What should the endpoint be for a Keycloak IDP initiated SSO? - keycloak

I managed to run the saml-broker-authentication example.
SP initiated SSO works OK.
What should the IDP initiated SSO url be? Thanks.

See http://www.keycloak.org/docs/latest/server_admin/topics/clients/saml/idp-initiated-login.html:
In the Settings tab for your client, you need to
specify the IDP Initiated SSO URL Name. This is a simple string with
no whitespace in it. After this you can reference your client at the
following URL:
root/auth/realms/{realm}/protocol/saml/clients/{url-name}

Related

ADFS do not forward the Logout request to the Identity Provider, if there is an active SAML session

I have next components:
RP-1 (connected by Ws-Fed, WIF)
RP-2 (connected by SAML, Federation Provider, actually it is another ADFS)
MY-ADFS (ADFS Server 2019 as primary STS)
MY-IP (separate Identity Provider web service, Identity Server 4)
Thus, when I make a sign-out request from RP-1 (Ws-Fed), a simple Ws-Fed Logout request is formed to ADFS:
GET https://MY-ADFS/adfs/ls/
wtrealm: https://RP-1.com/
wa: wsignout1.0
wreply: https://RP-1.com/logout/
Next ADFS makes redirect to IP:
GET https://MY-IP/WsFederation
wa: wsignout1.0
wreply: https://MY-ADFS/adfs/ls/?redirectContextId=2dd581d2-6e02-4476-915b-a581e3c855d4
Thus the user clears the session from ADFS and from IP, as expected.
However, if before the logout a transition to the SAML RP was made and the SAML session became active, then upon exiting, ADFS gives an error:
MSIS7055: Not all SAML session participants logged out properly. It is
recommended to close your browser.
To fix it, I configured the logout endpoint (URL) in the SAML relying party trust as:
https://RP-2/adfs/ls/?wa=wsignout1.0
with POST binding. After these changes, the error disappeared. But now ADFS no longer makes the Logout redirect to IP; instead it does a SAML Logout redirect to RP-2:
POST https://RP-2/adfs/ls/?wa=wsignout1.0
SAMLRequest: PHNhbWxwOkxvZ291dFJl
And as a result, instead of switching to IP, I remain on the RP-2 (also ADFS) page where it is written that the exit was successful. However, the user still has an active session (cookies) on the IP side.
Several questions here:
It is not clear why ADFS changes the chain of calls with the SAML active session.
It is not clear how to exclude SAML Logout redirects, or force ADFS to make Logout to IP also.
You will have to add the logout URL on the IP (Identity Provider) side as well, to ensure that the SAML token generated by signing out from the SaaS application through ADFS is forwarded to the Identity Provider and is updated for logout at the IP authorization provider end, so that the cookie in the browser will be updated and sign-out will be processed smoothly.
Please find below the probable steps to update the logout URL at the Identity Provider end:
Open the authentication provider workspace.
Find the logout URL.
Update the URL to the ‘https://RP-2/adfs/ls/?wa=wsignout1.0’ same as that configured in ADFS Server.
Save your changes.
And as for your first query, why ADFS changes the chain of calls with a SAML active session: it is because the cookies and cache must be removed from the system for a successful logout request; thus the logout time recorded when signing out is updated at the SaaS app end, and thus it is recommended to close the browser and let it update in the system also.
Thus, I recommend you open both RP trust apps in different browser windows, as both are configured for different token providers.
Please refer to the below thread for more information:
How do you handle the logout process for applications federated with ADFS?
Thanking you,
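When debugging which participant ADFS is actually sending the SAML Logout to, it helps to decode the SAMLRequest field and read the LogoutRequest inside it. The following is an added example, not code from the question or from ADFS; the LogoutRequest it decodes is a constructed sample with placeholder IDs, issuer and NameID, and it handles both the HTTP-POST binding (plain base64, as in the POST above) and the HTTP-Redirect binding (DEFLATE + base64 + URL-encoding). The `PHNhbWxwOkxvZ291dFJl` prefix quoted in the question is simply the base64 of `<samlp:LogoutRe`.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed LogoutRequest standing in for the one ADFS posts to RP-2 above;
# IDs, issuer and NameID are placeholders, not values from any real deployment.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://RP-2/adfs/ls/?wa=wsignout1.0">'
    "<saml:Issuer>https://MY-ADFS/adfs/services/trust</saml:Issuer>"
    "<saml:NameID>user@example.com</saml:NameID>"
    "<samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is plain base64."""
    return base64.b64encode(xml_text.encode()).decode()

def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")

def decode_saml_message(value: str, binding: str) -> str:
    """Reverse either binding; binding is 'post' or 'redirect'."""
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote(value))
        return zlib.decompress(raw, -15).decode()
    return base64.b64decode(value).decode()

def summarize_logout_request(xml_text: str) -> dict:
    """Pull out who issued the request, for whom, and which session it ends."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "session_indexes": [s.text for s in root.findall(f"{{{SAMLP}}}SessionIndex")],
    }
```

Feed the real SAMLRequest value from the browser's network tab to `decode_saml_message` to see the Destination and Issuer ADFS put in the request; the Destination tells you which logout endpoint ADFS chose.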

Keycloak IDP initiated logout SAML

I have one SP and one IDP using Keycloak.
I'm using SAML protocol and I can successfully login and logout when the request is initiated by the SP.
But when, connected as an admin in Keycloak, I log out a user from his session, no request is sent to the SP.
The session is indeed terminated on the IDP side but not on the SP side.
Because of that the user on the SP can still use the application.
I can't see any option in client configuration for that.
Has anyone made IDP-initiated logout in SAML work with Keycloak?
Could you give me some directions ?
Thank you for your time.
After some other research, this is not a feature of Keycloak.
https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html
Quoting the docs:
Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.
I had the same issue using the Keycloak SAML broker. It turned out that enabling back-channel logout (disabling front-channel logout) in the Keycloak client configuration solved my problem.
I am using 4.8.0.Final

SSO with Okta as an SP

I have an identity provider that connects to a service provider. I'm trying to put Okta in the middle of the IDP and the service provider (so that Okta acts as an SP).
I got Okta to work directly with the SP. (I also got the IDP to work directly with the SP.) I'm having an issue getting the IDP to work with Okta in the middle.
Does the IDP's certificate go somewhere in Okta in this case? Does the SP need any information about the IDP?
Is it possible that I have admin access but couldn't find the add identity provider option in Okta?
Would be curious to know what your use case is.
If you put Okta in the middle - then Okta is part SP (to your IDP) and part IDP (to your ultimate SP).
For the part where Okta is SP - you can leverage the instructions here - https://support.okta.com/help/articles/Knowledge_Article/40561903-Configuring-Inbound-SAML to set up an inbound SAML endpoint.
For the second part - to integrate Okta to your SP, you can use the instructions here to set up a SAML app via our App Wizard - https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
If your SP happens to be in our app catalogue, then you can simply do "add application" under the Application tab in the admin console and follow the instructions there to set up SAML with the app.

WSO2 IS with SimpleSaml as Identity Provider

We would like to implement such additional configuration for SSO in our organization:
Web application (with SpringSaml) --- WSO2 IS 5.0.0 --- SimpleSaml as IDP for WSO2 IS.
Our working SSO configuration is:
Other Services --> SimpleSaml
Almost everything works OK. But if I log in to WSO2 IS from my application, and from another service I log in to SimpleSaml, and that other service sends a LogoutRequest to SimpleSaml, then WSO2 IS receives the LogoutRequest from SimpleSaml but doesn't answer, and WSO2 IS produces the error:
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
I think it is due to the absence of the sessionDataKey parameter in the logout request from SimpleSaml.
In the IDP metadata for SimpleSaml I set a SingleLogoutService as:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<server>:9443/commonauth"/>
Maybe it is not the right URL. But I can't find the SingleLogout URL for our configuration.
Could somebody help resolve this problem, or is it not possible to use WSO2 IS in such a configuration?
Many thanks in advance!
P.S. I'm very sorry for my English.
What I understood from your comments is that you have a setup of SimpleSamlPHP as your IDP which is connected to multiple SPs. Even the SimpleSamlPHP is connected to WSO2 IS too. One of the SPs sends the Logout request to your SimpleSAMLPHP and the SimpleSAMLPHP passes the Logout request to WSO2 IS.
Let me describe how the logout request works for an SP-initiated Logout request.
1. LogoutRequest issued by SP to IDP.
2. IDP determines authenticated SPs for the given user session. If there are no SPs other than the SP who sent the logout request, the profile proceeds with step 5. Otherwise, steps 3 and 4 are repeated for each SP.
3. LogoutRequest issued by IDP to SP.
4. SP issues LogoutResponse to IDP.
5. IDP issues LogoutResponse to the SP who sent the logout request.
The Logout URL can be your custom URL where you want the user to be redirected.
Refer to the below URL to configure the external IDP in WSO2 IS.
http://pushpalankajaya.blogspot.com/2014/09/leveraging-federation-capabilities-of.html
If you are using the /samlsso endpoint in WSO2 IS, it means that you are using SAML2 SSO. Therefore, you must send a proper logout request to the /samlsso endpoint. If you need more of an idea about SSO logout with SAML2 SSO, please go through the below URL.
http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/
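The five-step SP-initiated SLO sequence in the answer above, and the IdP-initiated (admin) logout from the Keycloak question earlier on this page, can both be modelled with a small IdP session store. This is an added example, not WSO2 IS, Keycloak or SimpleSAMLphp code; the SP names and session IDs are constructed. It records the order of LogoutRequest/LogoutResponse messages the IdP exchanges, and for the admin-triggered case shows which participants are left with a live local session when the IdP has no back channel to them.

```python
from dataclasses import dataclass, field

@dataclass
class IdpSession:
    """One IdP-side SSO session and the SPs that authenticated through it."""
    user: str
    participants: list = field(default_factory=list)  # SP entity IDs, in login order
    active: bool = True

class Idp:
    def __init__(self):
        self.sessions: dict = {}

    def login(self, session_id: str, user: str, sp: str) -> None:
        s = self.sessions.setdefault(session_id, IdpSession(user))
        if sp not in s.participants:
            s.participants.append(sp)

    def sp_initiated_logout(self, session_id: str, requester: str) -> list:
        """Steps 1-5 of the SP-initiated profile described above.
        Returns the ordered (from, to, message) triples the IdP receives or sends."""
        s = self.sessions[session_id]
        exchange = [(requester, "IDP", "LogoutRequest")]           # step 1
        others = [sp for sp in s.participants if sp != requester]  # step 2
        for sp in others:
            exchange.append(("IDP", sp, "LogoutRequest"))          # step 3
            exchange.append((sp, "IDP", "LogoutResponse"))         # step 4
        s.active = False
        exchange.append(("IDP", requester, "LogoutResponse"))      # step 5
        return exchange

    def idp_initiated_logout(self, session_id: str, backchannel_sps: set) -> dict:
        """Admin-triggered logout: the IdP session ends, but only SPs the IdP can
        reach on a back channel get a LogoutRequest. Any other participant keeps a
        live local session, which is the situation the Keycloak question describes."""
        s = self.sessions[session_id]
        s.active = False
        notified = [sp for sp in s.participants if sp in backchannel_sps]
        stale = [sp for sp in s.participants if sp not in backchannel_sps]
        return {"notified": notified, "still_logged_in": stale}
```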

PingFederate IdP-initiated Logout, redirect to TargetResource

PingFederate Logout From IdP flow, as in the PingFederate documentation:
Sequence:
1. User initiates a single logout request. The request targets the PingFederate server's /idp/startSLO.ping endpoint.
2. PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.
3. PingFederate redirects the request to the IdP Web application's Logout Service, which identifies and removes the user's session locally.
4. The application Logout Service redirects back to PingFederate to display a logout-success page.
But I have a slight problem regarding the application Logout Service, which needs to be set in the IdP adapter configuration.
The problem is I have a dynamic logout URL, due to which I can't use it in the Logout Service.
Currently I am trying to initialize the IdP-initiated SLO, for which I am passing TargetResource to redirect the user to the IdP after SLO success:
https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout
Question:
So how can I rig the PingFederate setting to skip Step 3, so that instead of redirecting to the IdP Logout service it redirects to TargetResource?
What I have tried:
I know it sounds cheesy, but actually I kept the IdP logout service blank. But obviously it wasn't working.
P.S. The awkward thing is that when I was using the same PF server for configuring both the IdP and SP it was working well. But when I switched to a separate instance of PF server for hosting the PingFederate server, the consequence is showing up.
You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET: I have a web service that handles the SLO and calls this redirect:
Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)
This redirect will instantiate the Logout service and then redirect back to the value of the TargetResource parameter that you specified when you called the logout service.
If your TargetResource does not have a value, the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs).
For reference: just review the implementation of the sample application, which you may download here:
https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip
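Because TargetResource in the /idp/startSLO.ping URL is a redirect target the application builds from a dynamic host, the practical safeguard is to allow only hosts you own before putting it in the URL, and to accept the "resume" value only as a path. The following is an added example, not PingFederate's or the integration kit's code; the PingFederate base URL, PartnerSpId, and the `.baseurl.com` host suffix are taken from the question above and are assumptions, and the resume/redirect helper is a Python sketch of the .NET line in the answer.

```python
from urllib.parse import urlencode, urlsplit

# Assumed values from the question above; adjust for your deployment.
PF_BASE = "https://idp.pf.com:9031"
ALLOWED_SUFFIXES = (".baseurl.com",)   # hosts a TargetResource may point at

def target_allowed(url: str) -> bool:
    """Accept only absolute http(s) URLs whose host is the allowed domain or a
    subdomain of it, so a dynamic TargetResource cannot send the browser elsewhere."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    host = p.hostname.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_SUFFIXES)

def build_start_slo_url(partner_sp_id: str, target_resource: str) -> str:
    """Step 1 of the sequence: the URL the application sends the user to."""
    if not target_allowed(target_resource):
        raise ValueError(f"refusing TargetResource outside allowed hosts: {target_resource}")
    query = urlencode({"PartnerSpId": partner_sp_id, "TargetResource": target_resource})
    return f"{PF_BASE}/idp/startSLO.ping?{query}"

def logout_service_redirect(pf_host: str, resume: str) -> str:
    """Step 4 as in the .NET answer: after clearing the local session, send the
    browser back to PingFederate at the 'resume' path. Only a path is accepted,
    so the parameter cannot be turned into a redirect to another host."""
    if not resume.startswith("/") or resume.startswith("//"):
        raise ValueError("resume must be a path on the PingFederate host")
    return pf_host.rstrip("/") + resume
```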