[keycloak-user] IdP initiated SSO with Keycloak


[keycloak-user] IdP initiated SSO with Keycloak

Michael Anthon
We are attempting to implement IdP initiated SSO, similar to what is outlined in this blog... https://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-relaystate-in-adfs-2-0/

The main difference is that our SP is using openid to authenticate with Keycloak.

So the configuration is like this...

ADFS(fs.example.com) <---SAML---> Keycloak(kc.example.com) <---openid--->SP(app.example.com)

The SP is set up as a client in a Realm in Keycloak and the ADFS is set up as an identity provider.

In ADFS, Keycloak is set up as a Relying Party.

The intent here is that we can provide the end user with a URL that they can access that will send them to their ADFS portal to login (if required) and have them end up in the application without them having to do anything in Keycloak.

The URL according to the article will be something like
https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fkc.example.com%252Fauth%252Frealms%252Frealmid%26RelayState%3Dhttps%253A%252F%252Fapp.example.com%252F

I have been able to set up a standard IdP login via these servers; however, the situation is that we will have multiple clients accessing the system and we are not allowed to expose who our clients are, so we will need to edit the login templates and remove the IdP buttons, which is why I'm looking for an IdP-initiated solution.

Currently when I attempt this I don't end up in the right place in Keycloak but instead end up at https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint.

I'm wondering if anyone has done this and has any pointers on configuring this correctly (or indeed if I'm barking up the wrong tree and it's not possible).

Thanks,
Michael

_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user

Re: [keycloak-user] IdP initiated SSO with Keycloak

Hynek Mlnarik
Are you using IdP-initiated login for brokered IdPs? [1] The URL for
IdP-initiated login should be this:
broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

[1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html

--Hynek

On Fri, Mar 24, 2017 at 1:49 AM, Michael Anthon
<[hidden email]> wrote:

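The two RelayState shapes discussed in this thread, as an added example that is not part of either post: it assembles the ADFS idpinitiatedsignon URL with the doubly encoded RelayState from Michael's message, then the variant whose inner RelayState is the Keycloak broker endpoint from Hynek's reply, and decodes both layers back to check the target host before trusting it. The IdP alias "infoview" is taken from the endpoint in Michael's post; the client id and the allowed-host list are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

ADFS_SIGNON = "https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx"
KC_REALM = "https://kc.example.com/auth/realms/realmid"
IDP_ALIAS = "infoview"              # alias seen in the endpoint Michael landed on
CLIENT_ID = "app-client-id"         # constructed: the SP's client id in the realm
# Constructed allow-list: hosts the decoded inner RelayState may point at.
ALLOWED_TARGET_HOSTS = {"kc.example.com", "app.example.com"}


def broker_endpoint(realm_url, idp_alias, client_id):
    """IdP-initiated login URL for a brokered IdP, in the shape from Hynek's reply."""
    return f"{realm_url}/broker/{idp_alias}/endpoint/clients/{client_id}"


def build_adfs_url(rpid, target):
    """Outer RelayState wraps an inner query string 'RPID=...&RelayState=...'.

    The inner string is URL-encoded once when built and a second time when it is
    placed into the outer RelayState parameter, which is why the thread's URL
    shows sequences such as %253A and %252F.
    """
    inner = urlencode({"RPID": rpid, "RelayState": target})
    return f"{ADFS_SIGNON}?{urlencode({'RelayState': inner})}"


def parse_adfs_url(url):
    """Undo both encoding layers; returns (rpid, target)."""
    outer = parse_qs(urlsplit(url).query)
    inner = parse_qs(outer["RelayState"][0])
    return inner["RPID"][0], inner["RelayState"][0]


def target_is_allowed(target):
    """Reject decoded targets whose host is not on the allow-list (https only)."""
    parts = urlsplit(target)
    return parts.scheme == "https" and parts.hostname in ALLOWED_TARGET_HOSTS


# Michael's URL: inner RelayState points straight at the application.
app_form = build_adfs_url(KC_REALM, "https://app.example.com/")
# Hynek's form: inner RelayState targets the broker endpoint for the client.
broker_form = build_adfs_url(KC_REALM, broker_endpoint(KC_REALM, IDP_ALIAS, CLIENT_ID))

if __name__ == "__main__":
    for url in (app_form, broker_form):
        rpid, target = parse_adfs_url(url)
        print(url, "\n  RPID  :", rpid, "\n  target:", target, "allowed:", target_is_allowed(target))
```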

Re: [keycloak-user] IdP initiated SSO with Keycloak

mmiklasz
CONTENTS DELETED
The author has deleted this message.