[keycloak-user] KEYCLOAK-4509 Support IDP Initiated to OIDC RP
Adrian Gonzalez
adr_gonzalez at yahoo.fr
Fri Feb 2 10:28:03 EST 2018
Hello,
I just created this PR : https://github.com/keycloak/keycloak/pull/4965.
This allows to use IDP initiated logins with OIDC Clients (for now it's limited to SAML clients).
My use case is:- My OIDC Client uses Keycloak as OIDC Authorization Server.- users use Okta as IDP.
Hence:* I register my OIDC Client in Okta portal using a url like http://<keycloak>/auth/realms/<realm>/broker/<idp-name>/endpoint/clients/<client-alias>). In a similar way to http://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login. * When a user access his Okta portal, he authenticates to Okta (no KC involved)* In Okta portal he see a list of application.* he click on OIDC Client app.* Okta initiates a SAML authentication with Keycloak.* once it succeeds, Keycloak calls a URL of OIDC Client.* the OIDC Client will initiate a OIDC flow with keycloak.* Keycloak will redirect back to the OIDC Client (using the same identity as the one initiated by Okta SAML flow)
My Client is registered in a way that Okta will
This work like :* the user is authenticated in external IDP.* external IDP dashboard page lists all available Client.* user clicks on a Client.* external IDP redirects to KC (using SAML).* KC validates the authentication.* KC redirects to the OIDC RP (IDP Initiated Target URL).* OIDC RP initiates a OIDC authentication flow, and redirects to KC* KC creates automatically a session and redirects back to OIDC RP.
The code is far from bullet-proof, I'll gladly accept some feedback.
Cheers,Adrian
More information about the keycloak-user
mailing list