Hello everyone, I’m using keycloak as a SAML Service provider and Layer7 SiteMinder as a SAML Identity provider.
The classic SP Initiated SAML Flow is working without any issue but I have a use case when I need to use an IDP initiated flow.
When I use this flow Keycloak gives me the following error:
We are sorry…
Login timeout. Please log in again.
In the server log I get the following error messages:
2020-05-08 10:08:07,426 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-1) Assertion _e5d8deee188bdbe6e443259de73340780119 is not addressed to this SP.
2020-05-08 10:08:07,428 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.
So from my point of view, this happens because in the IDP initiated flow the IDP doesn’t consume a SAML Authentication Request, and it generates a SAML Response without the InResponseTo=“ID_****” value containing the ID of the transaction Keycloak sent in the SAML Authentication Request.
Is there a way to ask Keycloak to bypass this verification?
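For readers trying to understand what the two log lines above are checking, here is an added example (not Keycloak code, and not from this thread) that performs the same Conditions and InResponseTo validation on a SAML 2.0 Response. The response XML, entity IDs and hostnames are constructed for the example. It shows why an unsolicited (IDP initiated) response has no InResponseTo to match, and that a validator should accept such a response only when unsolicited login is explicitly enabled, rather than by skipping the check altogether. Signature verification is assumed to happen before these checks and is out of scope here.

```python
"""Check the Conditions and InResponseTo of a SAML 2.0 Response (added example).

All sample data below is constructed; the audience and endpoint URLs are
placeholders, not real Keycloak or SiteMinder values.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

EXPECTED_AUDIENCE = "https://sp.example.test/realms/demo"  # constructed SP entity ID

# Constructed unsolicited (IdP-initiated) response: note there is no InResponseTo.
SAMPLE_UNSOLICITED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-05-08T10:08:00Z"
    Destination="https://sp.example.test/realms/demo/broker/idp/endpoint">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2020-05-08T10:08:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-05-08T10:07:00Z" NotOnOrAfter="2020-05-08T10:13:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/realms/demo</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response as an SP-initiated reply: the IdP echoes the AuthnRequest ID (constructed).
SAMPLE_SOLICITED = SAMPLE_UNSOLICITED.replace('ID="_resp1"', 'ID="_resp1" InResponseTo="ID_req42"', 1)

SAMPLE_NOW = datetime(2020, 5, 8, 10, 8, 7, tzinfo=timezone.utc)   # inside the window
SAMPLE_LATE = datetime(2020, 5, 8, 10, 20, 0, tzinfo=timezone.utc)  # after NotOnOrAfter


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2020-05-08T10:08:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_audience, outstanding_request_ids, now,
                      allow_unsolicited=False, clock_skew=timedelta(seconds=30)):
    """Return a list of validation failures; an empty list means the response is accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]

    # 1. InResponseTo: a solicited response must echo an AuthnRequest ID this SP issued.
    #    An unsolicited response carries none; accept it only if explicitly enabled.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            problems.append("unsolicited response (no InResponseTo) but IdP-initiated login is disabled")
    elif in_response_to not in outstanding_request_ids:
        problems.append(f"InResponseTo {in_response_to!r} matches no outstanding AuthnRequest")

    # 2. Audience: the assertion must be addressed to this SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"assertion is not addressed to this SP (audiences={audiences})")

    # 3. Validity window, with a small allowance for clock skew between IdP and SP.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < _parse_ts(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= _parse_ts(not_on_or_after):
        problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_UNSOLICITED, EXPECTED_AUDIENCE, set(), SAMPLE_NOW))
    print(validate_response(SAMPLE_UNSOLICITED, EXPECTED_AUDIENCE, set(), SAMPLE_NOW, allow_unsolicited=True))
    print(validate_response(SAMPLE_SOLICITED, EXPECTED_AUDIENCE, {"ID_req42"}, SAMPLE_NOW))
```

The first call reproduces the situation in the question: with unsolicited responses disabled, the missing InResponseTo is rejected even though the audience and validity window are fine. The `allow_unsolicited` switch is the only deliberate relaxation; the audience and time checks still apply to IdP-initiated responses, which is why a wrong Audience value alone produces an "is not addressed to this SP" failure.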
Hi, have you had any luck with setting up SAML IDP initiated login? I’ve tried to follow this article Keycloak with Okta IDP Initiated SSO Login | Lisenet.com :: Linux | Security | Networking but still can’t make it work properly.
As far as I understand, to make the IDP initiated flow work we need one more “proxy” SAML client that forwards the assertion to the IDP broker in Keycloak that is integrated with the 3rd party IDP (I use Okta). On the other side, Okta should target its SAML assertion at that SAML “proxy” client.
Finally I see the SAML “handshake” happening and Keycloak displays the message “You are already logged in”, and no redirect happens like in the SP initiated flow.
Looks like some small piece is missing somewhere in the configuration that would allow redirecting the user to the proper destination. Setting RelayState in the “proxy” client settings does not help with the redirect.
I’d appreciate any help. Thanks.