[keycloak-user] IDP Initiated Login
Bill Burke
bburke at redhat.com
Fri Feb 24 09:09:38 EST 2017
On 2/23/17 9:14 PM, John D. Ament wrote:
> After I sent this email, it dawned on me what #4 was. I was able to
> get IDP initiated working. Here's what my setup looks like. So I'm
> interested, is this correct, is this too much?
>
> - Create an IDP for Okta.
>
> - App Client:
> - This represents the real application, receiving the final assertion.
> - Client Protocol: SAML
> - IDP Initiated SSO Name: some-value
> - Assertion Consumer Service POST Binding URL:
> http://myapp/saml (the /saml comes from the wildfly SAML adapter)
>
> Within Okta, I'm entering a URL like this:
>
> http://mykeycloak/auth/realms/<<realm>>/broker/<<alias>>/endpoint/clients/<<some-value>>
>
> Where:
>
> realm: your realm, e.g. tenant1 in my case
> alias: the value of the "alias" field from your IDP
> some-value: the IDP Initiated SSO Name value from above
>
> After doing this, I'm able to confirm that the principal is coming
> from Keycloak properly. I'm assuming based on this, I can only do
> this via the SAML adapter, not the OIDC connector.
>
Correct, no OIDC. Reason? It's the OAuth protocol. OAuth only allows
the client to initiate authentication.
Bill
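As an added illustration of the point above (not code from this thread or from Keycloak), here is a minimal OIDC relying party showing why an IdP cannot start the flow: the client mints `state`/`nonce` when it begins a login and accepts a callback only if it matches a request it issued. The endpoint, client id and redirect URI are hypothetical values modelled on the realm and app names in the thread.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class OidcClient:
    """Minimal OAuth/OIDC relying party (illustrative, not Keycloak's adapter)."""

    def __init__(self, auth_endpoint, client_id, redirect_uri):
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # state -> nonce, populated only when *this client* starts a login
        self._pending = {}

    def begin_login(self):
        """Client-initiated step: mint state/nonce, remember them, build the request."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self._pending[state] = nonce
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": state,
            "nonce": nonce,
        })
        return f"{self.auth_endpoint}?{query}"

    def handle_callback(self, callback_url):
        """Accept the redirect only if it answers a request we issued (and only once)."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        nonce = self._pending.pop(state, None)
        if nonce is None or code is None:
            # No matching pending request: an unsolicited (IdP-initiated)
            # or replayed response, so there is nothing to bind it to.
            return None
        # The nonce would be checked against the ID token after the code exchange.
        return {"code": code, "nonce": nonce}


def state_from_request_url(url):
    """Helper for callers/tests: read the state the client put in its request."""
    return parse_qs(urlparse(url).query)["state"][0]
```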