My application supports SAML integration.
I could integrate it to OKTA directly, however my SAML is a bit complex and I need additional attributes that OKTA cannot get.
I would like to try to use KeyCloak as a proxy between OKTA and my application to complete this information as follows:
- User logs in to OKTA or clicks on the OKTA button on the KeyCloak login page.
- The user gets a SAML assertion and is redirected to KeyCloak.
- KeyCloak receives the user session and, using an extension, integrates with an LDAP server to fetch additional attributes.
- KeyCloak creates a new SAML assertion with the user information and additional attributes, responds back to the user and redirects him to my application with the newly assembled SAML assertion.
So far I have had no luck creating such a use case.
Either IDP-initiated from OKTA to KC is not an option, and/or SP-initiated from KC to OKTA and back to KC and my application is not an option.
What do you think?
Is that an acceptable scenario?
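An added example, not from the post or from Keycloak itself, modelling the brokering step described above in Python: the broker validates the inbound Okta assertion (issuer, audience, expiry), adds attributes from an LDAP stand-in, and re-issues an assertion addressed to the application. Entity IDs, the LDAP data and the inbound assertion are constructed; XML signing and signature verification are deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Added example (not from the post) modelling the proxy step described above. XML signing and
# signature verification are omitted; a real broker must verify Okta's signature before trusting anything.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)
OKTA_ISSUER = "https://okta.example.com/idp"                    # assumed entity IDs
BROKER_ENTITY_ID = "https://keycloak.example.com/realms/demo"
APP_ENTITY_ID = "https://app.example.com/saml/metadata"
# Constructed inputs: an LDAP stand-in and an inbound assertion roughly as Okta would issue it (unsigned).
LDAP_DIRECTORY = {"alice@example.com": {"department": "Security", "employeeNumber": "1042"}}
INBOUND_XML = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0"><saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction><saml:Audience>{BROKER_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
def ts(iso): return datetime.fromisoformat(iso.replace("Z", "+00:00"))  # SAML timestamps are UTC

def parse_inbound(xml_text, expected_issuer, expected_audience, now):
    """Return (NameID, {attr: [values]}); reject a wrong issuer, wrong audience or expired assertion."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if ts(now) >= ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if expected_audience not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this broker")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def build_outbound(name_id, attrs, issuer, audience, not_on_or_after):
    """Assemble the re-issued assertion for the application, with its own audience and expiry."""
    sub = lambda parent, tag, **kw: ET.SubElement(parent, f"{{{SAML}}}{tag}", **kw)
    root = ET.Element(f"{{{SAML}}}Assertion", Version="2.0")
    sub(root, "Issuer").text = issuer
    sub(sub(root, "Subject"), "NameID").text = name_id
    sub(sub(sub(root, "Conditions", NotOnOrAfter=not_on_or_after), "AudienceRestriction"), "Audience").text = audience
    statement = sub(root, "AttributeStatement")
    for name, values in attrs.items():
        attr = sub(statement, "Attribute", Name=name)
        for value in values:
            sub(attr, "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")

def broker(inbound_xml, now):
    name_id, attrs = parse_inbound(inbound_xml, OKTA_ISSUER, BROKER_ENTITY_ID, now)
    for key, value in LDAP_DIRECTORY.get(name_id, {}).items():
        attrs[key] = [value]                                    # attributes Okta could not supply
    return build_outbound(name_id, attrs, BROKER_ENTITY_ID, APP_ENTITY_ID, "2030-01-01T00:05:00Z")
```

Running `broker(INBOUND_XML, "2025-06-01T12:00:00Z")` returns an assertion issued by the broker, addressed to the application, carrying Okta's `email` plus the LDAP-sourced `department` and `employeeNumber`.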