IDP Initiated Login


keycloak-user

May 14, 2022, 10:12:51 AM
to Keycloak User
Hello,

I am trying to configure an IdP-initiated login with Keycloak as the Identity Broker.

I have done the following configuration:

Keycloak:

1. Created a SAML v2.0 Identity Provider in keycloak realm
     Redirect URI: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
     Alias: okta
     Enabled: On
     First Login Flow: first login flow
     Sync Mode: Import
     Service Provider Entity ID: okta
     Single Sign-On Service URL: https://abc.okta.com/app/xxxxxx/xxxxxx/sso/saml
     NameID Policy Format: Email
     Principal Type: Subject NameID
     HTTP-POST Binding Response: On
     HTTP-POST Binding for AuthnRequest: On

2. Created a SAML client in Keycloak
     Client ID: okta
     Name: okta
     Enabled: On
     Client Protocol: saml
     Name ID Format: email
     Master SAML Processing URL: https://abc.xyz.com/auth/realms/my-realm/broker/okta/endpoint
     IDP Initiated SSO URL Name: okta

3. Created an app in Okta
     Single Sign On URL: https://abc.xyz.com/auth/realms/my-realm/protocol/saml/clients/okta
     Audience Restriction: okta
     Name ID Format: EmailAddress

When I hit the app in Okta, it gives the "An internal server error has occurred" error. On closer observation, I found that the SAML response POSTed to https://abc.xyz.com/auth/realms/my-realm/protocol/saml/clients/okta is getting a "405 Method Not Allowed" error.

Any suggestions to fix this?


Jessica Sanchez Vargas

Aug 3, 2022, 4:20:24 PM
to Keycloak User
Hi,
Could you resolve this problem? I have the same issue.

Karthik Narahari

Aug 10, 2022, 2:00:39 PM
to Keycloak User
Hi, please try using the below URL as the Single Sign On URL in Okta:


'okta' in the above URL is the IDP Initiated SSO URL Name; also, the Master SAML Processing URL should ideally point to a SAML-based client to which you want to be redirected in an IdP-initiated login flow.

-Karthik

Crispi Chong

Feb 17, 2023, 6:30:59 PM
to Keycloak User
I'm also having issues getting this to work. I have the settings below, and in my logs, I see the parser parse the AuthnResponse with the following logs, ending in:

type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination

Can you please advise? I've looked over the documentation and I can't find what I'm missing.

This is my scenario:
login protected app url? https://myapp.com
IdP: Okta
service provider: keycloak

1. Keycloak identity Provider:
alias: okta-init
service provider entity id: https://myapp.com
identity provider entity id: http://www.okta.com/someexternalid
single sign-on service url: https://ourokta/app/xxxx/xxxx/sso/saml
allow create: on
http-post binding response: on
http-post binding for AuthnRequest: on

Requested AuthnContext Constraints
comparison: exact

First login flow: SAML
Sync mode: Import

2. Authentication Flow: SAML
- Create User if Unique: alternative
- Automatically set existing user: alternative

3. Keycloak client
IDP-Initiated SSO URL name: myapp
IDP Initiated SSO Relay State: https://myapp.com
Name ID format: email
Force POST binding: on
Include AuthnStatement: on
Sign documents: on
Signature algorithm: RSA_SHA256
SAML signature key: NONE
Canonicalization method: EXCLUSIVE
Front channel logout: on
Assertion Consumer Service POST Binding URL: I tried https://myapp.com, I tried https://keycloak.myorg.com/auth/realms/master/broker/okta-init/endpoint, I tried blank - with the same results

4. Okta config
Audience URI (SP Entity ID): https://myapp.com
Default RelayState: https://myapp.com
Name ID format: Persistent
Application username: Okta username
Update application username on: Create and update
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
Authentication context class: Unspecified
Honor Force Authentication: Yes

Karthik Narahari

Feb 18, 2023, 2:02:13 AM
to Crispi Chong, Keycloak User
Please try setting the Single sign-on URL, Recipient URL and Destination URL all to https://keycloak.myorg.com/auth/realms/master/broker/okta-init/endpoint/clients/myapp,
and also the entity ID of Keycloak, which has to be set as the Audience URI (SP Entity ID) in Okta, should point to the realm, something like https://keycloak.myorg.com/auth/realms/master

Please check the above, verify the SAML response you receive from Okta, and check whether the Destination and the other fields match what you have in Keycloak.

-Karthik

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/64d3b79b-f448-4199-b31f-2465085dc923n%40googlegroups.com.


Crispi Chong

Feb 20, 2023, 1:34:44 AM
to Keycloak User
I fixed the Single Sign On URL to be the same as Destination and Recipient, and updated the Audience URI as well as the Service Provider in Keycloak to match, and am still getting the invalid_destination error:


type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination

Does invalid_destination refer to this? 

Current settings:
alias: okta-init
service provider entity id: https://keycloak.myorg.com/auth/realms/master
Assertion Consumer Service POST Binding URL: blank
Default RelayState: https://myapp.com
Name ID format: Persistent
Application username: Okta username
Update application username on: Create and update
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
Authentication context class: Unspecified
Honor Force Authentication: Yes

Crispi Chong

Feb 24, 2023, 6:39:24 PM
to Keycloak User
I tried following the flow by stepping through the code - everything appears to be successful until the logic gets into
SamlProtocol.authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

At that point the redirectUri resolves back to "https://keycloak.myorg.com/auth/realms/master/broker/okta-init/endpoint/clients/myapp" - shouldn't it be taking me to the final destination, the RelayState?
Secondly, responseIssuer resolves into "https://keycloak.myorg.com/auth/realms/master" - shouldn't this value still be "http://www.okta.com/someexternalid"?

Any help is appreciated here.

Thank you.

Thomas Darimont

Feb 25, 2023, 8:36:19 AM
to Keycloak User
Hello,

I just configured a Keycloak 20.0.5 to use Identity Brokering with an Okta SAML App via a SAML IdP in Keycloak with success.
I can now login in with Okta to applications secured by Keycloak.

I created the Okta SAML app first and then configured the Okta SAML IdP in Keycloak.
Note that the URL "https://id.acme.test:8443/auth/realms/acme-apps/broker/okta-saml/endpoint" I use here is created at a later stage.
So keep in mind to use the same realm name (acme-apps in my example) and IdP alias in Keycloak later (okta-saml in my example).

1. Create an app in Okta

General / SAML Settings:
Single Sign On URL: https://id.acme.test:8443/auth/realms/acme-apps/broker/okta-saml/endpoint (this endpoint will be generated by the Keycloak IdP)
Audience Restriction: https://id.acme.test:8443/auth/realms/acme-apps (This is the realm entityID of the "Keycloak SP")
Name ID Format: EmailAddress

"Attribute Statements (optional)"
Optionally configure mappings for firstname and lastname, e.g.:
- givenName Basic user.firstName
- surname Basic user.lastName

"Sign-On":
In the "Sign-on" tab click "View SAML Setup instructions", then scroll down to "IDP metadata to your SP provider."
Copy the xml metadata snippet and store it as a file with an URL reachable by Keycloak.

"Assignments":
Select individual users or groups who should be allowed to log in to Keycloak via Okta.

2. Create a new SAML IdP in Keycloak

Identity Provider -> SAML v2.0

Display Name: Okta
Alias: okta-saml
Service provider entity ID: Base URL of your realm, e.g.: https://id.acme.test:8443/auth/realms/acme-apps
(This is used by the audience restriction above)

Use entity descriptor: "on"
SAML entity descriptor: Enter the URL to the xml metadata snippet (or set Use entity descriptor: "off" and enter the metadata from the xml file by hand).

Click Mappers, then "Add Mapper".
Select "Attribute Importer" and use the following settings:

Name: firstName
Friendly Name: givenName
Name format: ATTRIBUTE_FORMAT_BASIC
User Attribute Name: firstName

next mapper:

Name: lastName
Friendly Name: surname
Name format: ATTRIBUTE_FORMAT_BASIC
User Attribute Name: lastName

3. Try to sign in to an application protected by Keycloak via your Okta IdP.

Kind regards,
Thomas

Thomas Darimont

Feb 25, 2023, 9:31:38 AM
to Keycloak User

... sent too fast.

For IdP-initiated login, create another Okta app for your target SAML app "webapp" in Keycloak, so that we now have:

Okta:
- SAML App: Keycloak Broker (icon not shown to users)
- SAML App: webapp

Keycloak:
- SAML Identity Provider: Okta
- SAML Client: webapp


For the webapp then use a "Single Sign On URL" like: https://id.acme.test:8443/auth/realms/acme-apps/broker/okta-saml/endpoint/clients/webapp
See: https://github.com/keycloak/keycloak/blob/923a321a55747d401d87b7958fe0dee81fabe010/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L204

The target client needs to have the IDP-Initiated SSO URL name (client attribute "saml_idp_initiated_sso_url_name") set to the value passed
as "client_id" path param (e.g. webapp). In my case I configured the "IDP-Initiated SSO URL name" property for the "webapp" client as "webapp".

See: org.keycloak.broker.saml.SAMLEndpoint.Binding#handleLoginResponse
https://github.com/keycloak/keycloak/blob/923a321a55747d401d87b7958fe0dee81fabe010/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L416

See: org.keycloak.broker.saml.SAMLEndpoint.Binding#samlIdpInitiatedSSO
https://github.com/keycloak/keycloak/blob/923a321a55747d401d87b7958fe0dee81fabe010/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L611

As a workaround for the issue Crispi reported, I configured the webapp-saml in Okta to use the same SAML Issuer ID for the "Keycloak Okta Broker"
SAML app created in the previous step (Configure SAML -> Show Advanced Settings -> SAML Issuer ID). The value can be found in the xml metadata descriptor generated earlier
in the attribute entityID, e.g. entityID="http://www.okta.com/xxxxxxxx".

With this in place I could get to the target application, after clicking on the app icon in "my apps" in Okta.

Hope that helps!

Kind regards,
Thomas
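
Karthik's advice above (compare the Destination and the other fields of the Response Okta sends with what Keycloak expects) and the /clients/<name> broker endpoint Thomas describes can be checked offline before touching the Okta app again. The script below is an added example written for this thread; it is not Keycloak code and was not posted by any participant. It builds the broker endpoint URL from the realm, IdP alias and IDP-Initiated SSO URL name, decodes a base64 SAMLResponse form value and reports which of Destination, Issuer, Audience and Recipient do not match the Keycloak configuration (the same checks behind the invalid_destination and "Response Issuer validation failed" messages in this thread). The host keycloak.example.test, the issuer http://www.okta.com/EXAMPLE_ISSUER and the embedded Response are constructed placeholders; XML signature verification is out of scope here.

```python
"""Offline checker for the fields Keycloak's SAML broker validates on an
IdP-initiated Response. Added example for this thread, not Keycloak code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def broker_endpoint(base_url, realm, idp_alias, sso_url_name=None):
    """URL the IdP must POST the Response to. With sso_url_name this is the
    IdP-initiated form .../endpoint/clients/<IDP-Initiated SSO URL name>."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}/endpoint"
    return f"{url}/clients/{sso_url_name}" if sso_url_name else url


def check_saml_response(saml_response_b64, expected):
    """Decode the SAMLResponse form parameter and compare Destination, Issuer,
    Audience and Recipient with the values configured in Keycloak.
    Returns a list of mismatches; an empty list means the fields line up."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    destination = root.get("Destination")
    if destination != expected["destination"]:
        problems.append(f"invalid_destination: Destination={destination!r}, "
                        f"expected {expected['destination']!r}")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        problems.append(f"invalid_issuer: Issuer={issuer!r}, "
                        f"expected {expected['idp_entity_id']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion found (encrypted assertions are not handled here)")
        return problems

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        problems.append(f"invalid_audience: Audience={audience!r}, "
                        f"expected {expected['sp_entity_id']!r}")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["destination"]:
        problems.append(f"invalid_recipient: Recipient={recipient!r}, "
                        f"expected {expected['destination']!r}")
    return problems


def sample_response(destination, issuer, audience):
    """Constructed, unsigned SAML Response, base64-encoded the way an IdP
    POSTs it in the SAMLResponse form field. All values are placeholders."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2023-02-20T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-02-20T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2023-02-20T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


# Placeholder Keycloak configuration: realm "master", IdP alias "okta",
# client with IDP-Initiated SSO URL name "webapp".
BASE_URL = "https://keycloak.example.test/auth"
EXPECTED = {
    "destination": broker_endpoint(BASE_URL, "master", "okta", "webapp"),
    "idp_entity_id": "http://www.okta.com/EXAMPLE_ISSUER",
    "sp_entity_id": f"{BASE_URL}/realms/master",
}


def run_demo():
    """Check one matching Response and one whose Okta app still points at the
    plain broker endpoint (missing /clients/webapp), as in this thread."""
    good = sample_response(EXPECTED["destination"], EXPECTED["idp_entity_id"], EXPECTED["sp_entity_id"])
    bad = sample_response(broker_endpoint(BASE_URL, "master", "okta"),
                          EXPECTED["idp_entity_id"], EXPECTED["sp_entity_id"])
    return check_saml_response(good, EXPECTED), check_saml_response(bad, EXPECTED)


if __name__ == "__main__":
    ok, broken = run_demo()
    print("matching response:", ok or "all fields line up")
    for problem in broken:
        print("mismatching response:", problem)
```

To use it on a real failure, copy the SAMLResponse value from the browser's form POST (or from a SAML tracer) into check_saml_response together with your own realm URL, IdP alias, IDP-Initiated SSO URL name and the Okta SAML Issuer ID; the first mismatch it prints is the field to fix in the Okta app.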

Crispi Chong

Feb 28, 2023, 5:07:08 PM
to Keycloak User
Thank you for your help - unfortunately your final paragraph doesn't appear to have resolved my issue, unless I misunderstood it. 

I still get an error saying:
type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response, reason=invalid_destination, requestUri=http://myorg.com/auth/realms/master/broker/okta/endpoint/clients/webapp, stackTrace=...

Here are my configs:

Okta:
- SAML App: Keycloak Broker (icon not shown to users)

Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA_SHA256

Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
SAML Single Logout: Disabled
SAML Signed Request: Disabled
authnContextClassRef: Unspecified
Honor Force Authentication: Yes
Assertion Inline Hook: None (disabled)
SAML Issuer ID: http://www.okta.com/myorgoktaexternalid
ATTRIBUTE STATEMENTS
Name Name Format Value
firstName Basic user.firstName
lastName Basic user.lastName
email Basic user.email

- SAML App: webapp (for idp initiated login)

Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA_SHA256

Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
SAML Single Logout: Disabled
SAML Signed Request: Disabled
authnContextClassRef: Unspecified
Honor Force Authentication: Yes
Assertion Inline Hook: None (disabled)
SAML Issuer ID: http://www.okta.com/myorgoktaexternalid
ATTRIBUTE STATEMENTS
Name Name Format Value
firstName Unspecified user.firstName
lastName Unspecified user.lastName
email Unspecified user.email

Keycloak:
- SAML Identity Provider: Okta
Redirect URI: https://myorg.com/auth/realms/master/broker/okta/endpoint
Alias: okta
Service provider entity ID: https://myorg.com/auth/realms/master
Identity provider entity ID: http://www.okta.com/myorgoktaexternalid
Single Sign-On service URL: https://start.myorg.com/app/keycloak_broker/myorgoktaexternalid/sso/saml
Single logout service URL:
NameID policy format: Persistent
Principal Type: Subject NameID
Allow create: On
HTTP-POST binding response: On
HTTP-POST binding for AuthnRequest: On
First login flow: SAML
Post login flow: None
Sync mode: Force

- SAML Client: webapp
Client ID: http://www.okta.com/myorgoktaexternalid
Root URL:
Home URL:
Valid Redirect URLs:
https://myorg.com/auth/realms/master/broker/okta/endpoint/clients/webapp
https://myorg.com/auth/realms/master/broker/okta/endpoint
Valid post logout redirect URIs:
IDP-Initiated SSO URL name: webapp

IDP Initiated SSO Relay State:
Master SAML Processing URL:
Name ID Format: persistent
Force POST binding: On
Include AuthnStatement: On
Sign documents: On
Signature algorithm: RSA_SHA256
Front channel logout: On
Assertion Consumer Service POST Binding URL: https://myorg.com/auth/realms/master/broker/okta/endpoint/clients/webapp
Assertion Consumer Service Redirect Binding URL:
Logout Service POST Binding URL: 

tomidiecat84

Mar 6, 2023, 7:16:48 AM
to Keycloak User
Hello,
I have managed to configure Keycloak to allow authentication using Okta when the authentication starts in Keycloak by selecting the SAML IdP, which redirects me to Okta. The problem is when I start the authentication in Okta and I would like to be authenticated into my Keycloak instance. When I start the IdP-initiated authentication I get the following error:

Response Issuer validation failed: expected http://www.okta.com/ABCD, actual https://keycloak/realms/master

Here is my configuration:

--OKTA

App Name: okta-saml-app
Do not display application icon to users: Checked
Single sign-on URL: https://keycloak/realms/master/broker/saml/endpoint
Audience URI (SP Entity ID): https://keycloak/realms/master
Name ID format: EmailAddress
Application username: Email
SAML Issuer ID: http://www.okta.com/ABCD


App Name: okta-saml-web-app
Single sign-on URL: https://keycloak/realms/master/broker/saml/endpoint/clients/myapp
Audience URI (SP Entity ID): https://keycloak/realms/master
Name ID format: EmailAddress
Application username: Email
SAML Issuer ID: http://www.okta.com/ABCD

--Keycloak

CLIENT:
Client ID: myapp
Valid redirect URIs: https://keycloak/realms/master/*

IDP-Initiated SSO URL name: myapp
Assertion Consumer Service POST Binding URL: https://keycloak/realms/master/broker/saml/endpoint/clients/myapp

IDP:
Alias: saml
Redirect URI: https://keycloak/realms/master/broker/saml/endpoint
Service provider entity ID: https://keycloak/realms/master
Identity provider entity ID: http://www.okta.com/ABCD
Single Sign-On service URL: https://dev-XXXXXXX.okta.com/app/dev-XXXXXXX_oktasamlapp_1/ABCD/sso/saml
NameID policy format: Email