Merge pull request #52 from hmlnarik/KEYCLOAK-3731
KEYCLOAK-3731 Identity broker IDP-initiated SSO
This commit is contained in:
Bill Burke
GitHub
commit
1a63c2d0aa
2 changed files with 21 additions and 0 deletions
|
|
@ -10,3 +10,23 @@ If your client requires a special relay state, you can also configure this on th
|
||||||
Alternatively, browsers can specify the relay state in a `RelayState` query parameter, i.e.
|
Alternatively, browsers can specify the relay state in a `RelayState` query parameter, i.e.
|
||||||
`root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate`.
|
`root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate`.
|
||||||
|
|
||||||
|
When using <<_identity_broker,identity brokering>>, it is possible to set up an IDP Initiated Login for a client from an
|
||||||
|
external IDP. The actual client is set up for IDP Initiated Login at broker IDP as described above. The external IDP has
|
||||||
|
to set up the client for application IDP Initiated Login that will point to a special URL pointing to the broker and
|
||||||
|
representing IDP Initiated Login endpoint for a selected client at the brokering IDP. This means that in client settings
|
||||||
|
at the external IDP:
|
||||||
|
|
||||||
|
* `IDP Initiated SSO URL Name` is set to a name that will be published as IDP Initiated Login initial point,
|
||||||
|
* `Assertion Consumer Service POST Binding URL` in the `Fine Grain SAML Endpoint Configuration` section has
|
||||||
|
to be set to the following URL:
|
||||||
|
`broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}`, where:
|
||||||
|
|
||||||
|
** _broker-root_ is base broker URL
|
||||||
|
** _broker-realm_ is name of the realm at broker where external IDP is declared
|
||||||
|
** _idp-name_ is name of the external IDP at broker
|
||||||
|
** _client-id_ is the value of `IDP Initiated SSO URL Name` attribute of the SAML client defined at broker. It is
|
||||||
|
this client, which will be made available for IDP Initiated Login from the external IDP.
|
||||||
|
|
||||||
|
Please note that you can import basic client settings from the brokering IDP into client settings of the external IDP -
|
||||||
|
just use <<_identity_broker_saml_sp_descriptor,SP Descriptor>> available from the settings of the identity provider in
|
||||||
|
the brokering IDP, and add `clients/_client-id_` to the endpoint URL.
|
||||||
|
|
|
||||||
|
|
@ -60,6 +60,7 @@ This link is an XML document describing metadata about the IDP.
|
||||||
|
|
||||||
You can also import all this configuration data by providing a URL or XML file that points to the entity descriptor of the external SAML IDP you want to connect to.
|
You can also import all this configuration data by providing a URL or XML file that points to the entity descriptor of the external SAML IDP you want to connect to.
|
||||||
|
|
||||||
|
[[_identity_broker_saml_sp_descriptor]]
|
||||||
==== SP Descriptor
|
==== SP Descriptor
|
||||||
|
|
||||||
Once you create a SAML provider, there is an `EXPORT` button that appears when viewing that provider.
|
Once you create a SAML provider, there is an `EXPORT` button that appears when viewing that provider.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue