[keycloak-user] IdP initiated SSO with Keycloak

Michael Anthon michael.anthon at infoview.com.au
Thu Mar 23 20:49:29 EDT 2017


We are attempting to implement IdP initiated SSO, similar to what is outlined in this blog... https://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-relaystate-in-adfs-2-0/

The main difference is that our SP is using openid to authenticate with Keycloak.

So the configuration is like this...

ADFS(fs.example.com) <---SAML---> Keycloak(kc.example.com) <---openid--->SP(app.example.com)

The SP is set up as a client in a Realm in Keycloak and the ADFS is set up as an identity provider.

In ADFS, Keycloak is set up as a Relying Party.

The intent here is that we can provide the end user with a URL that they can access that will send them to their ADFS portal to login (if required) and have them end up in the application without them having to do anything in Keycloak.

The URL according to the article will be something like 
https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fkc.example.com%252Fauth%252Frealms%252Frealmid%26RelayState%3Dhttps%253A%252F%252Fapp.example.com%252F

I have been able to set up a standard IdP login via these servers; however, the situation is that we will have multiple clients accessing the system and we are not allowed to expose who our clients are, so we will need to edit the login templates and remove the IdP buttons, which is why I'm looking for an IdP initiated solution.

Currently when I attempt this I don't end up in the right place in Keycloak but instead end up at https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint

I'm wondering if anyone has done this and has any pointers on configuring this correctly (or indeed if I'm barking up the wrong tree and it's not possible).

Thanks,
Michael
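As an added example (not part of Michael's post or of Keycloak/ADFS), the Python below builds the ADFS idpinitiatedsignon.aspx URL using the nested, double-encoded RelayState convention from the linked article, decodes such a URL back into its RPID and inner RelayState, and checks the inner RelayState target against an allowlist of application hosts. The hostnames are the post's example hosts; the allowlist check is an assumed local policy, not anything ADFS or Keycloak enforces by itself.

```python
# Added example: nested RelayState handling for ADFS IdP-initiated sign-on.
# Not code from the original post; hostnames are the post's example values.
from urllib.parse import quote, urlencode, urlparse, parse_qs

ADFS_HOST = "fs.example.com"                      # constructed, from the post
KC_REALM = "https://kc.example.com/auth/realms/realmid"  # RPID in the post's URL
APP_URL = "https://app.example.com/"              # inner RelayState in the post

# The URL exactly as quoted in the post (constructed here for comparison).
EXAMPLE_URL = (
    "https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState="
    "RPID%3Dhttps%253A%252F%252Fkc.example.com%252Fauth%252Frealms%252Frealmid"
    "%26RelayState%3Dhttps%253A%252F%252Fapp.example.com%252F"
)


def build_idp_initiated_url(rpid: str, relay_state: str, adfs_host: str = ADFS_HOST) -> str:
    """Build the ADFS URL. The outer RelayState is itself a query string
    'RPID=<enc>&RelayState=<enc>' whose values are URL-encoded once; that
    whole string is then encoded again for the outer query, which is why
    the post's URL contains %253A / %252F sequences."""
    inner = urlencode({"RPID": rpid, "RelayState": relay_state}, quote_via=quote)
    return (f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx"
            f"?RelayState={quote(inner, safe='')}")


def parse_idp_initiated_url(url: str) -> dict:
    """Undo both encoding layers and return the RPID and inner RelayState."""
    outer = parse_qs(urlparse(url).query)          # first decode: outer query
    inner = parse_qs(outer["RelayState"][0])       # second decode: nested query
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def relay_state_allowed(relay_state: str, allowed_hosts: set) -> bool:
    """Assumed local check: the inner RelayState is user-controllable in the
    link, so only accept https targets on hosts you expect to redirect to."""
    target = urlparse(relay_state)
    return target.scheme == "https" and target.hostname in allowed_hosts


if __name__ == "__main__":
    url = build_idp_initiated_url(KC_REALM, APP_URL)
    print(url)
    print(parse_idp_initiated_url(url))
    print(relay_state_allowed(APP_URL, {"app.example.com"}))
```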


