Keycloak as SP with external SAML IDP

Hi,

We have set up our app such that the app is configured as an OIDC client of Keycloak, and Keycloak is configured as a SAML SP to an external SAML IDP. Now we do SP-initiated SSO from the app using kc_idp_hint, such that the user starts from the app and gets redirected to Keycloak, and Keycloak redirects the user to the IDP. After authentication at the IDP the user's browser comes back to Keycloak, Keycloak generates an authz code and redirects the user to the app, and the app then exchanges the code with Keycloak to get the user attributes. This flow is working as expected. Now we want an IDP-initiated flow such that the user clicks a link on the IDP (an IDP-generated SSO link) and lands on the app; we see that it fails after landing on Keycloak. Is there any way we can get it working so that both the IDP-initiated flow and the SP-initiated flow work in the app (while the app is an OIDC/OAuth client of Keycloak)?

Thanks,
Vijay Abhi

Hi @vijay, my scenario is the same. I want to ask whether this was solved for you?

Hi all,

Any update on this subject? I’ve been searching without any luck.

I’ve spent a bit of time trying to better understand this and from what I can tell, Keycloak requires the ACS URL to be defined on a per-client level for IdP-initiated SSO. This means that the standard, exportable SAML metadata will not be valid for IdP-initiated SSO.

The ACS URL for a SAML client will be root/auth/realms/{realm}/protocol/saml/clients/{url-name} per the Keycloak documentation (https://www.keycloak.org/docs/11.0/server_admin/#idp-initiated-login) while the ACS URL for a SP-initiated SSO will be root/auth/realms/{realm}.

From my experience with SAML, I have not seen an ACS that would be configured for separate endpoints, meaning that if you want to support BOTH IdP and SP-initiated SSO, you would need to set up two distinct SPs (one for IdP-init, one for SP-init). This way the SAML metadata would remain accurate for export/URL-sharing AND the same ACS could be used for both IdP and SP-initiated SSO.

I would love to see an enhancement to Keycloak that would allow for consuming SAML from an external IdP, and relying on something protocol-specific (like the relayState URL) to forward to the downstream client that the end-user is attempting to access.

Hope that helps!

Hi @vijay, could you share some details about the setup of the “kc_idp_hint”?
I’ve configured KC as SP with an external SAML IDP; does it mean I need to create a client for this external SAML IDP?
Thanks

@jolson_wfs In IDP-initiated SSO from the external IDP, so Keycloak (as SP) is not using the RelayState value for redirecting to the client app? I have just created another thread for this: Relay State in IDP-initiated SSO from external IDP.

Hey @vijay, did you manage to get this to work?

Hi @jolson_wfs, does your workflow match the following:

  1. Login to my identity provider (like ping, okta, Azure AD etc)
  2. Click on the app that my admin has created
  3. Clicking on the app should SSO the user to keycloak (where I have created an Identity Provider and a client)

If so, did you manage to get that working, and can you share any more information about the ‘Steps to do’ and the IDP that you were using?

Hi - that’s definitely a workflow that aligns with many of our customer workflows (we’re using Keycloak as our SSO service provider).

With apps like OneLogin, etc. there are scenarios where you can configure it as an SP-initiated SSO, which would then invoke the SP-initiated authentication flow. The provider just redirects to the app and the app triggers the authentication flow back to the IdP. I think both OneLogin and Okta support this. I don’t believe that Azure AD does but I may be wrong there.

Thank you @jolson_wfs. Given that it aligns with your customer workflows, I’d like to dig deeper into the details, if that’s ok.

  1. I am using ‘Jumpcloud’ as the IDP. I have created userA on Jumpcloud that needs to SSO to keycloak and consequently to my application.
  2. I have setup an identity provider on Keycloak corresponding to a SAML app that I created on Jumpcloud.
  3. Next, I visit the <KeyCloak_Host>/auth/realms/<realm_name>/account/ page (this is not my application, but I am using this page as a test). This is the ‘My Account’ page of Keycloak.
  4. The login page now shows me an option to ‘Login with Jumpcloud’. Clicking on that button takes me to the Jumpcloud login page.
  5. UserA enters credentials and is then redirected back to Keycloak and is logged on to the ‘My Accounts’ page.

Steps 1-5 work like a charm and make up the SP-initiated workflow, correct?

Questions:

  1. Is your setup similar? Can you provide any details if possible? Is there an example on the web that you may be able to point me to?
  2. What URL did you configure in the IDP (in my case Jumpcloud)? When I view the URL during the SP-initiated workflow, I see that there are several query params like ‘state’, ‘nonce’, ‘code_challenge’, ‘code_challenge_method’ etc. and these params cannot be hard-coded in the IDP.
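The following is an added example, not code from any participant in this thread or from the Keycloak project. It shows the SP-initiated side described in the original post (the app sends the user to Keycloak with kc_idp_hint) and why the ‘state’, ‘nonce’, ‘code_challenge’ and ‘code_challenge_method’ parameters asked about in the last question cannot be pasted into a static link on the IdP: they are generated fresh for every request and the app checks them on the way back. All hostnames, the realm, client id and IdP alias are constructed placeholders; the Keycloak path `/realms/{realm}/protocol/openid-connect/auth` is the standard OIDC authorization endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder deployment values (assumptions, not from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "myrealm"
CLIENT_ID = "my-app"                       # OIDC client registered in Keycloak
REDIRECT_URI = "https://app.example.com/callback"
IDP_ALIAS = "jumpcloud"                    # alias of the SAML identity provider in Keycloak


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(idp_hint=IDP_ALIAS):
    """Build the SP-initiated authorization URL the app sends the browser to.

    Returns (url, session) where `session` holds the per-request secrets the
    app must store server-side (state, nonce, code_verifier). Each call makes
    new random values, which is why a fixed SSO link on the IdP side cannot
    carry them: they only exist once the app has started a login.
    """
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(24)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "kc_idp_hint": idp_hint,  # Keycloak skips its login page and brokers to this IdP
    }
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def check_callback(callback_url, session):
    """Validate the redirect back from Keycloak before exchanging the code.

    Returns the authorization code only when the `state` in the callback equals
    the one this app issued; a callback that did not originate from an
    app-started request (no matching state) is rejected, which is the
    login-CSRF protection the OIDC flow relies on.
    """
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    if code is None or state is None:
        return None
    if not secrets.compare_digest(state, session["state"]):
        return None
    # Next step (not shown): POST code + session["code_verifier"] to the token
    # endpoint and verify the ID token's nonce against session["nonce"].
    return code


if __name__ == "__main__":
    auth_url, sess = build_authorization_request()
    print(auth_url)
```

The practical consequence for the last question in the thread is that the IdP can only ever be given a stable entry point (for example the app's own login URL, which then runs build_authorization_request), never the full authorization URL with its one-time parameters.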