SAML IDP Initiated Login through broker on an OIDC client

Mark Crowley

Jun 14, 2021, 8:11:15 AM
to Keycloak User
Referring to https://www.keycloak.org/docs/latest/server_admin/#idp-initiated-login and having tested various setups SAML IDP initiated auth through a broker to an OIDC client is not supported.

My question is: is this a use case that is not supported yet, or is there a wider reason for it?

Further detail:

The underlying cause is that the Identity Provider configuration used for brokering is shared across the realm. With SP initiated login we explicitly know the client that is triggering the auth and Keycloak maintains this as part of RelayState when brokering with the IDP.

However with IDP initiated login we do not know the client unless the IDP somehow passes this data as part of the AuthRequest.

If my client setup was SAML there is an option to set an "IDP Initiated SSO URL Name", and the solution is to add /clients/<name> to the ACS as per the documentation.

But in an OIDC client there is no such option.

So with a setup of

SAML IDP > Keycloak SAML Identity Provider > OIDC client

SP Initiated login works, and IDP initiated login cannot.

Lars Van Casteren

Jun 14, 2021, 10:04:26 AM
to Mark Crowley, Keycloak User

Hi Mark,

I’m not sure if I fully understand your specific use case but it seems close to what I had to implement, I vaguely remember working around the problem by setting up some permanent redirects on Apache to add the missing stuff.

Check out: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/keycloak-user/Z1BVOmvdKso/cyhbCguXAwAJ

With those redirects we can do IdP initiated SSO coming either from Azure/SAML or Azure/OIDC as IdP with our app as an OIDC Keycloak SP client.

Gr,

L

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/3032ad87-2b97-4314-84ed-303f3ead9fban%40googlegroups.com.

Mark Crowley

Jun 14, 2021, 2:03:38 PM
to Keycloak User
Reviewing the implementation, it's simply a case that the client needs an attribute set

and that attribute is only available in the UI for saml protocol

However, there is no specific server side validation logic that this property can only be set for a SAML client.

Will create a new admin theme and override this one property to be exposed in UI for saml and openid-connect protocols, assign to the realm and test.
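To make the mechanism in Mark's two posts concrete, here is an added Python model (not code from the thread or from Keycloak) of how the broker resolves an IdP-initiated response to a client: the `/clients/<name>` suffix on the broker ACS URL selects a client by its "IDP Initiated SSO URL Name" attribute, and a client is eligible only if that attribute is set, whatever its protocol. The attribute name `saml_idp_initiated_sso_url_name`, the `/realms/{realm}/broker/{alias}/endpoint` path layout and the sample realm are assumptions for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Client attribute assumed to back the "IDP Initiated SSO URL Name" UI field.
SSO_URL_NAME_ATTR = "saml_idp_initiated_sso_url_name"


@dataclass
class Client:
    client_id: str
    protocol: str                      # "saml" or "openid-connect"
    attributes: dict = field(default_factory=dict)


def broker_acs_url(base, realm, broker_alias, url_name):
    """ACS URL to register at the external SAML IdP so its IdP-initiated
    response lands on the broker and names the target client (path layout
    assumed from the Keycloak docs; older versions prefix it with /auth)."""
    return f"{base}/realms/{realm}/broker/{broker_alias}/endpoint/clients/{url_name}"


def resolve_target_client(acs_url, realm, broker_alias, clients):
    """Return the client an incoming IdP-initiated response targets, or None.
    Mirrors the thread: without /clients/<name> the broker has no client to
    hand off to, and a client is eligible only if it carries the attribute,
    whichever protocol it uses (no server-side protocol check assumed)."""
    path = unquote(urlsplit(acs_url).path)       # decode before splitting
    prefix = f"/realms/{realm}/broker/{broker_alias}/endpoint"
    if not path.startswith(prefix):
        return None
    rest = path[len(prefix):].strip("/").split("/")
    if len(rest) != 2 or rest[0] != "clients" or rest[1] in ("", ".", ".."):
        return None
    for c in clients:
        if c.attributes.get(SSO_URL_NAME_ATTR) == rest[1]:
            return c
    return None


# Constructed sample realm: one SAML client, one OIDC client without the
# attribute (the failing case) and one OIDC client with it set (Mark's plan).
CLIENTS = [
    Client("hr-saml-sp", "saml", {SSO_URL_NAME_ATTR: "hr"}),
    Client("portal-oidc", "openid-connect"),
    Client("portal-oidc-fixed", "openid-connect", {SSO_URL_NAME_ATTR: "portal"}),
]
REALM, BROKER, BASE = "demo", "corp-saml", "https://sso.example.com"

if __name__ == "__main__":
    for name in ("hr", "portal", "unknown"):
        hit = resolve_target_client(broker_acs_url(BASE, REALM, BROKER, name), REALM, BROKER, CLIENTS)
        print(name, "->", hit.client_id if hit else None)
```

The bare broker endpoint (no `/clients/<name>`) resolves to nothing, which is the IdP-initiated-to-OIDC failure described above; setting the attribute on the OIDC client makes it resolvable.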

Keycloak User

Mar 20, 2023, 10:15:36 PM
to Keycloak User
Hi Mark,

Did you get this override technique to work? I have the same requirements as well.  