Bonita Entreprise & SSO, is it possible to have multiple EntityID in the Keycloack file ?

Hello,

For a project, we try to have to ways to access the bonita platform.

One is with an internal link (let say https://link.internal.web DNS) and one with an internet  link (let says https//external.mysite.com).

So we setup eerything in order to achieve that, and without SSO, it's working. Yet, now, we try to activate SSO (Azure one).

On the SSO side, for one given EntityID, there can be only "go back" url. In this case, we have set it up so that we have the https//external.mysite.com/bonita/saml url.

But in this case, we loose the capacity to be redirected to internal link when coming from internal connection.

So the question I have is the following: Is it possible, in the keycloack-saml.xml file to have two <SP entityID=""> entries ? So that we can have one with <SP entityID="InternalLink"> part, and associated keys, and one with <SP entityID="externalLink"> part, and associated keys. And then declare two configurations on Azure side

Or any other setup that could do the job that we have Bonita sending back the user on the correct URL depending of its origin.

Thanks.

Hello,
From what I see in Keycloak documentation and XSD, it doesn't seem that you can have several SP nodes (and so severalEndityID) in keycloack-saml.xml.
Maybe one way to achieve this could be to have a reverse proxy that rewrite all the external URL requests to the internal one ? This way, SAML-side only the internal URL are known. Personally I would try to go with this solution.
HTH

Hi Xavier,

you may consider to use your keycloack IDP as a central point to check users identity, and as @anthony said, consider to use a reverse proxy to split internal/external users authent redirect