[keycloak-user] Is there a way to use an OIDC IdP without any backchannel communication involved (like SAML 2.0 Web Browser SSO with HTTP-Post Binding)

May Marcus, Bedag Marcus.May at bedag.ch
Wed Jul 26 10:07:52 EDT 2017


Hi,

I'm looking into using Keycloak as a Broker in my SAAS platform to federate with foreign IdPs which aren't in my control.

So my scenario is this:
1. Customer navigates to his SP in my SAAS platform
2. SP redirects him to my Keycloak in my SAAS platform
3. Customer chooses to log in with his IdP
4. Keycloak redirects Customer to the login page of his IdP
5. Customer accomplishes login to his IdP
6. IdP redirects the Customer to my Keycloak
7. My Keycloak provisions the user
8. My Keycloak redirects the user to his SP in my SAAS platform
9. SP accepts the login

For a proof of concept I tried to implement this scenario with two Keycloak instances, which aren't and shouldn't be able to communicate with each other. The only thing that should communicate with both Keycloak instances is the user agent, because I don't want the hassle of having to establish, for example, a two-way SSL connection between my SAAS Keycloak and the foreign IdP.

My first attempt was using OpenID Connect, but then my SAAS Keycloak tried to get an access_token from the other Keycloak in step 7. That didn't work (as I expected and intended). So my question is: Is there a way to use an OIDC IdP without any backchannel communication involved?

My second attempt was using SAML 2.0 Web Browser SSO with HTTP-Post Binding. That did work fine.

Best regards
Marcus