Hey everyone,
I am looking for community support in the following scenario:
I have Keycloak 18 protecting access to several services, and users normally use Keycloak’s login form.
At the moment, I have a request for integration with an external identity provider.
Some inputs:
- IdP is hosted under idp-com
- Keycloak is hosted under sso-com
- One of my apps is hosted under myapp-com
- IdP users exist in Keycloak
My goal: The user should be able to click a URL under idp-com/... and become automatically authenticated at Keycloak and then be redirected to a custom URL within myapp-com.
I do not need to create or update Keycloak’s users, just verify the IdP’s user email is found.
Let’s imagine the URL may look like https://idp-com/saml/ssoservice?spentityid=https://sso-com/realms/realm-name&redirectTo=https://myapp-com/page1/page2
What I’ve done so far:
- Created a new simplified authentication flow containing two executions:
  - Detect existing broker user
  - Automatically set existing user
- Run external IdP service (simplesamlphp)
- Created a new external identity provider in Keycloak by importing the metadata from simplesamlphp:
  - Name: my-saml-idp
  - NameID policy format: Persistent
  - Principal type: Attribute [Name]
  - Principal attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Created a new SAML client in Keycloak with the following settings:
  - Valid Redirect URIs: https://myapp-com/
  - IDP Initiated SSO URL Name: my-saml-client
  - Assertion Consumer Service Redirect Binding URL: https://myapp-com/
- Updated simplesamlphp settings:
  - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: https://sso-com/realms/realm-name/broker/my-saml-idp/endpoint/clients/my-saml-client
My current results:
After I enter the initial URL https://idp-com/saml/ssoservice?spentityid=https://sso-com/realms/realm-name&redirectTo=https://myapp-com/page1/page2, I am asked to enter user credentials at the IdP, then I get automatically authenticated at Keycloak, and redirected to https://myapp-com/?SAMLResponse=......
I can’t find any way to force Keycloak to use the RelayState param in my initial URL so that a user is redirected to https://myapp-com/page1/page2.
In Keycloak’s codebase, I found a getRedirectTo() function with the following annotation:
Gets a URL to redirect to if there is an IDP initiated login. Looks for a redirectTo query param first, then looks in RelayState, if not in either defaults to context path.
Unfortunately, I cannot find a way to specify the redirectTo param, or whether it works for my scenario at all.
Please suggest.
Thanks in advance.
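As an added example (not from the question and not Keycloak's own code), here is a small model of the redirect-selection rule quoted from the getRedirectTo() annotation, combined with an allow-list check against the client's Valid Redirect URIs so that an unvalidated redirectTo or RelayState value cannot send the user off-site after login. The wildcard pattern `https://myapp-com/*`, the context-path default and the sample ACS URL are assumptions built from the values in the question.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed values based on the question; the trailing '*' wildcard is an assumption.
VALID_REDIRECT_URIS = ["https://myapp-com/*"]
CONTEXT_PATH = "https://myapp-com/"  # assumed default when neither param is usable


def matches_valid_redirect(candidate: str, patterns: Iterable[str]) -> bool:
    """Allow-list check in the spirit of Keycloak's Valid Redirect URIs:
    exact match, or prefix match when the pattern ends with '*'.
    Anything else (other host, other scheme, relative path) is refused."""
    parsed = urlsplit(candidate)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    for pattern in patterns:
        if pattern.endswith("*"):
            if candidate.startswith(pattern[:-1]):
                return True
        elif candidate == pattern:
            return True
    return False


def resolve_redirect(acs_url: str, relay_state: Optional[str],
                     patterns: Iterable[str] = VALID_REDIRECT_URIS) -> str:
    """Pick the post-login target with the precedence quoted in the question:
    the redirectTo query param on the ACS URL first, then RelayState, else the
    context path. A candidate that fails the allow-list is skipped, not followed."""
    query = parse_qs(urlsplit(acs_url).query)
    redirect_to = query.get("redirectTo", [None])[0]
    for candidate in (redirect_to, relay_state):
        if candidate and matches_valid_redirect(candidate, patterns):
            return candidate
    return CONTEXT_PATH


if __name__ == "__main__":
    acs = ("https://sso-com/realms/realm-name/broker/my-saml-idp/endpoint/"
           "clients/my-saml-client")
    print(resolve_redirect(acs + "?redirectTo=https://myapp-com/page1/page2", None))
    print(resolve_redirect(acs, "https://myapp-com/page1/page2"))
    print(resolve_redirect(acs, "https://attacker.example/"))
```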