IdP initiated SSO - OpenIDC client


Lars Van Casteren

Mar 19, 2021, 7:56:55 PM3/19/21
to Keycloak User
I'm evaluating a POC to determine the workload to migrate from Gluu to Keycloak, but I'm stuck at IdP initiated SSO using KC and an OpenIDC client, similar to https://lists.jboss.org/pipermail/keycloak-user/2017-March/010093.html
This is the flow: 

AzureAD <--SAML or OpenID--> Keycloak <--openid client--> SP Apache/mod_auth_openidc/app

From the login screen using KC-initiated login everything works, but for IdP-initiated SSO from AzureAD in this setup there doesn't seem to be a clear-cut answer whether this is possible or not with Keycloak.
At this point the only solution I see is to not only replace Gluu but replace mod_auth_openidc also: 

AzureAD <--SAML or OpenID--> Keycloak <--saml client--> SP Apache/mod_auth_mellon/application

Before ripping out mod_auth_openidc it would be helpful if someone could shed some light if this is the (only) way.

Thanks!

Lars Van Casteren

Mar 21, 2021, 5:09:32 AM3/21/21
to Keycloak User
I made some progress for the setup with AzureAD through SAML:

AzureAD <--SAML--> Keycloak <--openid client--> SP Apache/mod_auth_openidc/app

Maybe it's useful to someone stuck at the same point.

This could be passed as an SSO url to clients:

sso_url: https://{{ keycloak_host }}/auth/realms/{{ realm_name }}/protocol/openid-connect/auth?client_id={{ client_id }}&redirect_uri={{ redirect_to_url }}&response_type=code&scope=openid&kc_idp_hint={{ identity_provider_id }}

Instead of getting the login screen they will be redirected to the IdP login page but get redirected to authenticate with the IdP and get redirected back and are logged in.
But it's not yet enough to use the 'User access URL' that AzureAD generates.
I added these values to the AzureAD Enterprise Application SAML-based SSO config screen: 

Sign on URL: {{ sso_url }}. 
Relay State: https://{{ redirect_url }}/

Now it's possible to use the 'User access URL' that's shown in the AzureAD config screen for the Enterprise Application, it's something like: 

https://myapps.microsoft.com/signin/{{ application name }}/{{ id }}?tenantId={{ tenantId }}

Hitting that will log in the user. 
I'm not sure if this is the correct way how to configure it but it works.

For the setup when using AzureAD through OpenIDC:

AzureAD <--OpenIDC--> Keycloak <--openid client--> SP Apache/mod_auth_openidc/app

The same SSO url as above can be used, but I haven't found a way to log in the user when he clicks on the "My Apps" icon in his office.com portal.
There doesn't seem to be a way to set a URL to be used in the AzureAD openid application config page, hence the user lands on the login page without the hint.

Lars Van Casteren

Mar 21, 2021, 6:16:12 AM3/21/21
to Keycloak User
For the setup when using AzureAD through OpenIDC:

AzureAD <--OpenIDC--> Keycloak <--openid client--> SP Apache/mod_auth_openidc/app

You can’t add the url with all the parameters directly in AzureAD “Home page URL” so that won’t work, the user just lands on the login page.

I added a permanent redirect on Apache so that a simple URL (one that AzureAD “Home page URL” accepts) redirects to the full URL with all the parameters and added that to AzureAD “Home page URL” for the openid app.

This does the trick and the user can now just click on the icon in the office.com portal and gets logged in.

I guess I answered my own initial question 😉

Gr,

L
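The two pieces described in the posts above (the Keycloak authorization URL carrying kc_idp_hint, and the short URL that Apache permanently redirects to it so AzureAD's "Home page URL" field accepts it) are easy to get subtly wrong: the redirect_uri must be percent-encoded and must exactly match a redirect URI registered on the Keycloak client, otherwise Keycloak rejects the request. The following Python is an added example written for this thread, not code from the poster or from the Keycloak project. All hostnames, the realm, client id, IdP alias and the allow-list are constructed placeholders (assumptions); the Keycloak endpoint path and parameter names are those used in the thread.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values (assumptions for this example, not from the thread).
KEYCLOAK_HOST = "keycloak.example.com"
REALM = "demo"
CLIENT_ID = "intranet-app"
IDP_ALIAS = "azuread-saml"          # alias of the AzureAD identity provider in Keycloak
# The client's registered "Valid Redirect URIs" in Keycloak (assumed allow-list).
ALLOWED_REDIRECTS = {"https://intranet.example.com/"}
REQUIRED_PARAMS = ("client_id", "redirect_uri", "response_type", "scope", "kc_idp_hint")


def build_idp_hint_url(keycloak_host, realm, client_id, redirect_uri, idp_alias):
    """Build the sso_url from the thread with every parameter percent-encoded.

    Refuses redirect targets that are not registered on the client, which is the
    same check Keycloak itself performs; failing here gives a clearer error than
    an "Invalid parameter: redirect_uri" page for the end user.
    """
    if redirect_uri not in ALLOWED_REDIRECTS:
        raise ValueError(f"redirect_uri not registered for client: {redirect_uri}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # urlencode() escapes ':' and '/' for us
        "response_type": "code",
        "scope": "openid",
        "kc_idp_hint": idp_alias,       # skips the Keycloak login page, goes to the IdP
    }
    path = f"/auth/realms/{realm}/protocol/openid-connect/auth"
    return urlunsplit(("https", keycloak_host, path, urlencode(params), ""))


def validate_sso_url(url):
    """Return a list of problems found in an existing sso_url (empty list == OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("sso_url must use https")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        if name not in query:
            problems.append(f"missing parameter: {name}")
    if query.get("response_type") not in (None, ["code"]):
        problems.append("response_type should be 'code'")
    for target in query.get("redirect_uri", []):
        if target not in ALLOWED_REDIRECTS:
            problems.append(f"redirect_uri not registered: {target}")
    return problems


def apache_redirect_directive(simple_path, target_url):
    """Render the Apache 'Redirect permanent' line the third post describes:
    a short path (acceptable to AzureAD's Home page URL field) -> full sso_url."""
    return f"Redirect permanent {simple_path} {target_url}"


if __name__ == "__main__":
    sso_url = build_idp_hint_url(KEYCLOAK_HOST, REALM, CLIENT_ID,
                                 "https://intranet.example.com/", IDP_ALIAS)
    print(sso_url)
    print("problems:", validate_sso_url(sso_url))
    # Put this line in the Apache vhost; AzureAD then gets https://intranet.example.com/sso
    print(apache_redirect_directive("/sso", sso_url))
```

The rendered `Redirect permanent` line goes into the Apache virtual host that fronts mod_auth_openidc; the short path it maps (here `/sso`) is what gets entered as the AzureAD "Home page URL". Because mod_auth_openidc starts its own authorization request when the user arrives without a session, the Keycloak SSO session created via kc_idp_hint is what makes that second round trip silent.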
