Keycloak with Initiated SSO Login for Okta IDP Linux Security Linux Security



It’s attainable to arrange an IDP Initiated Login for a consumer from an exterior IDP.

Nicely this has been an actual journey.

The Drawback

That is what I used to be attempting to realize:

  1. Consumer logs into Okta.
  2. Will get to Okta app display screen.
  3. Clicks on an app hyperlink.
  4. App redirects to Keycloak for authentication.
  5. Keycloak redirects routinely to Okta.
  6. Okta sees the person is already logged in.
  7. Redirects again to Keycloak.
  8. Creates SAML assertion.
  9. Redirects again to the app.

Take into account that I’m not a SAML skilled, subsequently this may not be completely right.

That is what labored ultimately:

  1. Create an app in Okta.
  2. Export Okta metadata.
  3. Create a brand new Keycloak Id Supplier by utilizing Okta metadata (import a file).
  4. Export Keycloak metadata for the Id Supplier (Id Supplier > okta > Export > Obtain).
  5. Create a brand new Keycloak consumer by utilizing Id Supplier metadata (import a file).
  6. Change Assertion Client Service POST Binding URL to your utility URL.
  7. Change IDP Initiated SSO Relay State to your utility URL.
  8. Set IDP Initiated SSO URL Identify to “myapp-saml” (that is what I selected to make use of).

Utility Particulars

For the sake of simplicity, I’m going to make use of the next URLs on this article:

  1. Utility URL:
  2. Keycloak URL:
  3. Keycloak realm: lisenet
  4. Keycloak Id Supplier alias: okta
  5. IDP Initiated SSO URL Identify: myapp-saml

1. Configure Okta App

Create an app in Okta and use particulars just like the next (see right here):

Single Signal On URL:


In our case the URL seems like this:

Single Signal On URL:

Additionally set the next:

Viewers Restriction:

At this stage the Single Signal On URL will not be going to work as a result of now we have not configured Keycloak but. However we already know what the URL will appear to be.

Obtain Okta metadata and put it aside as okta-metadata.xml. Observe the Id Supplier SSO URL, it’s going to look one thing like that (this isn’t a sound URL):

That’s the way you get to your utility.

2. Configure Keycloak Id Supplier

2.1 Authentication Stream

Create a brand new authentication circulation for SAML. Log into Keycloak, navigate to Authentication > New.

Set Alias to SAML_First_Broker. Depart Prime stage circulation sort as generic.

Add executions to SAML_First_Broker circulation:

  1. Add execution Create Consumer if Distinctive.
  2. Add execution Routinely Set Current Consumer.

Set necessities to each the executions to ALTERNATIVE.

Keycloak with Initiated SSO Login for Okta IDP Linux Security Linux Security

2.2 Id Supplier

Navigate to Id Supplier and add a brand new user-definer SAML 2.Zero supplier. Set the alias to okta, import metadata from file okta-metadata.xml and confirm the Single Signal-On Service URL, it’s going to look one thing like that (once more, this isn’t a sound URL):

Set First Login Stream to SAML_First_Broker.

Set NameID Coverage Format to Unspecified.

Save modifications.

Click on on the Export tab and obtain metadata (Id Suppliers > okta > Export > Obtain), put it aside as kc-idp-metadata.xml.

3. Configure Keycloak Shopper

Create a brand new Keycloak consumer by utilizing Keycloak’s Id Supplier metadata file kc-idp-metadata.xml.

Navigate to Shoppers > Create > Import (choose metadata). It will populate the consumer config.

Configure the next, change values if they’re already set:

  1. Shopper ID: (this ought to be created routinely)
  2. IDP Initiated SSO URL Identify: myapp-saml
  3. IDP Initiated SSO Relay State:
  4. Assertion Client Service POST Binding URL:

Save modifications. After this you possibly can reference your consumer on the following URL:

Confirm that the appliance is on the market. If this doesn’t load the app login display screen then you’ll have to debug. If this works, you possibly can strive logging in utilizing Okta IDP Initiated SSO Login.

Observe that the Relay State is the URL that customers can be directed to after a profitable authentication by means of SAML.


wildfly saml sso,picketlink,okta 404 page not found,okta login page not loading,okta developer console login,okta 400 error,okta redirect url after login,okta 400 bad saml request,aws saml federation step by step,aws iam integration with okta,aws control tower okta-integration,aws sso ldap,cognito active directory,laravel sso miniorange,how to fix saml error,blackboard saml,invalid saml token aem,saml assertion signature is invalid,adfs saml response example,install saml message decoder,php saml sso example,php sso active directory,phpipam saml,php single sign-on multiple domains,lightsaml,single sign on php codeigniter,okta single sign on not working,saml,okta authorization-code/callback 404,okta implicit/callback 404

Latest Posts