> - Follow the IDP initiated flow from
>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>> - Point my IDP to the endpoint that gets generated in here.
>>>>
>>>> As a result, it seems like I don't have to even create
>>>> a SAML IDP in Keycloak, unless that somehow gets used
>>>> for SP initiated.
>>>>
>>>> John
>>>>
>>>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament at gmail.com> wrote:
>>>>
>>>> This is the part that's confusing me. What do you
>>>> mean by a "URL somewhere that links to your app
>>>> which will then redirect to keycloak"?
>>>>
>>>> Are you talking about triggering the inbound IDP
>>>> initiated by first calling into my app?
>>>>
>>>> If I look at (Okta for instance) they actually have
>>>> a portal-like site that users can leverage to
>>>> directly link to their apps. The links generated
>>>> here are doing IDP initiated SSO, by triggering
>>>> SAML in the broker then the broker is expected to
>>>> forward to the client (and mind you, I know very
>>>> little about SAML, but this is how I'm seeing it
>>>> behave in the browser).
>>>>
>>>> With that said, assum
>>>>
>>>>
>>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>> OIDC/OAuth doesn't have an IDP initiated
>>>> protocol. You'll have to
>>>> create a URL somewhere that links to your app
>>>> which will then redirect
>>>> to Keycloak.
>>>>
>>>>
>>>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>>> > Looks like I answered half of my question -
>>>> > https://issues.jboss.org/browse/KEYCLOAK-4454
>>>> >
>>>> > Seems like it will only work if I'm using SAML.
>>>> >
>>>> > John
>>>> >
>>>> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com> wrote:
>>>> >
>>>> >> Changing the subject to be a bit clearer about the problems.
>>>> >>
>>>> >> I think I'm understanding a bit further when reading through
>>>> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>> >>
>>>> >> - It seems like my application has to be SAML. I cannot do an OIDC based
>>>> >> solution.
>>>> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>>> >> application.
>>>> >> - The confusing part is about if my application requires... this seems a
>>>> >> bit odd, since I'm using the Keycloak adapter but sure.
>>>> >> - The part that's missing is what gets set up in the actual broker. You
>>>> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>>>> >> general these look like Keycloak specific parameters.
>>>> >>
>>>> >> Any thoughts?
>>>> >>
>>>> >> John
>>>> >>
>>>> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com> wrote:
>>>> >>
>>>> >> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>>>> >> when I sent this mail out.
>>>> >>
>>>> >> I'm going through this doc, and it's not clear to me in a few areas:
>>>> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>> >>
>>>> >> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>>>> >> have a link on the Okta portal to log in automatically to my SP.
>>>> >> - I think the webpage is saying that this only works if I'm using the SAML
>>>> >> connector for Keycloak, is that accurate?
>>>> >> - All of my Okta settings are from getting SP initiated working. Do any
>>>> >> of those need to change?
>>>> >> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>> >>
>>>> >> John
>>>> >>
>>>> >>
>>>> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com> wrote:
>>>> >>
>>>> >> Hi
>>>> >>
>>>> >> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>>>> >> authenticate (both SP initiated and IdP initiated) it fails with this error:
>>>> >>
>>>> >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>> >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage
>>>> >>
>>>> >> I suspect it's a setup issue on my side, so was hoping someone else has
>>>> >> tried this and can give tips. I even tried the import feature, no luck.
>>>> >>
>>>> >> John
>>>> >>
>>>> >>
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>
>>
>
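The redirect loop John hit above came from three URLs that have to line up in this brokered setup: the SSO URL entered on the Okta side must be Keycloak's broker endpoint for the client, and the Keycloak SAML client's Assertion Consumer Service URL must be the application's own endpoint, not Keycloak's broker endpoint (which is what the posted configuration had). The checker below is an added example, not Keycloak's code and not from the thread; it takes the broker endpoint shape /auth/realms/<realm>/broker/<alias>/endpoint/clients/<name> from the thread, and the dict field names are its own.

```python
import re
from urllib.parse import urlparse

# Path shape of the broker endpoint quoted in the thread; the /clients/<name>
# suffix is the client's "IDP Initiated SSO URL Name".
BROKER_RE = re.compile(
    r"^/auth/realms/(?P<realm>[^/]+)/broker/(?P<alias>[^/]+)/endpoint"
    r"(?:/clients/(?P<client>[^/]+))?/?$")

def parse_broker_endpoint(url):
    """(realm, alias, client_url_name) for a broker endpoint URL, else None."""
    m = BROKER_RE.match(urlparse(url).path)
    return None if m is None else (m.group("realm"), m.group("alias"), m.group("client"))

def check_saml_brokering(keycloak_base, realm, saml_client, okta_idp):
    """saml_client: dict(client_id, idp_initiated_name, acs_url) for the Keycloak
    SAML client; okta_idp: dict(alias, sso_url_in_okta) for the broker and the SSO
    URL entered on the Okta side. Field names are this example's own.
    Returns a list of findings; empty means nothing was flagged."""
    findings = []
    acs = saml_client["acs_url"]
    # The ACS URL is where the assertion for the application is posted. In the
    # thread it was set to Keycloak's own broker endpoint, so Keycloak's response
    # for the client went back into the broker instead of to the application.
    if (urlparse(acs).netloc == urlparse(keycloak_base).netloc
            and parse_broker_endpoint(acs) is not None):
        findings.append(f"client {saml_client['client_id']}: ACS URL {acs} is "
                        "Keycloak's own broker endpoint, not the application's")
    # Okta has to post its response to the broker endpoint for this client.
    expected = (f"{keycloak_base.rstrip('/')}/auth/realms/{realm}/broker/"
                f"{okta_idp['alias']}/endpoint/clients/"
                f"{saml_client['idp_initiated_name']}")
    if okta_idp["sso_url_in_okta"].rstrip("/") != expected:
        findings.append(f"broker {okta_idp['alias']}: Okta SSO URL should be {expected}")
    return findings

# Constructed input mirroring the values John posted in the thread.
THREAD_CLIENT = {"client_id": "my-saml", "idp_initiated_name": "myapp-saml",
                 "acs_url": "http://mykeycloak/auth/realms/tenant1/broker/okta"
                            "/endpoint/clients/myapp-saml"}
THREAD_OKTA = {"alias": "okta",
               "sso_url_in_okta": "http://mykeycloak/auth/realms/tenant1/broker/okta"
                                  "/endpoint/clients/myapp-saml"}

if __name__ == "__main__":
    for finding in check_saml_brokering("http://mykeycloak", "tenant1",
                                        THREAD_CLIENT, THREAD_OKTA):
        print(finding)
```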