Keycloak with Okta IDP Initiated SSO Login

It is possible to set up an IDP Initiated Login for a client from an external IDP.

Well this has been a real adventure.

The Problem

This is what I was trying to achieve:

  1. User logs into Okta.
  2. Gets to Okta app screen.
  3. Clicks on an app link.
  4. App redirects to Keycloak for authentication.
  5. Keycloak redirects automatically to Okta.
  6. Okta sees the user is already logged in.
  7. Redirects back to Keycloak.
  8. Creates SAML assertion.
  9. Redirects back to the app.

Keep in mind that I’m not a SAML expert, therefore this might not be entirely correct.

This is what worked in the end:

  1. Create an app in Okta.
  2. Export Okta metadata.
  3. Create a new Keycloak Identity Provider by using Okta metadata (import a file).
  4. Export Keycloak metadata for the Identity Provider (Identity Provider > okta > Export > Download).
  5. Create a new Keycloak client by using Identity Provider metadata (import a file).
  6. Change Assertion Consumer Service POST Binding URL to your application URL.
  7. Change IDP Initiated SSO Relay State to your application URL.
  8. Set IDP Initiated SSO URL Name to “myapp-saml” (this is what I chose to use).

Application Details

For the sake of simplicity, I’m going to use the following URLs in this article:

  1. Application URL: https://example.com/lisenet
  2. Keycloak URL: https://example.com/auth
  3. Keycloak realm: lisenet
  4. Keycloak Identity Provider alias: okta
  5. IDP Initiated SSO URL Name: myapp-saml

1. Configure Okta App

Create an app in Okta and use details similar to the following (see here):

Single Sign On URL:

root/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

In our case the URL looks like this:

Single Sign On URL: https://example.com/auth/realms/lisenet/broker/okta/endpoint/clients/myapp-saml

Also set the following:

Audience Restriction: https://example.com/auth/realms/lisenet

At this stage the Single Sign On URL is not going to work because we have not configured Keycloak yet. But we already know what the URL will look like.

Download Okta metadata and save it as okta-metadata.xml. Note the Identity Provider SSO URL, it will look something like that (this isn’t a valid URL):

https://lisenet.okta.com/app/lisenetorg203009_lisenet_1/ekkgje4ihwL1QqFSx4u4/sso/saml

That’s how you get to your application.

2. Configure Keycloak Identity Provider

2.1 Authentication Flow

Create a new authentication flow for SAML. Log into Keycloak, navigate to Authentication > New.

Set Alias to SAML_First_Broker. Leave Top level flow type as generic.

Add executions to SAML_First_Broker flow:

  1. Add execution Create User if Unique.
  2. Add execution Automatically Set Existing User.

Set requirements to both the executions to ALTERNATIVE.

2.2 Identity Provider

Navigate to Identity Provider and add a new user-definer SAML 2.0 provider. Set the alias to okta, import metadata from file okta-metadata.xml and verify the Single Sign-On Service URL, it will look something like that (again, this isn’t a valid URL):

https://lisenet.okta.com/app/lisenetorg203009_lisenet_1/ekkgje4ihwL1QqFSx4u4/sso/saml

Set First Login Flow to SAML_First_Broker.

Set NameID Policy Format to Unspecified.

Save changes.

Click on the Export tab and download metadata (Identity Providers > okta > Export > Download), save it as kc-idp-metadata.xml.

3. Configure Keycloak Client

Create a new Keycloak client by using Keycloak’s Identity Provider metadata file kc-idp-metadata.xml.

Navigate to Clients > Create > Import (select metadata). This will populate the client config.

Configure the following, change values if they are already set:

  1. Client ID: https://example.com/auth/realms/lisenet (this should be created automatically)
  2. IDP Initiated SSO URL Name: myapp-saml
  3. IDP Initiated SSO Relay State: https://example.com/lisenet
  4. Assertion Consumer Service POST Binding URL: https://example.com/lisenet

Save changes. After this you can reference your client at the following URL:

https://example.com/auth/realms/lisenet/protocol/saml/clients/myapp-saml

Verify that the application is available. If this does not load the app login screen then you will have to debug. If this works, you can try logging in using Okta IDP Initiated SSO Login.

Note that the Relay State is the URL that users will be directed to after a successful authentication through SAML.

References

https://www.keycloak.org/docs/11.0/server_admin/#idp-initiated-login

http://keycloak-user.88327.x6.nabble.com/keycloak-user-Keycloak-amp-Okta-td2803.html

https://stackoverflow.com/questions/54785427/idp-initiated-sso-using-keycloak

https://issues.redhat.com/browse/KEYCLOAK-5976

https://support.okta.com/help/s/article/Common-SAML-Terms

4 thoughts on “Keycloak with Okta IDP Initiated SSO Login

  1. Hi Tomas , we have followed the above steps and implemented idp intiated sso. But when redirecting back from IDP , Our keycloak is not able to process the saml response it thorws internal server error.

Leave a Reply

Your email address will not be published. Required fields are marked *