IdP Initiated Login 10.0.2


We recently upgraded to 10.0.2 from 4.8.3.Final and we’re running into issues with IdP initiated login. For context, we currently use an OIDC client for our app and in order to get IdP initiated login working, we had added a SAML client for the IdP to connect to and authenticate with before redirecting back to our app. Since the identity/auth cookies were set on the browser at this point, we were able to successfully authenticate with the js adapter on our app.

From what I can see on 10.0.2, we’re still successfully authenticating with Keycloak through our SAML client, but after we redirect back to our app and the js adapter calls checkLoginIframe, no sessionState is returned (on the KEYCLOAK_SESSION cookie attached to the browser, I do see a sessionState/sessionId), so we fail authentication.

I have also tried disabling checkLoginIframe and that works out, but when the user tries logging out, since our initOptions.onLoad is set to check-sso, they go through the whole participant browser flow, fail to authenticate, and get stuck on the “invalid username and password” Keycloak page.

Would it be best to stick with enabling checkLoginIframe? If so, has something changed in the check for checkLoginIframe that would result in no session state being returned and would that be related to the fact that we’re using two clients to handle IdP initiated login?

initOptions for js adapter:
  onLoad: check-sso
  promiseType: native
  realm: test
  clientId: oidcClient

Any insight would be much appreciated! Thanks!

Hello @louieb,

Did you manage to get IDP initiated login to work? I am looking to implement the following:

  1. Log in to my identity provider (like Ping, Okta, Azure AD, etc.)
  2. Click on the app that my admin has created
  3. Clicking on the app should SSO the user to Keycloak (where I have created an Identity Provider)

Is your workflow similar? If so, is there documentation that you know of that outlines this workflow?