KEYCLOAK-3731 Identity broker IDP-initiated SSO
This commit is contained in:
parent
f9a63dde80
commit
af9686e06a
2 changed files with 21 additions and 0 deletions
@ -10,3 +10,23 @@ If your client requires a special relay state, you can also configure this on th
Alternatively, browsers can specify the relay state in a `RelayState` query parameter, i.e.
`root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate`.

When using <<_identity_broker,identity brokering>>, it is possible to set up an IDP Initiated Login for a client from an
external IDP. The actual client is set up for IDP Initiated Login at broker IDP as described above. The external IDP has
to set up the client for application IDP Initiated Login that will point to a special URL pointing to the broker and
representing IDP Initiated Login endpoint for a selected client at the brokering IDP. This means that in client settings
at the external IDP:

* `IDP Initiated SSO URL Name` is set to a name that will be published as IDP Initiated Login initial point,
* `Assertion Consumer Service POST Binding URL` in the `Fine Grain SAML Endpoint Configuration` section has
to be set to the following URL:
`broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}`, where:

** _broker-root_ is base broker URL
** _broker-realm_ is name of the realm at broker where external IDP is declared
** _idp-name_ is name of the external IDP at broker
** _client-id_ is the value of `IDP Initiated SSO URL Name` attribute of the SAML client defined at broker. It is
this client, which will be made available for IDP Initiated Login from the external IDP.

Please note that you can import basic client settings from the brokering IDP into client settings of the external IDP -
just use <<_identity_broker_saml_sp_descriptor,SP Descriptor>> available from the settings of the identity provider in
the brokering IDP, and add `clients/_client-id_` to the endpoint URL.
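Review bot: the placeholder `{client-id}` in `broker-root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}` is misleading, because the bullet that defines it says it is the value of `IDP Initiated SSO URL Name` of the SAML client at the broker, not the client's ID; the URL earlier in this same section already calls that value `{url-name}` (`.../protocol/saml/clients/{url-name}?RelayState=thestate`), so rename the placeholder to `{url-name}` here and in `clients/_client-id_` in the last paragraph, otherwise operators will paste the client ID and get a 404 from the broker endpoint. While here, the bullets read better as "is the base broker URL" and "is the name of the realm at the broker where the external IDP is declared", and it is worth saying explicitly that the `Assertion Consumer Service POST Binding URL` at the external IDP is this broker endpoint because the external IDP's SAML response is posted to the broker, which then continues the IDP Initiated Login for the named client, so the external IDP's signing certificate must already be configured on the `{idp-name}` provider in `{broker-realm}` for the response to be accepted.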
@ -60,6 +60,7 @@ This link is an XML document describing metadata about the IDP.

You can also import all this configuration data by providing a URL or XML file that points to the entity descriptor of the external SAML IDP you want to connect to.

[[_identity_broker_saml_sp_descriptor]]
==== SP Descriptor

Once you create a SAML provider, there is an `EXPORT` button that appears when viewing that provider.
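Review bot: the new anchor `[[_identity_broker_saml_sp_descriptor]]` matches the `<<_identity_broker_saml_sp_descriptor,SP Descriptor>>` xref added in the first hunk, so the cross-reference resolves; since that xref tells readers to take the exported descriptor and append `clients/_client-id_` to its endpoint URL, add one sentence after "there is an `EXPORT` button that appears when viewing that provider." saying that the exported descriptor carries the plain broker endpoint and that the `clients/...` suffix for IDP Initiated Login has to be added by hand before importing it at the external IDP, so readers arriving via the anchor do not import the descriptor unchanged and end up with the wrong Assertion Consumer Service URL.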