[keycloak-user] IdP Initiated SSO
Tom Billiet
tom.billiet at airties.com
Tue Aug 20 05:29:27 EDT 2019
Hi,
1. I fear you're right. This is also how I read the specs. Unfortunately I haven't got it working either.
1a. Workaround we're using is starting an SP initiated login with passing the "kc_idp_hint" in the IDP SSO link the user clicks. This starts an SP initiated login, automatically selects the right IDP provider, and because you're already logged in there you automatically get logged in and redirected to the app you want to use.
2. You can have a look at: /realms/MYREALM/.well-known/openid-configuration and /realms/MYREALM/broker/MYIDP/endpoint/descriptor
Best regards,
Tom
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Stephens
Sent: Friday, 16 August 2019 18:01
To: keycloak-user at lists.jboss.org
Cc: Chris Savory <chris.savory at edlogics.com>
Subject: [keycloak-user] IdP Initiated SSO
Hello,
Thanks for the great product. We have set up several instances of keycloak as the SP utilizing SP-Initiated SSO to external IdPs. Everything in that process is going smoothly. We have an external IdP that wants us to use IdP-initiated SSO to connect to their IdP. The current client protocol is openid-connect. We are using keycloak 5.0.
1. Is it possible for a keycloak service provider client using the openid-connect protocol to perform IdP-initiated SSO? I believe we have to set the client up using the saml protocol. Is this correct?
1a. If it is not possible, are there any workarounds that I can use? My app is using an openid-connect public client. How can I use IdP-initiated SSO in this scenario?
2. We need to provide the IdP the public key used to sign the assertions. Are the keys used to sign the assertions located in the keycloak admin console > realm settings > keys > Providers tab?
Thanks,
Christopher Stephens
Software Engineer | EdLogics
chris.stephens at edlogics.com
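
The workaround in 1a, as an added example (not code from either poster or from the Keycloak project): the link the IdP publishes points at an application endpoint that starts a fresh SP-initiated login with `kc_idp_hint`, so `state`, `nonce` and the PKCE verifier are generated per click instead of being baked into a static URL. The host, client id, redirect URI, function names and the use of PKCE are assumptions; the authorization endpoint is taken from the discovery document mentioned in point 2.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the one field needed from
# /realms/MYREALM/.well-known/openid-configuration (host is a placeholder).
DISCOVERY = {
    "authorization_endpoint":
        "https://keycloak.example.com/realms/MYREALM/protocol/openid-connect/auth",
}


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for PKCE and random tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_login(idp_alias, client_id, redirect_uri, discovery=DISCOVERY):
    """Return (url, session_values) for one SP-initiated login attempt.

    session_values must be stored in the user's session and checked when
    the authorization response arrives at redirect_uri.
    """
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, the RFC 7636 minimum
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "kc_idp_hint": idp_alias,  # Keycloak goes straight to this brokered IdP
    }
    url = discovery["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def state_matches(callback_url, session_values):
    """True only if the callback carries the state issued by start_login()."""
    returned = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(returned.encode(), session_values["state"].encode())
```

The `nonce` in `session_values` is compared against the `nonce` claim of the ID token, and `code_verifier` is sent with the token request.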