[keycloak-user] converting OIDC token to SAML

Pedro Igor Silva psilva at redhat.com
Thu Apr 18 08:18:04 EDT 2019


Out of curiosity, so the 3rd party is already using Keycloak as a SAML IdP?

On Thu, Apr 18, 2019 at 1:32 AM Bruce Wings <testoauth55 at gmail.com> wrote:

> Answer to my previous question:
>
> The only step needed after adding the SAML provider is to turn on the Stored Tokens
> Readable and Stored Tokens switches. The reason I was getting the above error
> was that for an already imported user, this role will not get set. Only for
> newly imported users (users imported after turning on the switches) will it get
> set.
>
> But this is a very handy solution from Keycloak for extracting SAML tokens.
>
> On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> Thanks Pedro,
>>
>> I guess, then, an alternative and a very good solution that Keycloak
>> provides is to integrate the same SAML provider (which is being used by the 3rd
>> party app) with Keycloak, extract the SAML token from it and pass this
>> token on to the 3rd party app.
>>
>> I followed the official doc:
>> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>>
>>
>> After configuring the SAML provider, I turned on the Stored Tokens
>> Readable and Stored Tokens switches; however, I am still receiving
>>
>> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
>> identity provider [saml1]."*
>>
>> In the doc there is one more configuration: "This access token will need
>> to have the broker client-level role read-token set", but I do not know
>> where to set this particular option. Any idea?
>>
>>
>> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> If you want to exchange access/ID tokens for SAML assertions, the token
>>> exchange does not support SAML.
>>>
>>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings <testoauth55 at gmail.com>
>>> wrote:
>>>
>>>> I have successfully integrated a few of my apps with Keycloak (with OIDC
>>>> tokens). However, there is a 3rd party app which works on SAML tokens. I
>>>> am wondering whether it is possible to use my existing Keycloak system to
>>>> send SAML tokens to this third party app?
>>>> i.e. I want to use Keycloak as IdP and SP, generate SAML tokens and send
>>>> them to this 3rd party app. Is this scenario even possible?
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>


More information about the keycloak-user mailing list