KEYCLOAK-4509 Support IDP Initiated to OIDC RP #4965
Conversation
KC supports only SAML Clients for IDP Initiated login. This commit adds IDP Initiated login to OIDC Clients.

To use this feature, the admin needs:

* in Client conf
  * IDP Initiated SSO URL Name=<client-alias>
  * IDP Initiated Target URL=<target-url-of-client>
* in the external IDP configuration, set keycloak redirectURL=http://<keycloak>/auth/realms/<realm>/broker/<idp-name>/endpoint/clients/<client-alias>

The whole behaviour will be:

* the user is authenticated in external IDP.
* external IDP dashboard page lists all available Clients.
* user clicks on a Client.
* external IDP redirects to KC (using SAML).
* KC validates the authentication.
* KC redirects to the OIDC RP (IDP Initiated Target URL).
* OIDC RP initiates an OIDC authentication flow, and redirects to KC.
* KC creates automatically a session and redirects back to OIDC RP.
I'm not really following the flow you are proposing here. It doesn't seem to consider OIDC at all and I don't see how it would actually work since OIDC clients are supposed to check state/nonce values they generate themselves. There's some mention in OIDC specs about third-party initiated logins (https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin), but not really enough to understand how it should be done safely. The code here is also incredibly messy and is abusing the SAML code base.
Closing due to lack of feedback

If you are still interested in this please open a discussion on keycloak-dev around this
Hi @stianst, sorry for the lack of feedback on my part. I've a new job, so I was quite busy on other topics. Alas, I won't have time in the near future to continue working on this PR - perhaps it's better: I'll stop doing ugly code :). I'll just add some notes to have a better explanation (at least I hope!)

Use case

My need at the time I wrote the PR:

Okta was configured as SAML IDP in Keycloak.

PR usage

Configuration

With this PR, I configured the OIDC RP ac-sandbox in KC with these 2 new values:

In KC side, I configured Okta as external SAML IDP with the name okta. In summary, Okta initiates a SAML IDP authentication flow with KC, and then KC simulates a 3rd party initiated login to the OIDC RP ac-sandbox. I don't know if we can achieve a full OIDC flow (Okta -> KC and KC -> my OIDC RP); if so, perhaps it will be easier and cleaner than a half SAML / half OIDC one.

Test it

Conclusion

I completely agree about the code, it is hacky, but I didn't find a good way to implement it cleanly in a short timeframe.
Looking at https://support.okta.com/help/Documentation/Knowledge_Article/Using-the-App-Integration-Wizard-1111708899, Okta provides early access support for OIDC in their App Integration Wizard, and implements http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin. So a better way would be - as you pointed out - to have a third party initiated OIDC login (with full OIDC between IDP <-> KC <-> OIDC RP). This way, we could configure okta as a OIDC AS (instead of SAML) in KC and configure KC in Okta with:
The full flow would then be:
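The RP side of the OIDC third-party initiated login referenced in this thread (OpenID Connect Core 1.0, section 4) is what makes the "full OIDC" variant safe: the OP only tells the RP who it is (`iss`) and where to land (`target_link_uri`), and the RP still generates its own `state` and `nonce`, which is the point Stian raises above. The following is an added example written for this page, not Keycloak code and not the PR's code; the issuer, endpoint and host names are constructed, and only the RP name ac-sandbox comes from the thread.

```python
"""RP side of OIDC third-party initiated login (OpenID Connect Core 1.0, section 4).

Added example for this thread, not Keycloak code. Issuer, endpoint and host names
are constructed; the RP name ac-sandbox is taken from the thread.
"""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Assumed RP configuration: one trusted OP (a Keycloak realm), keyed by issuer.
TRUSTED_ISSUERS = {
    "https://kc.example.com/auth/realms/demo": {
        "authorization_endpoint": "https://kc.example.com/auth/realms/demo/protocol/openid-connect/auth",
        "client_id": "ac-sandbox",
        "redirect_uri": "https://ac-sandbox.example.com/oidc/callback",
    }
}
# Hosts the RP is willing to send the user to after login; anything else in
# target_link_uri is an open redirect attempt.
ALLOWED_TARGET_HOSTS = {"ac-sandbox.example.com"}


class RejectedLogin(ValueError):
    """Raised when an initiate-login or callback request fails validation."""


@dataclass
class PendingLogin:
    iss: str
    state: str
    nonce: str
    target: str


def _safe_target(target_link_uri: Optional[str]) -> str:
    """Accept only rooted local paths or absolute https URLs on an allowed host."""
    if not target_link_uri:
        return "/"
    parts = urlsplit(target_link_uri)
    if not parts.scheme and not parts.netloc:
        # Relative path: reject non-rooted paths; "//evil" has a netloc and lands below.
        if target_link_uri.startswith("/"):
            return target_link_uri
        raise RejectedLogin("target_link_uri must be a rooted path")
    if parts.scheme == "https" and parts.hostname in ALLOWED_TARGET_HOSTS:
        return target_link_uri
    raise RejectedLogin("target_link_uri is not on an allowed host")


def handle_initiate_login(params: dict, session: dict) -> str:
    """Handle GET on the RP's initiate_login_uri; return the authorization URL.

    A forged initiate request can at most start a login the RP could have started
    itself: state and nonce are minted here, never taken from the request.
    """
    iss = params.get("iss")
    op = TRUSTED_ISSUERS.get(iss)
    if op is None:
        raise RejectedLogin("iss is not a configured OpenID Provider")
    target = _safe_target(params.get("target_link_uri"))
    pending = PendingLogin(iss=iss, state=secrets.token_urlsafe(32),
                           nonce=secrets.token_urlsafe(32), target=target)
    session["oidc_pending"] = pending
    query = {
        "response_type": "code",
        "client_id": op["client_id"],
        "redirect_uri": op["redirect_uri"],
        "scope": "openid",
        "state": pending.state,
        "nonce": pending.nonce,
    }
    if params.get("login_hint"):
        query["login_hint"] = params["login_hint"]
    return f"{op['authorization_endpoint']}?{urlencode(query)}"


def handle_callback(params: dict, session: dict) -> PendingLogin:
    """Validate the redirect back from the OP before exchanging the code.

    Returns the pending login; after the code exchange, the ID token's nonce claim
    must equal pending.nonce (that exchange is outside this example).
    """
    pending = session.pop("oidc_pending", None)
    if pending is None:
        raise RejectedLogin("no login in progress for this session")
    if "error" in params:
        raise RejectedLogin(f"OP returned error: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), pending.state):
        raise RejectedLogin("state mismatch")
    # RFC 9207 iss parameter, when the OP sends it, must name the OP we started with.
    if "iss" in params and params["iss"] != pending.iss:
        raise RejectedLogin("authorization response from an unexpected issuer")
    if not params.get("code"):
        raise RejectedLogin("missing authorization code")
    return pending
```

In this shape the IdP-initiated hop (Okta -> Keycloak) and the RP hop (Keycloak -> ac-sandbox) are both ordinary authorization code flows; the only new endpoint is the RP's initiate_login_uri, and the Keycloak side would need nothing beyond sending `iss` and `target_link_uri` to it.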
Could you please open a discussion on keycloak-dev around this?

Just done, thanks Stian!
For reference, I've implemented something very similar in December, also for use with Okta as a SAML IdP. See master...Xovis:kc4509 Unfortunately my message to the dev-list describing my use case never made it through. I'll try to follow up on @gonzalad's message on the list again. |
I have exactly the same requirement. Are some discussions going on somewhere..? |
Mostly as a proof of concept, I'll add unit tests if the general idea is ok. I feel code can be improved, but I'm a bit too young on KC to know the good areas to extend