[keycloak-user] converting OIDC token to SAML

Bruce Wings testoauth55 at gmail.com
Thu Apr 18 00:18:57 EDT 2019


Thanks Pedro,

I guess, then, an alternative (and a very good solution) that Keycloak
provides is to integrate the same SAML provider (which is being used by the 3rd
party app) with Keycloak, extract the SAML token from it and pass
this token on to the 3rd party app.

I followed the official doc:
https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens


After configuring the SAML provider, I turned on the Stored Tokens Readable
and Stored Tokens switches, however I am still receiving

*"errorMessage": "Client [myApp] not authorized to retrieve tokens from
identity provider [saml1]."*

In the doc there is 1 more configuration - "This access token will need to
have the broker client-level role read-token set" but I do not know where
to set this particular option. Any idea?


On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> If you want to exchange access/id tokens for saml assertions, the token
> exchange does not support SAML.
>
> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> I have successfully integrated a few of my apps with Keycloak (with OIDC
>> tokens). However, there is a 3rd party app which works on SAML tokens. I am
>> wondering whether it is possible to use my existing Keycloak system to send SAML
>> tokens to this third party app?
>> i.e. I want to use Keycloak as IDP and SP, generate SAML tokens and
>> send them to this 3rd party app. Is this scenario even possible?
>
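The error quoted above comes from Keycloak's external-IdP token endpoint, which the linked doc describes as `GET /realms/{realm}/broker/{provider_alias}/token` with the user's access token in a `Bearer` header, and which requires that token to carry the `read-token` role of the built-in `broker` client (a client role, assigned under the user's role mappings). Client roles show up in the access token under the `resource_access.<client>.roles` claim, so a client can check locally why the call is being refused before opening a support thread. The script below is an added example written for this thread, not code from Keycloak or from either poster; the base URL, realm and provider alias are placeholders, and the two sample tokens are constructed with a dummy signature purely so the decoding and role check can be exercised offline.

```python
import base64
import json
from urllib.parse import quote
from urllib.request import Request, urlopen


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for offline inspection only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysignature"


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    This is only for inspecting a token your own client just received from
    Keycloak; it must never be used to accept a token presented by a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_broker_read_token(claims: dict) -> bool:
    """True if the token carries the client role read-token of client broker."""
    roles = claims.get("resource_access", {}).get("broker", {}).get("roles", [])
    return "read-token" in roles


def broker_token_url(base_url: str, realm: str, provider_alias: str) -> str:
    """Endpoint from the Keycloak docs: /realms/{realm}/broker/{alias}/token."""
    return (f"{base_url.rstrip('/')}/realms/{quote(realm, safe='')}"
            f"/broker/{quote(provider_alias, safe='')}/token")


def diagnose_broker_response(status: int, body: str) -> str:
    """Map the endpoint's reply to a short diagnosis string."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)
    except ValueError:
        return f"error: HTTP {status}"
    msg = err.get("errorMessage") or err.get("error_description") or err.get("error", "")
    if "not authorized to retrieve tokens" in msg:
        # Exactly the message in the thread: the access token lacks broker/read-token.
        return "missing-read-token-role"
    if status == 401:
        return "invalid-or-expired-access-token"
    return f"error: HTTP {status} {msg}"


def fetch_external_token(base_url: str, realm: str, provider_alias: str,
                         access_token: str) -> str:
    """Call the live endpoint (network). Checks the role claim first so a
    misconfigured token fails fast with a useful message."""
    if not has_broker_read_token(decode_jwt_claims(access_token)):
        raise PermissionError("access token lacks client role broker/read-token; "
                              "assign it to the user before calling the endpoint")
    req = Request(broker_token_url(base_url, realm, provider_alias),
                  headers={"Authorization": f"Bearer {access_token}"})
    with urlopen(req) as resp:  # raises HTTPError on 401/403
        return resp.read().decode()


# Constructed sample claims: GOOD carries broker/read-token, BAD does not.
GOOD_TOKEN = make_sample_token({"sub": "user-1", "azp": "myApp",
                                "resource_access": {"broker": {"roles": ["read-token"]}}})
BAD_TOKEN = make_sample_token({"sub": "user-1", "azp": "myApp",
                               "resource_access": {"account": {"roles": ["view-profile"]}}})
# Error body quoted verbatim from the thread.
SAMPLE_ERROR_BODY = ('{"errorMessage": "Client [myApp] not authorized to retrieve '
                     'tokens from identity provider [saml1]."}')

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, "has broker/read-token:", has_broker_read_token(decode_jwt_claims(tok)))
    print(broker_token_url("https://sso.example.invalid/auth", "demo", "saml1"))
    print(diagnose_broker_response(403, SAMPLE_ERROR_BODY))
```

Run it as-is to see the role check distinguish the two constructed tokens and classify the thread's error body; point `fetch_external_token` at a real server only once the user's token decodes with `broker/read-token` present, otherwise the endpoint will keep returning the same 403.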

