[keycloak-user] Accessing Keycloak from Okta Dashboard
Matteo Restelli
mrestelli at cuebiq.com
Wed Aug 7 04:26:46 EDT 2019
Hi Tom,
Yeah you're right, they are two completely separated flows.
We're currently trying to understand if it's possible to create an Okta
application which redirects to the login page with the kc_idp_hint
parameter in querystring. Specifying as a value of the parameter the name
of the configured identity provider. This should do the trick. Currently
i'm not into the Okta Configuration part so i cannot confirm that, i'll
write here if something new comes up!
Thank you for your suggestions,
Matteo
On Wed, Aug 7, 2019 at 10:22 AM Tom Billiet <tom.billiet at airties.com> wrote:
> Hi Matteo,
>
> You're talking about 2 different flows here:
> * the "login with okta" button on keycloak. Then the flow is started from
> keycloak and it's called SP initiated login.
> * clicking the keycloak button in okta. Then the flow is started from okta
> and it's called IDP initiated login
>
> To my understanding this will depend on what type of client you're using.
>
> If your client is a SAML client, you should look at IDP initiated login
> section in the docs (never tried it myself):
> https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login
> On the other hand, if your client is an Openid connect/OAuth client, to my
> understanding oauth does not support this and hence it's not possible
> out-of-the-box.
>
> I'm in the same situation myself, and at the moment we've "solved" this by
> not showing the keycloak button in okta (you can configure that).
> However it would be much more convenient to get it working, so if anybody
> has a workaround on this, I'd be happy to know. I was thinking myself if
> there isn't a possibility to put a "fake" SAML client in between to handle
> the IDP initiated login and then redirect to the oauth app would be an
> option. But haven't found time to try it out.
>
> Best regards,
> Tom
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Matteo Restelli
> Sent: Wednesday, 7 August 2019 09:46
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] Accessing Keycloak from Okta Dashboard
>
> Hi all,
> we're trying to configure Keycloak with Okta. We've no problems in
> configuring the button "Login with okta" on the Keycloak login page. The
> problem now is how to configure Keycloak to have the possibility to access
> Keycloak from the Okta dashboard. Once we've configured the app in Okta,
> we've received the following error message inside the Keycloak logs:
>
> 07:44:13,487 INFO
> [org.jboss.aerogear.keycloak.metrics.MetricsEventListener] (default
> task-4) Received user event of type IDENTITY_PROVIDER_LOGIN_ERROR in realm
> master
> 07:44:13,487 WARN [org.keycloak.events] (default task-4)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> userId=null, ipAddress=10.1.3.6, error=invalidRequestMessage
> 07:44:13,487 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> (default task-4) invalidRequestMessage
>
> We've followed this guide:
> https://ultimatesecurity.pro/post/okta-saml/
>
> Any thoughts on that?
>
> Thank you very much,
> Matteo
>
> --
>
> Like <https://www.facebook.com/cuebiq/> I Follow <
> https://twitter.com/Cuebiq>I Connect <
> https://www.linkedin.com/company/cuebiq>
>
>
> This email is reserved
> exclusively for sending and receiving messages inherent working
> activities, and is not intended nor authorized for personal use. Therefore,
> any outgoing messages or incoming response messages will be treated as
> company messages and will be subject to the corporate IT policy and may
> possibly to be read by persons other than by the subscriber of the box.
> Confidential information may be contained in this message. If you are not
> the address indicated in this message, please do not copy or deliver this
> message to anyone. In such case, you should notify the sender immediately
> and delete the original message.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> This message has been scanned for malware by Websense. www.websense.com
>
--
Like <https://www.facebook.com/cuebiq/> I Follow
<https://twitter.com/Cuebiq>I Connect
<https://www.linkedin.com/company/cuebiq>
This email is reserved
exclusively for sending and receiving messages inherent working activities,
and is not intended nor authorized for personal use. Therefore, any
outgoing messages or incoming response messages will be treated as company
messages and will be subject to the corporate IT policy and may possibly to
be read by persons other than by the subscriber of the box. Confidential
information may be contained in this message. If you are not the address
indicated in this message, please do not copy or deliver this message to
anyone. In such case, you should notify the sender immediately and delete
the original message.
More information about the keycloak-user
mailing list