[keycloak-user] Keycloak with Ping Identity OpenID Connect Provider

Mitchell S Bowers Mitchell.S.Bowers at kp.org
Mon Jul 22 12:19:47 EDT 2019


Hello Pedro,

I don’t have any error logs to share but let me explain further. After configuring Ping as the OIDC provider, we would be routed to Ping for authentication. After successfully authenticating, we’d be sent back to the application (Keycloak) with the ID token and Access token. After decoding the JWT, we see that the issuer had changed to Keycloak. So not sure if Keycloak issues its own token after receiving the one from Ping.

The other issue is around session management. When invoking logout at our OIDC provider, the session remains active (even after closing the browser). We see the logout happening at our OIDC provider (Ping) but when the user navigates back to the app (Keycloak), they are not challenged. Is there a setting for invalidating the session on logout in Keycloak?

Thanks,

Mitchell

From: Pedro Igor Silva <psilva at redhat.com>
Sent: Monday, July 22, 2019 8:08 AM
To: Mitchell S Bowers <Mitchell.S.Bowers at kp.org>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider


Hi,

I have never configured PingIdentity as a broker before, but the configuration steps should be the same. Could you provide more details about the issues you are facing? Any specific error in logs?

On Fri, Jul 19, 2019 at 8:14 PM Mitchell S Bowers <Mitchell.S.Bowers at kp.org> wrote:
Hello,

Is there any documentation on configuring Keycloak to use Ping as an external OIDC provider? I've used the documentation provided for Okta, which should be essentially the same.

However, we are experiencing issues (specifically token issuance and logout). Any info would be greatly appreciated.

https://ultimatesecurity.pro/post/okta-oidc/

Thanks - Mitchell

NOTICE TO RECIPIENT:  If you are not the intended recipient of this e-mail, you are prohibited from sharing, copying, or otherwise using or disclosing its contents.  If you have received this e-mail in error, please notify the sender immediately by reply e-mail and permanently delete this e-mail and any attachments without reading, forwarding or saving them.  Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
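
Added example, not part of the original thread: a way to check which party issued a token the application received after a brokered login, by reading its `iss` claim as described in the message above. The issuer URLs, the `my-app` audience and the `make_sample` helper are constructed placeholders; the claims are read without signature verification, so this is for inspection only.

```python
import base64
import json

# Assumed issuer URLs (constructed placeholders, not taken from the thread).
KEYCLOAK_ISSUER = "https://keycloak.example.test/auth/realms/demo"
PING_ISSUER = "https://ping.example.test"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    For inspection only; never make a trust decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def issued_by(token: str) -> str:
    """Name the party whose issuer URL matches the token's 'iss' claim exactly."""
    iss = read_claims(token).get("iss")
    if not isinstance(iss, str):
        return "unknown"
    return {KEYCLOAK_ISSUER: "keycloak", PING_ISSUER: "ping"}.get(iss, "unknown")


def make_sample(iss: str) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": iss, "aud": "my-app"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    for issuer in (KEYCLOAK_ISSUER, PING_ISSUER):
        print(issuer, "->", issued_by(make_sample(issuer)))
```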

