Hello there,
Sorry for this novice question, I’m having a hard time trying to do something that should be quite basic, and most docs and articles I can find online are AI-written stuff that is not helping, so I assumed I might as well ask.
I have a .NET ASP.NET web app hosted under Kubernetes. I want to add support for logging in users from external domains using SSO login to my app. Keycloak seems like a perfect candidate. I do not want to use Keycloak as a provider for multiple apps, only my public-facing web app.
I installed it, added my app as an OIDC client in Keycloak, managed to configure dotnet to point to it when requesting a challenge, and it actually works great! It redirects to Keycloak, I log in with a temporary user I manually created in the Keycloak service, and it redirects to my app with the proper credentials.
Now I need to configure keycloak to be able to use users from external providers.
To be clear, I don’t want Keycloak to provide users to external providers (which is what most online articles seem to be about), so I do not want to add a SAML client in Keycloak, right? I want external users to be accepted in my Keycloak instance, so I want to add a new SAML “Identity provider” in Keycloak, right?
My first test is with the IT guys from my corporation; we want to use our SAML provider so that our local domain users can use my web app. They are using “Watchguard” as the authority service, and have successfully and easily integrated it with other SAML services like Miro and Atlassian and such.
They gave me a SAML Metadata XAML URL, which I added as an id provider in Keycloak successfully.
Now apparently, usually they also need to add a resource on their side to represent my app, with two required fields: Service Provider Identifier, and Assertion Consumer Service.
From the Keycloak IdProv entry I created, there’s a SAML metadata link, and one of the entries in the XML is <md:AssertionConsumerService>. So I assume that’s it. It looks like https://domain.com/realms/master/broker/idprovname/endpoint
Unfortunately that does not work. When I use Keycloak, I see the button to use that provider, and it redirects to their login page, with a “Service provider not found.” message. If I try to log in anyway, it then redirects to their webpage with a list of services their id prov is connected to instead of directly redirecting to Keycloak. One of them is Keycloak, but if I click the button it then goes back to Keycloak to the URL above (endpoint) with an “unexpected error” message.
I’m probably just missing something very obvious, but I’m kinda stuck now and don’t know how to progress.
On a separate question: do all external providers you add just appear as a “sign in with” button at the bottom of the Keycloak login page? That’s not desirable. Most apps just have a “sign in with SSO” and use the e-mail domain to determine which provider to use, or maybe check them all. I would not want to configure like 10 different corporate providers and have the people from corporation A see the button for corporation B. Isn’t it possible to just hide that button step and just use the email/password directly?
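As an added example (not code from the original post or from Keycloak), here is a small Python check that reads the SP metadata a Keycloak broker identity provider publishes and extracts the two values the IdP side asks for: the Service Provider Identifier (the entityID attribute) and the Assertion Consumer Service URL, then compares them with what was registered on the IdP side, since SAML matches both as exact strings. The XML inside is constructed placeholder data shaped like such a document, with domain.com and idprovname taken from the post; it is not the real metadata of any instance.

```python
"""Extract the SP entity ID and Assertion Consumer Service URL from the SP
metadata a Keycloak identity-provider broker publishes, and check an IdP-side
registration against them. SAMPLE_SP_METADATA is constructed placeholder data."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://domain.com/realms/master">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://domain.com/realms/master/broker/idprovname/endpoint"
        index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://domain.com/realms/master/broker/idprovname/endpoint" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

@dataclass(frozen=True)
class AcsEndpoint:
    binding: str
    location: str
    is_default: bool

def parse_sp_metadata(xml_text: str) -> tuple:
    # Return (entityID, list of ACS endpoints) from an SP EntityDescriptor.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [AcsEndpoint(e.attrib["Binding"], e.attrib["Location"],
                       e.attrib.get("isDefault", "false").lower() == "true")
           for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    if not acs:
        raise ValueError("no AssertionConsumerService in SPSSODescriptor")
    return root.attrib["entityID"], acs

def registration_problems(xml_text: str, idp_entity_id: str, idp_acs_url: str) -> list:
    """Compare what the IdP admin registered with what the SP metadata says.
    An IdP matches an incoming AuthnRequest to a registered SP by its Issuer (the
    entity ID) as an exact string, so a stray trailing slash breaks the match."""
    entity_id, acs = parse_sp_metadata(xml_text)
    problems = []
    if idp_entity_id != entity_id:
        problems.append(f"entity ID: IdP has {idp_entity_id!r}, metadata says {entity_id!r}")
    post_urls = {a.location for a in acs if a.binding == HTTP_POST}
    if idp_acs_url not in post_urls:
        problems.append(f"ACS URL: IdP has {idp_acs_url!r}, HTTP-POST endpoints are {sorted(post_urls)}")
    return problems
```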