I am trying to configure Keycloak as SAML service provider for an external Identity Provider with IDP initiated login flow. At the moment I am testing with https://samltest.id/ but requirement is to support other providers like Microsoft AD, Okta and others.
I have configured samltest.id as SAML IDP in the Keycloak (I use version 8.0) and imported samltest.id metadata during configuration of the IDP. I also exported my Keycloak metadata into a file and imported it into a samltest.id.
Attempting to initiate login from the samltest.id side results in an “Invalid request” error page, and in the logs I get:
12:22:40,036 WARN [org.keycloak.events] (default task-43) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Dubber, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalidRequestMessage
12:22:40,036 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-43) invalidRequestMessage
The first issue I am facing is that it is not clear whether I need to install SAML adapters for Keycloak. Do I need to do that?
Second, do I need to configure any mappers for my IDP?
And finally, do I need to configure any Keycloak client in my scenario?
Hi, I met the same issue when I use an external Identity Provider with SAML 2.0. I cannot solve this issue… I am looking into the source code of Keycloak. Have you solved this issue?
My Error Message:
03:52:39,837 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-3) Invalid request. Authorization code, clientId or tabId was null. Code=, clientId=null, tabID=null
03:52:39,837 WARN [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=X.X.X.X, error=invalidRequestMessage
No, I haven’t found a solution via Keycloak yet; for the moment I implemented my own SAML receiving application and am going to use my app as an external IDP for Keycloak.
Hello @vijay, I’m facing the same issue reported by @adob. I’m trying to configure Okta as IdP for Keycloak.
When login starts from Keycloak (we can call it “SP initiated”) it works fine, but when I start from Okta (IdP initiated) it doesn’t work and I see this error in the logs:
But this is related to clients and not to Identity Providers. I wasn’t able to find documentation about using an external IdP with an IdP initiated login flow.
Any suggestion on how to configure it to accept an inbound login flow?
Hi
I am new to Keycloak and am getting the same error while doing IdP initiated SSO from Okta. What I can guess is that Keycloak needs some data in the RelayState parameter, but in IdP initiated SSO it’s not coming. I am not sure if the below link can help us
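To make the RelayState guess above checkable, here is an added diagnostic (my own example, not Keycloak code and not from any poster): it parses the HTTP-POST binding body an IdP sends to the broker endpoint, classifies the response as SP- or IdP-initiated by the presence of InResponseTo, and flags the two conditions that commonly make a broker reject it: a missing RelayState and a Destination that does not match the ACS. The broker URL, realm, IdP alias and the sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical broker endpoint; Keycloak's SAML IdP endpoint has the shape
# /realms/<realm>/broker/<idp-alias>/endpoint (realm and alias are placeholders).
BROKER_ACS = "https://keycloak.example/auth/realms/demo/broker/okta/endpoint"

# Constructed, unsigned sample: no InResponseTo, as an IdP-initiated response
# looks (a real one also carries a Signature and an Assertion).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" Destination="%s">'
    '<saml:Issuer>https://idp.example/metadata</saml:Issuer>'
    '</samlp:Response>' % BROKER_ACS
)

def make_body(response_xml, relay_state=None):
    """Build the form body an IdP POSTs to the ACS (HTTP-POST binding)."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)

def inspect_saml_post(body, expected_acs=BROKER_ACS):
    """Classify the flow and list reasons a broker endpoint may reject it."""
    form = parse_qs(body, keep_blank_values=True)
    raw = form.get("SAMLResponse", [""])[0]
    relay = form.get("RelayState", [""])[0]
    # ElementTree is fine for this offline demo; use a hardened XML parser
    # (and verify the signature) before trusting a real response.
    root = ET.fromstring(base64.b64decode(raw))
    in_response_to = root.get("InResponseTo")
    destination = root.get("Destination")
    problems = []
    if not in_response_to and not relay:
        problems.append("IdP-initiated response carries no RelayState, so the broker "
                        "has no clientId/tabId to resume a login (cf. 'clientId=null')")
    if destination != expected_acs:
        problems.append("Destination %r does not match the broker endpoint" % destination)
    return {"issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
            "flow": "SP-initiated" if in_response_to else "IdP-initiated",
            "relay_state_present": bool(relay),
            "problems": problems}

if __name__ == "__main__":
    print(inspect_saml_post(make_body(SAMPLE_RESPONSE)))
```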
Is this the workflow that others on here are trying to achieve as well? Did anyone manage to solve this?
Login to my identity provider (like ping, okta, Azure AD etc)
Click on the app that my admin has created
Clicking on the app should SSO the user to keycloak (where I have created an Identity Provider)
I have an OIDC client created in keycloak for my angular application. The goal is, on clicking the application (in the okta IDP), the user should be SSO’ed to keycloak (have a keycloak session created) and then also logon to my angular application.
@fabiograssofy did you need to support other IDPs as well or was it just okta? Also, how does a bookmark help with SSO? Did you have to configure anything on keycloak to be able to setup a SSO session (on clicking the bookmark)?
Was anyone able to make the flow work? I am trying to make the IDP initiated flow work with Azure AD as IDP and Keycloak as SP, and behind Keycloak I have an Angular app on OIDC.
I’m facing the same issue. We are trying to login via Azure AD.
It gives the following error after successful password verification from Azure AD:
“Login timeout. Please sign in again.”