From af9686e06a1aa98b315e1a15cf048e2a8e47d458 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Wed, 16 Nov 2016 19:04:47 +0100 Subject: [PATCH] KEYCLOAK-3731 Identity broker IDP-initiated SSO --- topics/clients/saml/idp-initiated-login.adoc | 20 ++++++++++++++++++++ topics/identity-broker/saml.adoc | 1 + 2 files changed, 21 insertions(+) diff --git a/topics/clients/saml/idp-initiated-login.adoc b/topics/clients/saml/idp-initiated-login.adoc index 2a813bf216..9e08566ff8 100644 --- a/topics/clients/saml/idp-initiated-login.adoc +++ b/topics/clients/saml/idp-initiated-login.adoc 
@@ -10,3 +10,23 @@ If your client requires a special relay state, you can also configure this on th Alternatively, browsers can specify the relay state in a `RelayState` query parameter, i.e. `root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate`. +When using <<_identity_broker,identity brokering>>, it is possible to set up an IDP Initiated Login for a client from an +external IDP. The actual client is set up for IDP Initiated Login at broker IDP as described above. The external IDP has +to set up the client for application IDP Initiated Login that will point to a special URL pointing to the broker and +representing IDP Initiated Login endpoint for a selected client at the brokering IDP. This means that in client settings +at the external IDP: + +* `IDP Initiated SSO URL Name` is set to a name that will be published as IDP Initiated Login initial point, +* `Assertion Consumer Service POST Binding URL` in the `Fine Grain SAML Endpoint Configuration` section has + to be set to the following URL: + `broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}`, where: + + ** _broker-root_ is base broker URL + ** _broker-realm_ is name of the realm at broker where external IDP is declared + ** _idp-name_ is name of the external IDP at broker + ** _client-id_ is the value of `IDP Initiated SSO URL Name` attribute of the SAML client defined at broker. It is + this client, which will be made available for IDP Initiated Login from the external IDP. + +Please note that you can import basic client settings from the brokering IDP into client settings of the external IDP - +just use <<_identity_broker_saml_sp_descriptor,SP Descriptor>> available from the settings of the identity provider in +the brokering IDP, and add `clients/_client-id_` to the endpoint URL. diff --git a/topics/identity-broker/saml.adoc b/topics/identity-broker/saml.adoc index 94a30088a1..360b4eb03f 100644 --- a/topics/identity-broker/saml.adoc 
+++ b/topics/identity-broker/saml.adoc @@ -60,6 +60,7 @@ This link is an XML document describing metadata about the IDP. You can also import all this configuration data by providing a URL or XML file that points to the entity descriptor of the external SAML IDP you want to connect to. +[[_identity_broker_saml_sp_descriptor]] ==== SP Descriptor Once you create a SAML provider, there is an `EXPORT` button that appears when viewing that provider.
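Review bot: In the first hunk (idp-initiated-login.adoc) the placeholder `{client-id}` in `broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}` is misleading, because the bullet below it says the value is the client's `IDP Initiated SSO URL Name`, not its Client ID; the unchanged context just above already uses `{url-name}` for that same value (`root/auth/realms/{realm}/protocol/saml/clients/{url-name}`), so use `{url-name}` here and in the closing `clients/_client-id_` sentence so that an administrator configuring the external IDP does not paste the wrong identifier. The hunk also leaves two behaviours undocumented that an operator will hit: what the broker endpoint does when the `clients/...` segment does not match any client with `IDP Initiated SSO URL Name` set in that realm (it should be rejected rather than silently falling back to the ordinary brokering flow, and the text should say so), and whether a `RelayState` sent by the external IDP is honoured or replaced by the relay state configured on the broker-side client, since the paragraph at the top of this section tells readers to rely on `RelayState`.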
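Review bot: In the second hunk (saml.adoc) the new `[[_identity_broker_saml_sp_descriptor]]` anchor resolves the `<<_identity_broker_saml_sp_descriptor,SP Descriptor>>` xref added in idp-initiated-login.adoc, but that file also links `<<_identity_broker,identity brokering>>` and no matching anchor is added in this patch; confirm it already exists in the identity-broker topic or add `[[_identity_broker]]` in the same way, otherwise the docs build will report an unresolved cross-reference. It would also help to state here, next to the `EXPORT` button description, which element of the exported SP descriptor the other file's instruction to "add `clients/_client-id_` to the endpoint URL" applies to (the `Assertion Consumer Service POST Binding URL`, per the first hunk) rather than every endpoint in the document, so readers do not rewrite the logout endpoint as well.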