[keycloak-user] Identity broker login SAMLResponse handling

Bill Burke bburke at redhat.com
Sat Jul 29 10:06:07 EDT 2017


I don't understand what the error is.  Your external IDP sends a login 
response to

https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated

And there is an infinite loop?

On 7/29/17 5:03 AM, Phillip Fleischer wrote:
> Hi,
>
> We’re using keycloak for several authorization use cases already and are attempting to prototype some identity brokering with an external IdP application.
>
> In our current configuration the user is logged in to the external IdP, which sends a POST with the SAMLResponse directly to our broker. It looks like the appropriate solution is the IdP-initiated configuration in the examples.
>
> broker: external-idp-name
> client and url name: saml-idp-initiated
>
> https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
>
>
> The challenge is that our client then posts yet another SAMLResponse either back to our broker or to the realm SAML service.
>
> These result in the following results...
>
> 1 - {realmUrl}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
> |—- infinite redirect loop POST SAMLResponses
> 2 - {realmUrl}/broker/{broker}/endpoint
> |—- handleSamlResponse fails to validate “code” set to “relayState”.
> 3 - {realmUrl}/protocol/saml
> |—- handles SAMLResponses as logout and fails.
>
>
>
>
> It feels like we’re either totally missing the mark or this is a use case totally
> not supported that we’re attempting to kluge together. Anyone have thoughts on where we’re going conceptually wrong??
>
>
> — Phil
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
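A first step in a case like the one above is to look at what the browser is actually posting to each endpoint. The script below is an added example, not code from the thread or from Keycloak: it decodes a SAML HTTP-POST binding body, reports the message type (login Response versus LogoutResponse), the Destination attribute, InResponseTo (absent for an unsolicited, IdP-initiated response) and RelayState, and warns when the Destination does not match the URL the form was posted to. The hostnames, realm name and the two sample messages are constructed for illustration; the broker endpoint path mirrors the one quoted in the thread. The warnings are generic SAML checks and say nothing about how Keycloak itself will treat a given message.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical host and realm; the broker path follows the shape used in the thread.
BROKER_IDP_INITIATED_URL = ("https://sso.example.test/auth/realms/demo/broker/"
                            "external-idp-name/endpoint/clients/saml-idp-initiated")
REALM_SAML_URL = "https://sso.example.test/auth/realms/demo/protocol/saml"

# Constructed, unsigned sample messages (not captured from any real IdP).
SAMPLE_LOGIN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed_resp_1" Version="2.0" IssueInstant="2017-07-29T09:00:00Z"
    Destination="{BROKER_IDP_INITIATED_URL}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed_assertion_1" Version="2.0" IssueInstant="2017-07-29T09:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>phil</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_LOGOUT_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed_logout_1" Version="2.0" IssueInstant="2017-07-29T09:05:00Z"
    InResponseTo="_constructed_logout_req_1" Destination="{REALM_SAML_URL}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def build_post_body(xml_text: str, relay_state: Optional[str] = None) -> str:
    """Encode a SAML message the way the HTTP-POST binding does: base64 in the
    SAMLResponse form field, with an optional RelayState field beside it."""
    fields = {"SAMLResponse": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urllib.parse.urlencode(fields)


def inspect_post(form_body: str, posted_to: str) -> dict:
    """Decode a SAML POST body and report what was sent and where it claims to go.

    The warnings are generic SAML checks (root element type, Destination versus
    the URL the browser actually posted to); they do not model any particular
    SP or broker implementation."""
    fields = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    if "SAMLResponse" not in fields:
        raise ValueError("POST body carries no SAMLResponse field")
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    ns, _, local = root.tag[1:].partition("}")  # ElementTree tag: '{namespace}LocalName'
    info = {
        "message_type": local,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "relay_state": fields.get("RelayState", [None])[0],
        # No InResponseTo means the response was not solicited by an AuthnRequest,
        # i.e. an IdP-initiated flow.
        "idp_initiated": root.get("InResponseTo") is None,
        "warnings": [],
    }
    if ns != SAMLP_NS or local not in ("Response", "LogoutResponse"):
        info["warnings"].append(f"unexpected root element {root.tag}")
    elif local == "LogoutResponse":
        info["warnings"].append("message is a LogoutResponse, not a login Response")
    if info["destination"] is not None and info["destination"] != posted_to:
        info["warnings"].append(
            f"Destination {info['destination']} does not match the URL posted to ({posted_to})")
    return info


if __name__ == "__main__":
    for xml_text, url, rs in ((SAMPLE_LOGIN_RESPONSE, BROKER_IDP_INITIATED_URL, None),
                              (SAMPLE_LOGIN_RESPONSE, REALM_SAML_URL, None),
                              (SAMPLE_LOGOUT_RESPONSE, REALM_SAML_URL, "abc")):
        print(inspect_post(build_post_body(xml_text, rs), url))
```

Run it against a body captured from the browser's developer tools (the raw form body of the POST) and the URL the form was submitted to; a Destination mismatch or a LogoutResponse root element is the kind of thing that explains a response being rejected or handled as a logout before any Keycloak configuration is touched.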


