[keycloak-user] converting OIDC token to SAML

Bruce Wings testoauth55 at gmail.com
Thu Apr 18 12:01:13 EDT 2019


No.
Actually, the 3rd party app is using Okta as SAML IDP.
So I added another app in Okta for my Keycloak server. Now when the user logs
into Keycloak using this Okta integration, I received a Keycloak access token
embedded with the Okta SAML token.

On Thursday, April 18, 2019, Pedro Igor Silva <psilva at redhat.com> wrote:

> Out of curiosity, so the 3rd party is already using Keycloak as a SAML IdP?
>
> On Thu, Apr 18, 2019 at 1:32 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> Answer to my previous question:
>>
>> The only step needed after adding the SAML provider is to turn on the Stored
>> Tokens Readable and Stored Tokens switches. The reason I was getting the above
>> error was that for an already imported user, this role will not get set.
>> It will only get set for newly imported users (users imported after turning
>> on the switches).
>>
>> But this is a very handy solution from Keycloak to extract SAML tokens.
>>
>> On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings <testoauth55 at gmail.com>
>> wrote:
>>
>>> Thanks Pedro,
>>>
>>> I guess, then, an alternative and very good solution that Keycloak
>>> provides is to integrate the same SAML provider (which is being used by the
>>> 3rd party app) with Keycloak, extract the SAML token from it and pass this
>>> token on to the 3rd party app.
>>>
>>> I followed the official doc: https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>>>
>>> After configuring the SAML provider, I turned on the Stored Tokens
>>> Readable and Stored Tokens switches; however, I am still receiving
>>>
>>> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
>>> identity provider [saml1]."*
>>>
>>> In the doc there is one more configuration: "This access token will need
>>> to have the broker client-level role read-token set", but I do not know
>>> where to set this particular option. Any idea?
>>>
>>>
>>> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> If you want to exchange access/ID tokens for SAML assertions, the token
>>>> exchange does not support SAML.
>>>>
>>>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> I have successfully integrated a few of my apps with Keycloak (with OIDC
>>>>> tokens). However, there is a 3rd party app which works on SAML tokens.
>>>>> I am wondering whether it is possible to use my existing Keycloak system
>>>>> to send SAML tokens to this third party app?
>>>>> i.e. I want to use Keycloak as IDP and SP and generate SAML tokens and
>>>>> send them to this 3rd party app. Is this scenario even possible?
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
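The broker token retrieval the thread settles on, as an added example (not code from the thread or from the Keycloak project): it calls the `/broker/{alias}/token` endpoint described in the linked Keycloak docs with the user's Keycloak access token and separates the read-token authorization error quoted above from other failures. Server, realm, provider alias and token values are placeholders; the transport hook exists so the logic can be exercised without a live server.

```python
"""Fetch the external IdP (e.g. SAML) token Keycloak stored for a brokered login.

Added example for this thread, not code from the list or the Keycloak project.
Assumes the broker token endpoint form from the Keycloak 4.x server-admin docs:
  GET {server}/auth/realms/{realm}/broker/{alias}/token
authenticated with the user's Keycloak access token. Names are placeholders.
"""
import json
import urllib.error
import urllib.request


def broker_token_url(server, realm, alias):
    """Build the broker token endpoint URL for one identity provider alias."""
    return f"{server.rstrip('/')}/auth/realms/{realm}/broker/{alias}/token"


def http_get(url, headers):
    """Default transport: returns (status, body) and does not raise on HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def fetch_external_token(server, realm, alias, access_token, transport=http_get):
    """Return the stored external token (for a SAML provider, the assertion XML).

    The access token only unlocks this endpoint if the user holds the broker
    client's read-token role, which Keycloak grants when the user is linked
    while 'Stored Tokens Readable' is on. Users linked earlier keep getting the
    'not authorized to retrieve tokens' error quoted in the thread, so that
    case is reported as PermissionError rather than a generic failure.
    """
    headers = {"Authorization": f"Bearer {access_token}"}
    status, body = transport(broker_token_url(server, realm, alias), headers)
    if status == 200:
        return body
    try:
        message = json.loads(body).get("errorMessage", body)
    except ValueError:
        message = body
    if "not authorized to retrieve tokens" in message:
        raise PermissionError(message)  # user lacks the broker read-token role
    raise RuntimeError(f"broker endpoint returned {status}: {message}")
```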

