[keycloak-user] Keycloak with Ping Identity OpenID Connect Provider

Pedro Igor Silva psilva at redhat.com
Mon Jul 22 12:47:50 EDT 2019


On Mon, Jul 22, 2019 at 1:19 PM Mitchell S Bowers <Mitchell.S.Bowers at kp.org>
wrote:

> Hello Pedro,
>
>
>
> I don’t have any error logs to share but let me explain further. After
> configuring Ping as the OIDC provider, we would be routed to Ping for
> authentication. After successfully authenticating, we’d be sent back to the
> application (Keycloak) with the ID token and Access token. After decoding
> the JWT, we see that the issuer had changed to Keycloak. So not sure if
> Keycloak issues its own token after receiving the one from Ping.
>

It does. But you should still be able to obtain the original tokens as per
https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens


>
>
> The other issue is around session management. When invoking logout at our
> OIDC provider, the session remains active (even after closing the browser).
> We see the logout happening at our OIDC provider (Ping) but when the user
> navigates back to the app (Keycloak), they are not challenged. Is there a
> setting for invalidating the session on logout in Keycloak?
>

IIRC, if the logout is starting at the brokered IdP, it should send a
logout request to Keycloak including the initiating_idp parameter. I would
check if the brokered IdP is at least sending a request to Keycloak.

Regards.


>
>
> Thanks,
>
>
>
> Mitchell
>
>
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Monday, July 22, 2019 8:08 AM
> *To:* Mitchell S Bowers <Mitchell.S.Bowers at kp.org>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect
> Provider
>
>
>
>
> Hi,
>
>
>
> I have never configured PingIdentity as a broker before, but the
> configuration steps should be the same. Could you provide more details
> about the issues you are facing? Any specific error in logs?
>
>
>
> On Fri, Jul 19, 2019 at 8:14 PM Mitchell S Bowers <
> Mitchell.S.Bowers at kp.org> wrote:
>
> Hello,
>
> Is there any documentation on configuring Keycloak to use Ping as an
> external OIDC provider? I've used the documentation provided for Okta,
> which should be essentially the same.
>
> However, we are experiencing issues (specifically token issuance and
> logout). Any info would be greatly appreciated.
>
> https://ultimatesecurity.pro/post/okta-oidc/
>
> Thanks - Mitchell
>
> NOTICE TO RECIPIENT:  If you are not the intended recipient of this
> e-mail, you are prohibited from sharing, copying, or otherwise using or
> disclosing its contents.  If you have received this e-mail in error, please
> notify the sender immediately by reply e-mail and permanently delete this
> e-mail and any attachments without reading, forwarding or saving them.
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
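An added example, not part of the thread: checking which party issued a token by its `iss` claim, and building the request to the broker token endpoint described in the Keycloak documentation section linked in the reply. The base URL, realm name, IdP alias and sample tokens are constructed assumptions; the endpoint only returns the external token when Store Tokens is enabled on the identity provider and the user has the broker `read-token` role.

```python
import base64
import json
from urllib.request import Request

def decode_jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying the signature.
    For inspection only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def realm_issuer(keycloak_base: str, realm: str) -> str:
    """Issuer a Keycloak realm puts in 'iss' (base URL includes /auth here)."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}"

def issued_by_realm(token: str, keycloak_base: str, realm: str) -> bool:
    return decode_jwt_claims(token).get("iss") == realm_issuer(keycloak_base, realm)

def external_token_request(keycloak_base, realm, idp_alias, access_token) -> Request:
    """Build (not send) the GET for the token Keycloak stored from the external IdP."""
    url = f"{realm_issuer(keycloak_base, realm)}/broker/{idp_alias}/token"
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})

def _sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed values (assumptions): base URL, realm name and IdP alias.
KEYCLOAK, REALM, IDP_ALIAS = "https://sso.example.test/auth", "demo", "ping"
KC_TOKEN = _sample_token({"iss": f"{KEYCLOAK}/realms/{REALM}", "sub": "u1"})
PING_TOKEN = _sample_token({"iss": "https://ping.example.test", "sub": "u1"})

if __name__ == "__main__":
    for name, tok in (("from Keycloak", KC_TOKEN), ("from Ping", PING_TOKEN)):
        print(name, "-> realm-issued:", issued_by_realm(tok, KEYCLOAK, REALM))
    print(external_token_request(KEYCLOAK, REALM, IDP_ALIAS, KC_TOKEN).full_url)
```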

