SAML service provider as identity provider to another service? - saml

Here is the scenario.
1. Service Provider ABC.com is configured to accept credentials from IDP MNO.com.
2. Service Provider is also configured as an Identity Provider for XYZ.com.
3. User requests resource from ABC.com, is authenticated successfully against MNO.com.
4. Now the user wants a resource from XYZ.com.
XYZ will ask ABC if the user is authenticated. The user authenticated originally against MNO.com. MNO.com and XYZ.com do not know about each other. Do the credentials originally authenticated against MNO.com cross over to XYZ.com? In other words, will ABC.com consider the user authenticated, and will it provide those credentials received from MNO.com to XYZ.com?
If not, is there a way to achieve this or does the original IdP (MNO.com) need to also service XYZ.com?
In short:
Identity Provider: MNO.com trusts SP: ABC.com
SP: ABC.com also configured as IDP to XYZ.com
SP: XYZ.com does not know about IDP: MNO.com
Do the credentials from MNO.com get passed to XYZ.com just because ABC.com is both an SP and Identity Provider?
Thanks

Ideally there will be one Identity Provider (MNO.com) in your case. All associated Service Providers need to be configured inside the IDP. You have two SPs, "abc.com" and "xyz.com", which should be configured with MNO.com; however, abc.com and xyz.com are not required to know each other.
Use case: if the user tries to log in to xyz.com, which is protected by IDP MNO.com, then MNO.com will ask for credentials if the user has not logged in previously. Now the user will be able to access xyz.com. If he then wants to access abc.com, the request will go to the IDP for authentication and succeeds due to the previous session created by xyz.com. So the user will be able to access abc.com without logging in again.
Let me know if you have any doubt.

Related

Keycloak Identity provider rest endpoint to login with identity provider

I have created an identity provider and from the browser it's working fine.
Reference: Keycloak Identity provider post-broker-login throwing error
From the browser I can log in with the external IDP, and if the external IDP user is not there in Keycloak it gets created in Keycloak, which is absolutely fine, and redirects to the dashboard.
But my question is how can we do this flow with the Keycloak REST API?
Is there any API to log in with the external IDP that will return the token of the external IDP as well as the token of Keycloak?
For the typical user authentication use-case, ideally the user would simply get redirected to the Keycloak login page of your realm, would click on the external IDP, and proceed with the authentication process.
But my question is how can we do this flow with the Keycloak REST API?
Via the Keycloak REST API I do not think you can perform this exact flow, at least not out-of-the-box.
Is there any API to log in with the external IDP that will return the token of the external IDP as well as the token of Keycloak?
You can use Keycloak's Direct Access Grant flow (aka Resource Owner Password Credentials Grant in terms of the OAuth2 specification) to exchange the user's credentials for a token from the external IDP. Afterwards, you can then perform an external-to-internal token exchange of the token from the external IDP for a token from your internal Keycloak realm.
Bear in mind, however, that some might consider this approach as not being a good practice; read more about it in this Stack Overflow thread.

Problem with Keycloak and logout from SAML identity provider

I have a problem with Keycloak's configuration and Single Logout from a SAML Identity Provider.
Scenario:
User tries to log into Service Provider using Keycloak's client (OID)
KC redirects to SAML identity provider
Entering correct credentials, the user is logged in, KC creates a session and the user is redirected back to the SP page
In another tab the user directly logs into the IP (no credentials are needed because of SSO)
User logs out from SP
After refreshing the 2nd tab (IP), the user is logged out.
However, if the user logs out from the IP first, the SP session is not closed and the user is still logged in:
User logs out from IP (redirect to KC endpoint and return back to IP login page)
After refresh, the user is still logged in to SP
Keycloak correctly receives the samlp:LogoutRequest and returns:
<samlp:LogoutResponse
...
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In the KC admin console I can still see there is an active session for the given client (and user). Actually I can see the SAML logout request from the IP only in KC stdout (request-dumper filter), but no logout event occurred in KC.
I don't really understand in detail how SAML works, but shouldn't the user be logged out from the SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration?
Thank you for your help/explanation
Requirements for Global Logout to work
Clients which are being used for both the service providers should be in the same realm.
When you log out from the IdP, do you see a request being fired to log out from each of the service providers? I believe in your case it is not calling the Logout URL for your SP. That needs to be configured at the client level.
If the logout URL for the SP is being called and even then you are still logged in to your SP, then it means that the SP has some issues in its implementation of logout.
When you log out from the SP first, your SP is sending a logout request to the IdP, and that's why you are being logged out from the IdP as well as the SP.
But in the other case, I believe the Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration so I can help you better?

Pingfederate kerberos authentication is authenticating any user from any domain

I am trying to configure SAML SSO with OpenAM as SP and PingFederate as IDP with SP-initiated SSO, using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.
I have configured the Kerberos adapter to use the "e-glue.com" domain and provided KDC details in the configuration. I have also run "setspn" for the PingFederate server on the domain controller properly.
However, when I log in to a computer with a valid "e-glue.com" user and hit the SSO URL "https://hostname.e-glue.com:1912/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=ent-026330&metaAlias=/sp", it redirects me to the IDP, SSO is successful and the user gets created in OpenAM.
But if I do the same thing from another domain, which is not "e-glue.com", it still authenticates the user and the user is created in OpenAM.
This is so strange; there is something missing, as a user who is not part of the e-glue domain is getting authenticated even though we configured the Kerberos adapter to use the e-glue.com KDC. I am missing something, not sure what.
Please share if you have any information about what is going wrong.
It happened because of an inter-domain trust relationship.
PingFederate (IDP) is configured to authenticate users via the "e-glue.com" domain.
So I logged in to my computer, which was in domain "someother.domain".
But this "someother.domain" implemented an Active Directory Domain Services forest and has a trust relationship between "e-glue.com" and itself. So all users logged in to the IDP are also VALID users because of the trust relationship.
It took me some time to understand this.

How to send assertion from one Service Provider to another Service Provider to enable Single Sign on

I have two service providers (SP) and one common identity provider (IDP).
I can log in to both my SPs through IDP-initiated SSO.
I have the same user in both my SPs, so user lookup is working fine.
After logging in through the IDP I have landed in SP1. In SP1 I want a link that redirects to the SP2 landing page without calling the login to the IDP again.
How can I do this?

Keycloak with OpenIdConnect external identityprovider

I have an external OpenID Connect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to the Keycloak login page. On the login page I have the external OpenID Connect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is an identityserver3 instance). The external provider does authenticate the user and sends back a code.
Now the redirect URL for the registered client in the external identity provider is that of Keycloak. So after authentication is successful at the external IDP it sends back the code (because it is the Auth code flow) to Keycloak at the redirect URL:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
If you look at the URL, it ends with endpoint. I don't think that's correct, but I cannot change it in Keycloak (it's disabled) and, because of that, not in the external IDP client configuration either.
Keycloak does not understand the above URL and errors out with the message "unexpected error when authenticating with Identity Provider".
Isn't Keycloak supposed to understand the code flow and make another request for the token after receiving the code? Then the external IDP will respond with the token and Keycloak will send back that token to the client (and will also store it for future use).
Can someone please share some knowledge on how Keycloak works with an external OpenID Connect ID provider with the code flow?
Usually the redirect URI for external identity providers takes the form {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, the authorization code will be sent to this URL, which in turn will redirect to the redirect URL of your client application (specified when registering the client in Keycloak).
"Unexpected error when authenticating with Identity Provider" is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because Keycloak is unable to get a token from identityserver3 by exchanging the authorization code. Where did you host identityserver3? Does it have a real CA certificate, or are you using a self-signed certificate? Have you configured client_id, secret and token endpoint properly in the Keycloak external IDP configuration? You can test manually by posting client_id, secret and the code (that you received) to the token endpoint of identityserver3.
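The two token-endpoint calls discussed on this page, as an added example (not Keycloak's or identityserver3's code): the manual authorization-code exchange the answer above suggests for debugging the broker, and the external-to-internal token exchange described in the Keycloak REST API answer earlier, using the parameter names Keycloak documents for it. Endpoint URL, client id, secret and code are assumed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def code_exchange_body(client_id, client_secret, code, redirect_uri):
    # The POST Keycloak's broker makes to the external IdP after it receives
    # ?code=... on .../broker/{provider}/endpoint. Sending it by hand shows the
    # IdP's real error instead of Keycloak's generic "unexpected error".
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the broker endpoint URL
    })


def keycloak_token_exchange_body(client_id, client_secret, external_token, idp_alias):
    # Keycloak external-to-internal token exchange: a token issued by the
    # brokered IdP (named by its alias in Keycloak) is swapped for a realm token.
    return urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": external_token,
        "subject_issuer": idp_alias,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    })


def post_form(token_endpoint, body):
    # OAuth error replies arrive as HTTP 400 with a JSON body; return that body
    # too instead of letting urllib raise and hide it.
    req = urllib.request.Request(token_endpoint, data=body.encode(), headers=FORM, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode() or "{}")


def summarize(reply):
    # "error:<code>" (invalid_grant = used code or wrong redirect_uri,
    # invalid_client = wrong client_id/secret) or "ok:<token_type>".
    if "error" in reply:
        return "error:" + reply["error"]
    return "ok:" + reply.get("token_type", "?")
```

Call `summarize(post_form("https://<idp-host>/connect/token", code_exchange_body(...)))` with the values from the Keycloak IDP configuration and the code from the failing URL; an `error:` result names the misconfiguration.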