Does SSO between OIDC and SAML2 clients are possible in Keycloak? if so how to achieve this condition, either by IDP initiated or SP initiated authentication process.
Does Keycloak produce cookies that can be used in SAML SP clients, even though we authenticate with OIDC clients?
I'm trying to connect my OIDC clients such as VueJS and Spring Boot applications with SAP ECC EHP7, so that I can use the authenticated user either token or cookie to send request SAP ECC EHP7 API.
I have already configure SAP ECC EHP7 SAML2 configuration to add Keycloak as a trusted identity provider and import it as a SP in Keycloak clients.
I need a clear infrastructure and technical configuration of authentication flow and request on how we can achieve this
Related
I own an application which has it's own IDP - let's call it app1.
I would like to establish SSO to app2 which uses Keycloak as IDP - let' call it app2.
App1:
Up and running, So I cannot convert my IDP to Keycloak
App2:
No users yet
External vendor app (not managed on my domain)
Which possibilities do I have to establish SSO between app1 and app2?
Thanks
One possible scenario:
You could configure app1-IDP as a third-party IDP in your Keycloak. Then set the app1-IDP as the Default Identity Provider in the Identity Provider Redirector Authenticator in your Realms Browser Flow.
If app-IDP should control the SSO session alone, you can then remove the Cookie Authenticator from the Browser Flow.
I am using ForgeRock Access Management as the Identity Provider with an ASP.NET Webforms application as the Service Provider. I am doing an SP initiated SSO. SP is setup as a Remoted Identity Provider, and IDP is setup as a hosted Identity Provider. I have set up identities using the embedded OpenDJ identity store.
The following error is generated in the Federation log after the SP initiates the SSO, and when the IDP is trying to connect to the AssertionConsumerService.
Any inputs would be appreciated.
DEBUG: DoManageNameID.removeIDPFedSession trying to remove entity=http://NiadServiceProvider, nameID=MQn1laR0S3KpqCVnB2AiZvklmWy7 from IDP session cache
o.f.o.s.UtilProxySAMLAuthenticatorLookup: 2022-03-02 17:16:03,024: Thread[http-nio-8080-exec-8]: TransactionId[cee84c25-fa5b-408c-aea6-883ff540f925-548093]
ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
I have requirement to integrate WSo2 IS with Keycloak.
Where from Keycloak I should be able to authentication the users present in WSo2 IS.
You can follow the guide in Configure WSO2 Identity Server as a Federated IDP in Keycloak, to configure WSO2 IS as an OIDC IDP in Keycloak.
Use Identity Brokering. WSo2 IS will be identity provider.
I have one SP and one IDP using Keycloak.
I'm using SAML protocol and I can successfully login and logout when the request is initiated by the SP.
But when connected as an admin in Keycloak I logout an user from his session no request are sent to the SP.
The session is indeed terminated on the IDP side but not on the SP side.
Because of that the user on the SP can still use the application.
I can't see any option in client configuration for that.
Has anyone made IDP initiated log out in SAML works with keycloak ?
Could you give me some directions ?
Thank you for your time.
After some other research this is not a feature of Keycloak.
https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html
Quoting the docs
Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.
I had the same issues using keycloak saml broker. It turned out that enabling back-channel logout (disabling front-channel logout) in keycloak client configuration solved my problem.
I am using 4.8.0.Final
I have WSO2 Identity Server set up together with a web application that is configured for SAML 2.0 SSO.
When a user has authenticated, I want to invoke a SOAP service from this application. The SOAP service trusts the Identity Server and is protected with WS-Security. It expects a SAML 2.0 token in the request.
Is it possible for the application to get a SAML token from the WSO2 STS for the currently logged-in user?
The STS seems to require username/password (or X.509 certificate) to authenticate the user, which I don't have in the application (I have only the username).
Is there another way apart from the STS to get a token for the logged-in user?