[keycloak-user] Login via SAML RESPONSE from an IdP

Karsten Honsack karsten.honsack at zurich.com
Tue Nov 13 02:11:03 EST 2018


Hi Dimitry,

thank you for the additional information!

I don't know the exact technology. It is a German SSO provider for insurance sellers called "easy login" and I think their IdP is their own implementation as they also use some proprietary token formats for other scenarios.

Best regards

Karsten

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Friday, 9 November 2018 05:14
To: Karsten Honsack <karsten.honsack at zurich.com>; keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Login via SAML RESPONSE from an IdP

Hello Karsten,

Just to add to Luis's answer below. In SAML terms, this is called "Unsolicited SAML response", meaning that it hasn't been preceded by any AuthnRequest.

While configuring your partner webapp in the 3rd party IdP, make sure that your ACS URL is in the following form:
/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

where {client-id} is the value of the "IDP Initiated SSO URL Name" in the broker definition. It's a common mistake to use the Keycloak SAML endpoint (/auth/realms/{realm}/protocol/saml/endpoint) as the ACS for IdP-initiated SSO. This won't work, as the generic SAML endpoint doesn't accept unsolicited responses; only client-specific endpoints do.

By the way, what's that 3rd party IdP? Keycloak is known to work with Okta and PingFederate and theoretically should work with any SAML 2.0 compliant IdP.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-08 at 09:50 +0000, Karsten Honsack wrote:
> Hello everybody,
>
> I am trying to figure out if Keycloak is capable of fulfilling the following requirement. I read through the documentation but was not able to figure it out.
>
> Scenario:
> A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding:
>
> Flow:
> 1. User login on website.
> 2. User clicks on button.
> 3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
> 4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
> 5. Keycloak redirects user to the application.
> 6. User uses application.
>
> Is this possible? How does it have to be configured? Do you need any more information to help me? Thank you in advance!
>
> Best regards
>
> Karsten Honsack
>
