Keycloak as SP for SAML IDP

I am trying to configure Keycloak as a SAML service provider for an external Identity Provider with an IDP-initiated login flow. At the moment I am testing with https://samltest.id/ but the requirement is to support other providers like Microsoft AD, Okta and others.
I have configured samltest.id as a SAML IDP in Keycloak (I use version 8.0) and imported the samltest.id metadata during configuration of the IDP. I also exported my Keycloak metadata into a file and imported it into samltest.id.
Attempting to initiate login from the samltest.id side results in an “Invalid request” error page and in the logs I get
12:22:40,036 WARN [org.keycloak.events] (default task-43) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Dubber, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalidRequestMessage
12:22:40,036 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-43) invalidRequestMessage
The first issue that I am facing is that it is not clear whether I need to install SAML adapters for Keycloak. Do I need to do it?
Second, do I need to configure any mappers for my IDP?
And finally, do I need to configure any Keycloak client in my scenario?

Thanks a lot in advance.

Hi, I have the same issue when I use an external Identity Provider with SAML 2.0. I cannot solve this issue… I am looking into the source code of Keycloak. Have you solved this issue?
My Error Message:
03:52:39,837 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-3) Invalid request. Authorization code, clientId or tabId was null. Code=, clientId=null, tabID=null
03:52:39,837 WARN [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=X.X.X.X, error=invalidRequestMessage
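Added example, not from this thread or from the Keycloak project: a small Python parser that pulls IDENTITY_PROVIDER_LOGIN_ERROR events out of log lines shaped like the ones quoted above and, when the IdentityBrokerService DEBUG line is present on the same worker thread, attaches its detail, so these unsolicited-response failures can be told apart from ordinary login errors when monitoring a Keycloak instance. The log sample is constructed from the format in the thread; the IP addresses are documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
03:52:39,837 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-3) Invalid request. Authorization code, clientId or tabId was null. Code=, clientId=null, tabID=null
03:52:39,837 WARN [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=203.0.113.7, error=invalidRequestMessage
03:53:10,101 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-4) Assertion id123 validity is VALID
03:53:10,102 WARN  [org.keycloak.events] (default task-4) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=203.0.113.8, error=invalidRequestMessage
03:54:00,500 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=203.0.113.9, error=invalid_user_credentials
"""

# "HH:MM:SS,mmm LEVEL [logger] (thread) message", as WildFly/Keycloak prints it.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]*)")  # key=value pairs in org.keycloak.events lines


@dataclass
class BrokerLoginError:
    timestamp: str
    realm: str
    ip: str
    error: str
    reason: Optional[str]  # preceding IdentityBrokerService DEBUG detail on the same thread


def parse_broker_errors(log_text: str) -> List[BrokerLoginError]:
    """Return every IDENTITY_PROVIDER_LOGIN_ERROR event, each joined with the most
    recent IdentityBrokerService DEBUG message logged on the same worker thread."""
    last_debug: Dict[str, str] = {}
    found: List[BrokerLoginError] = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if m["level"] == "DEBUG" and m["logger"].endswith("IdentityBrokerService"):
            last_debug[thread] = msg  # remember the detail; the WARN event follows it
            continue
        if m["logger"] != "org.keycloak.events":
            continue
        fields = dict(KV_RE.findall(msg))
        if fields.get("type") != "IDENTITY_PROVIDER_LOGIN_ERROR":
            continue
        found.append(BrokerLoginError(m["ts"], fields.get("realmId", ""), fields.get("ipAddress", ""),
                                      fields.get("error", ""), last_debug.pop(thread, None)))
    return found


def classify(err: BrokerLoginError) -> str:
    """'unsolicited-saml' when the DEBUG detail shows the broker got no client/tab state
    (the symptom this thread ties to IdP-initiated responses); 'invalid-request' when only
    the WARN event is available; 'other' for any other broker error."""
    if err.error != "invalidRequestMessage":
        return "other"
    return "unsolicited-saml" if err.reason and "clientId=null" in err.reason else "invalid-request"
```

Enabling DEBUG for org.keycloak.services.resources.IdentityBrokerService is what makes the more specific classification possible; without it only the generic invalidRequestMessage event is visible.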

No, I haven’t found a solution via Keycloak yet; for the moment I have implemented my own SAML receiving application and am going to use my app as an external IDP for Keycloak.


Thanks for your information.

There is specific configuration to configure Keycloak for the SAML IDP-initiated flow: https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/saml/idp-initiated-login.adoc. The application that you are integrating with Keycloak needs to be configured as a SAML SP (not the regular OIDC / OAuth flow).

Thanks

Thanks Vijay, appreciate your help!

Hello @vijay, I’m facing the same issue reported by @adob. I’m trying to configure Okta as IdP for Keycloak.

When login starts from Keycloak (we can call it “SP initiated”) it works fine, but when I start from Okta (IdP initiated) it doesn’t work and I see this error in the logs:

08:19:56,497 DEBUG [org.keycloak.saml.common] (default task-229) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-04T08:19:56.497Z
08:19:56,497 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Evaluating Conditions of Assertion id37421891469951621571969445. notBefore=2020-06-04T08:14:56.167Z, notOnOrAfter=2020-06-04T08:24:56.167Z, updatedNotBefore: 2020-06-04T08:12:56.167Z, updatedOnOrAfter=2020-06-04T08:26:56.167Z, now: 2020-06-04T08:19:56.497Z
08:19:56,498 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Assertion id37421891469951621571969445 validity is VALID
08:19:56,498 WARN  [org.keycloak.events] (default task-229) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=[my_realmId], clientId=null, userId=null, ipAddress=[my_ip], error=invalidRequestMessage
08:19:56,498 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-229) invalidRequestMessage

You were mentioning specific config for IDP initiated:

There is specific configuration to configure Keycloak for the SAML IDP-initiated flow: https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/saml/idp-initiated-login.adoc. The application that you are integrating with Keycloak needs to be configured as a SAML SP (not the regular OIDC / OAuth flow).

But this is related to clients and not to Identity Providers. I wasn’t able to find documentation about using an external IdP with an IdP-initiated login flow.

Any suggestion on how to configure it to accept an inbound login flow?


Hi
I am new to Keycloak and am getting the same error while doing IdP-initiated SSO from Okta. What I can guess is that Keycloak needs some data in the RelayState parameter, but in IDP-initiated SSO it is not coming. I am not sure if the below link can help us

Hi,
I’m facing the same issue; were you able to resolve this issue?

Hello @arunvuyala, no, I’ve not solved it. My conclusion was that IdP-initiated login is not supported.

I’ve made a workaround by using a bookmark in Okta