[keycloak-user] converting OIDC token to SAML

Bruce Wings testoauth55 at gmail.com
Thu Apr 18 00:31:39 EDT 2019


Answer to my previous question:

Only step needed after adding SAML provider is to turn on Stored Tokens
Readable and Stored Tokens switches. The reason I was getting above error
was because for already imported user, this role will not get set. Only for
newly imported users (users imported after turning on the switches) will it get
set.

But this is a very handy solution from keycloak to extract SAML tokens.

On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings <testoauth55 at gmail.com> wrote:

> Thanks Pedro,
>
> I guess, then an alternative and a very good solution that keycloak
> provides is to integrate the same SAML provider(which is being used by 3rd
> party app) with Keycloak and extract the SAML token from it and pass on
> this token to 3rd party app.
>
> I followed the official doc:
> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>
>
> After configuring the SAML provider, I turned on the Stored Tokens
> Readable and Stored Tokens switches, however I am still receiving
>
> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
> identity provider [saml1]."*
>
> In the doc there is 1 more configuration - "This access token will need
> to have the broker client-level role read-token set" but I do not know
> where to set this particular option. Any idea?
>
>
> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> If you want to exchange access/id tokens for saml assertions, the token
>> exchange does not support SAML.
>>
>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings <testoauth55 at gmail.com>
>> wrote:
>>
>>> I have successfully integrated few of my apps with keycloak (with OIDC
>>> tokens). However there is a 3rd party app which works on SAML tokens. I am
>>> wondering is it possible to use my existing keycloak system to send SAML
>>> tokens to this third party app?
>>> i.e. I want to use keycloak as IDP and SP and generate SAML tokens and send
>>> it to this 3rd party app. Is this scenario even possible?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>


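An added example (not code from the thread or from Keycloak) of the client side of the flow described above: it calls the external-IdP token endpoint from the linked doc with a user access token, surfaces the `errorMessage` Keycloak returns when the broker `read-token` role is missing, and checks the stored SAML assertion's validity window before it is passed on to the third-party app. It assumes the stored token for a SAML broker is the raw SAML response XML and that the base URL, realm name and provider alias are supplied by the caller.

```python
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def fetch_broker_token(base_url, realm, alias, access_token):
    """GET the stored IdP token for the caller; base_url/realm/alias are assumptions."""
    url = f"{base_url}/auth/realms/{realm}/broker/{alias}/token"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as e:
        body = e.read().decode()
        try:  # Keycloak answers with {"errorMessage": "Client [..] not authorized ..."}
            detail = json.loads(body).get("errorMessage", body)
        except ValueError:
            detail = body
        raise PermissionError(f"HTTP {e.code}: {detail}") from None

def _ts(iso):  # SAML timestamps are UTC, e.g. 2019-04-18T04:05:00Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def assertion_status(xml_text, now_iso):
    """NameID and validity window of the stored response; do not forward when outside_validity."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("stored token contains no SAML Assertion")
    cond = assertion.find("saml:Conditions", NS)
    now = _ts(now_iso)
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "outside_validity": now >= _ts(cond.get("NotOnOrAfter")) or now < _ts(cond.get("NotBefore")),
    }

# Constructed sample (not a real Keycloak response) so the check can run offline.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-04-18T04:00:00Z" NotOnOrAfter="2019-04-18T04:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

In practice the string returned by `fetch_broker_token` is what goes into `assertion_status`, with the current UTC time as `now_iso`.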