Hi,
I want to make sure which flow is correct:
- Site A → Proxy → Keycloak → Proxy → Site A
- Site A → Proxy → Keycloak → Site A
For OIDC client, I set the redirect_uri as the client url (for both the code and the admin console)
so I guess 2 is right…?
But for SAML client, which I’m currently testing with AzureAD(MS365),
- when I set the Valid Redirect URIs, Assertion Consumer Service POST Binding URL, and Logout Service POST Binding URL to “https://login.microsoftonline.com/login.srf”, the MS login form throws “Cannot find https://[PROXY_DOMAIN]/realms/[realm]” after the ID/PW authentication using keycloak username-password-form.
- when I set the URLs to “https://[PROXY_DOMAIN]/MS” and set the proxy to send to the URL above, it seems to lose the SAML response before it reaches the client; the MS login form asks for the domain again, so I get stuck in a loop.
Keycloak conf file:
proxy=reencrypt
proxy-address-forwarding=true
hostname=[PROXY_DOMAIN]
http-forwarded-host-enabled=true
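One way to check from the outside whether the hostname/proxy settings above are taking effect: the URLs Keycloak publishes in its OIDC discovery document and in the realm's SAML IdP descriptor should all carry the public proxy host, not an internal one. This is an added diagnostic, not code from the original post or from Keycloak; the hostnames, realm name and sample documents are constructed placeholders.

```python
# Added diagnostic (not from the original post): verify that the URLs Keycloak
# publishes behind the proxy carry the public proxy host, not an internal one.
# Hostnames below are constructed placeholders.
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def host_mismatches(pairs, expected_host):
    """Return the names whose URL is missing or has a host other than expected_host."""
    return [name for name, url in pairs
            if not url or urlparse(url).hostname != expected_host]

def check_oidc_discovery(discovery_json, expected_host):
    """Check issuer and endpoints from /realms/<realm>/.well-known/openid-configuration."""
    doc = json.loads(discovery_json)
    keys = ("issuer", "authorization_endpoint", "token_endpoint",
            "end_session_endpoint")
    return host_mismatches([(k, doc[k]) for k in keys if k in doc], expected_host)

def check_saml_descriptor(descriptor_xml, expected_host):
    """Check entityID and SSO/SLO locations from /realms/<realm>/protocol/saml/descriptor."""
    root = ET.fromstring(descriptor_xml)
    pairs = [("entityID", root.get("entityID"))]
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iter("{%s}%s" % (SAML_MD, tag)):
            binding = el.get("Binding", "").rsplit(":", 1)[-1]
            pairs.append(("%s[%s]" % (tag, binding), el.get("Location")))
    return host_mismatches(pairs, expected_host)

# Constructed samples: token_endpoint and the SAML POST binding leak the internal
# hostname, which is how a missing hostname/forwarded-host setting looks from outside.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://proxy.example.com/realms/demo",
    "authorization_endpoint": "https://proxy.example.com/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak:8080/realms/demo/protocol/openid-connect/token",
    "end_session_endpoint": "https://proxy.example.com/realms/demo/protocol/openid-connect/logout",
})
SAMPLE_DESCRIPTOR = """<md:EntityDescriptor xmlns:md="%s"
    entityID="https://proxy.example.com/realms/demo">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak:8080/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://proxy.example.com/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % SAML_MD
```

Fetch the two documents through the proxy with curl and pass their bodies to the two check functions; any name returned points at an endpoint a relying party (here, the MS side) would be told to contact on the wrong host.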