[keycloak-user] IDP Initiated Login
Bill Burke
bburke at redhat.com
Thu Feb 23 14:54:04 EST 2017
Maybe I should explain brokering?
If you want Keycloak to delegate authentication to a different IDP, then
you need to set up an Identity Provider. If you have a child IDP that
is delegating authentication to Keycloak then you must set up a client
within Keycloak. This client represents the connection to the child
IDP. Does that shed any light on things?
Is Keycloak delegating authentication to Okta? Or is Okta delegating to
Keycloak?
Thanks,
Bill
On 2/23/17 12:54 PM, John D. Ament wrote:
> :-)
>
> Well it seems not needed. Or we can worry about that later.
>
> - Is the client I'm setting up for my app a SAML client or OIDC
> client? Or does it not matter?
> - When I point Okta to my SAML IDP endpoint (
> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint
> <http://sso-poc.aws.stratas.net/auth/realms/tenant1/broker/okta/endpoint> )
> I'm getting " WE'RE SORRY ... This page is no longer valid, please go
> back to your application and login again" - this kind of makes sense,
> I don't see how I'm telling the Okta IDP which app to forward to.
>
> John
>
> On Thu, Feb 23, 2017 at 12:45 PM Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
> Hmmm....somebody removed this config option....wtf...
>
>
> On 2/23/17 12:11 PM, John D. Ament wrote:
>> Bill,
>>
>> Thanks. How do I set "Automatic Delegate"?
>>
>> John
>>
>> On Thu, Feb 23, 2017 at 10:53 AM Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>> wrote:
>>
>> Yes, that would be an infinite loop as you are configuring
>> Keycloak to delegate authentication to Okta and Okta to
>> delegate to keycloak. You'd have to:
>>
>> 1. Set up a client for your application in Keycloak
>>
>> 2. Set up a broker in Keycloak that points to Okta and sets
>> that as the automatic delegate. This means no keycloak login
>> screen would be shown and it would delegate directly to Okta
>> for authentication.
>>
>> 3. Log into Okta
>>
>> 4. Get to Okta app screen.
>>
>> 5. Click on app link
>>
>> 6. App redirects to Keycloak for authentication
>>
>> 7. Keycloak redirects automatically to Okta
>>
>> 8. Okta sees you are already logged in
>>
>> 9. Redirects back to Keycloak
>>
>> 10. Creates SAML assertion or OIDC token for client
>>
>> 11. Redirects back to app.
>>
>> On 2/23/17 10:10 AM, John D. Ament wrote:
>>> Effectively, yes.
>>>
>>> I just got *something* configured, though it resulted in an
>>> infinite loop.
>>>
>>> 1. Created a SAML client for my application, with the
>>> following custom settings:
>>> - Client ID: my-saml
>>> - IDP Initiated SSO URL Name: myapp-saml
>>> - Assertion Consumer Service POST Binding URL:
>>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>>>
>>> 2. Created a SAML IDP for Okta:
>>> - SSO URL:
>>> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>>>
>>> 3. In Okta, set the SSO URL to
>>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>>>
>>> This results in an infinite loop of URLs that look like:
>>> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>>>
>>> - John
>>>
>>> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke
>>> <bburke at redhat.com <mailto:bburke at redhat.com>> wrote:
>>>
>>> I'm sorry, I only read the top half of the email thread.
>>>
>>> Is this what you want?
>>>
>>> 1. User logs into Okta
>>>
>>> 2. User clicks on app link in Okta
>>>
>>> 3. This app is actually secured by Keycloak, not Okta
>>>
>>> 4. You want some brokering done here between Keycloak
>>> and Okta.
>>>
>>> Is that it?
>>>
>>>
>>> On 2/23/17 6:06 AM, John D. Ament wrote:
>>>> Right, at this point I'm not thinking about OIDC any
>>>> longer as my connector. Does what I described make
>>>> sense as things to be done?
>>>>
>>>> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke
>>>> <bburke at redhat.com <mailto:bburke at redhat.com>> wrote:
>>>>
>>>> IDP Initiated SSO means that the login is
>>>> unsolicited, meaning that the application did not
>>>> initiate the login. OAuth protocol (and thus OIDC)
>>>> does not support this. The application has to
>>>> initiate the login. I'm not sure exactly what
>>>> you're trying to do, but if you just want a page
>>>> where you can see a list of apps that you can
>>>> visit, you can just create a simple static web page
>>>> with links to your apps formatted and pretty as you
>>>> want it.
>>>>
>>>> Some IDPs or apps, Salesforce.com I think, require
>>>> SAML IDP Initiated SSO and don't support the
>>>> regular login protocol.
>>>>
>>>>
>>>> On 2/22/17 10:18 PM, John D. Ament wrote:
>>>>> Ok, I must have fat fingered there at the end.
>>>>> Sorry.
>>>>>
>>>>> With that said, assuming that I want IDP initiated
>>>>> login, it seems like what I have to do is:
>>>>>
>>>>> - Create a SAML client in Keycloak for my application.
>>>>> - Follow the IDP initiated flow from
>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>> - Point my IDP to the endpoint that gets generated
>>>>> in here.
>>>>>
>>>>> As a result, it seems like I don't have to even
>>>>> create a SAML IDP in Keycloak, unless that somehow
>>>>> gets used for SP initiated.
>>>>>
>>>>> John
>>>>>
>>>>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament
>>>>> <john.d.ament at gmail.com
>>>>> <mailto:john.d.ament at gmail.com>> wrote:
>>>>>
>>>>> This is the part that's confusing me. What do
>>>>> you mean by a "URL somewhere that links to
>>>>> your app which will then redirect to keycloak"?
>>>>>
>>>>> Are you talking about triggering the inbound
>>>>> IDP initiated by first calling into my app?
>>>>>
>>>>> If I look at (Okta for instance) they actually
>>>>> have a portal-like site that users can
>>>>> leverage to directly link to their apps. The
>>>>> links generated here are doing IDP initiated
>>>>> SSO, by triggering SAML in the broker then the
>>>>> broker is expected to forward to the client
>>>>> (and mind you, I know very little about SAML,
>>>>> but this is how I'm seeing it behave in the
>>>>> browser).
>>>>>
>>>>> With that said, assum
>>>>>
>>>>>
>>>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke
>>>>> <bburke at redhat.com <mailto:bburke at redhat.com>>
>>>>> wrote:
>>>>>
>>>>> OIDC/OAuth doesn't have an IDP initiated
>>>>> protocol. You'll have to
>>>>> create a URL somewhere that links to your
>>>>> app which will then redirect
>>>>> to Keycloak.
>>>>>
>>>>>
>>>>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>>>> > Looks like I answered half of my question -
>>>>> > https://issues.jboss.org/browse/KEYCLOAK-4454
>>>>> >
>>>>> > Seems like it will only work if I'm using SAML.
>>>>> >
>>>>> > John
>>>>> >
>>>>> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament at gmail.com
>>>>> > <mailto:john.d.ament at gmail.com>> wrote:
>>>>> >
>>>>> >> Changing the subject to be a bit clearer about the problems.
>>>>> >>
>>>>> >> I think I'm understanding a bit further. When reading through
>>>>> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>> >>
>>>>> >> - It seems like my application has to be SAML. I cannot do an OIDC based
>>>>> >> solution.
>>>>> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>>>> >> application.
>>>>> >> - The confusing part is about if my application requires... this seems a
>>>>> >> bit odd, since I'm using the Keycloak adapter but sure.
>>>>> >> - The part that's missing is what gets setup in the actual broker. You
>>>>> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>>>>> >> general these look like Keycloak specific parameters.
>>>>> >>
>>>>> >> Any thoughts?
>>>>> >>
>>>>> >> John
>>>>> >>
>>>>> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament at gmail.com
>>>>> >> <mailto:john.d.ament at gmail.com>> wrote:
>>>>> >>
>>>>> >> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>>>>> >> when I sent this mail out.
>>>>> >>
>>>>> >> I'm going through this doc, and it's not clear to me on a few areas:
>>>>> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>> >>
>>>>> >> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>>>>> >> have a link on the okta portal to login automatically to my SP.
>>>>> >> - I think the webpage is saying that this only works if I'm using the SAML
>>>>> >> connector for keycloak, is that accurate?
>>>>> >> - All of my Okta settings are from getting SP initiated working. Do any
>>>>> >> of those need to change?
>>>>> >> - Do I in fact setup Okta as a SAML client in Keycloak?
>>>>> >>
>>>>> >> John
>>>>> >>
>>>>> >>
>>>>> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament at gmail.com
>>>>> >> <mailto:john.d.ament at gmail.com>> wrote:
>>>>> >>
>>>>> >> Hi
>>>>> >>
>>>>> >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to
>>>>> >> authenticate (both SP initiated and IdP initiated) it fails with this error
>>>>> >>
>>>>> >> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>>> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>>> >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>>> >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>>> >> (default task-7) staleCodeMessage
>>>>> >>
>>>>> >> I suspect it's a setup issue on my side, so was hoping someone else has
>>>>> >> tried this and can give tips. I even tried the import feature, no luck.
>>>>> >>
>>>>> >> John
>>>>> >>
>>>>> >>
>>>>> >
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > <mailto:keycloak-user at lists.jboss.org>
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>
>>
>
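As an added example (not code from this thread, from Keycloak, or from either participant), a small Python lint over a constructed realm-export fragment that derives the brokered IDP-initiated endpoint URL John was pointing Okta at and flags the misconfiguration behind his loop: a SAML client whose Assertion Consumer Service URL points back into the realm's own broker endpoint, so the assertion Keycloak issues for the app lands on Keycloak again. The attribute keys `saml_idp_initiated_sso_url_name` and `saml_assertion_consumer_url_post` are the Keycloak realm-export names as I know them; the hostnames and the Okta app path are placeholders.

```python
"""Lint a Keycloak realm export for a brokered SAML IDP-initiated setup."""
import json
from urllib.parse import urlparse

BASE_URL = "http://mykeycloak/auth"  # placeholder host from the thread

# Constructed realm-export fragment modelled on the settings described in the
# thread. The ACS value deliberately reproduces the looping configuration.
REALM_JSON = """{
  "realm": "tenant1",
  "clients": [{
    "clientId": "my-saml", "protocol": "saml",
    "attributes": {
      "saml_idp_initiated_sso_url_name": "myapp-saml",
      "saml_assertion_consumer_url_post":
        "http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml"
    }
  }],
  "identityProviders": [{
    "alias": "okta", "providerId": "saml",
    "config": {"singleSignOnServiceUrl": "https://myokta/app/PLACEHOLDER/sso/saml"}
  }]
}"""

def load_realm(text=REALM_JSON):
    """Parse a realm export (the constructed fragment by default)."""
    return json.loads(text)

def broker_endpoints(realm, base=BASE_URL):
    """Map (idp alias, IDP Initiated SSO URL Name) to the broker URL the external IDP must target."""
    names = [c["attributes"]["saml_idp_initiated_sso_url_name"]
             for c in realm.get("clients", []) if c.get("protocol") == "saml"
             and c.get("attributes", {}).get("saml_idp_initiated_sso_url_name")]
    return {(idp["alias"], n):
            f"{base}/realms/{realm['realm']}/broker/{idp['alias']}/endpoint/clients/{n}"
            for idp in realm.get("identityProviders", []) for n in names}

def acs_loops(realm, base=BASE_URL):
    """Return SAML clientIds whose ACS POST URL points into this realm's own broker endpoint."""
    b = urlparse(base)
    prefix = f"{b.path}/realms/{realm['realm']}/broker/"
    hits = []
    for c in realm.get("clients", []):
        acs = urlparse(c.get("attributes", {}).get("saml_assertion_consumer_url_post", ""))
        if c.get("protocol") == "saml" and acs.netloc == b.netloc and acs.path.startswith(prefix):
            hits.append(c["clientId"])
    return hits

if __name__ == "__main__":
    realm = load_realm()
    for key, url in broker_endpoints(realm).items():
        print("IDP-initiated broker endpoint", key, "->", url)
    for cid in acs_loops(realm):
        print("WARNING: client", cid, "has its ACS pointed at the realm's own broker endpoint")
```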