[keycloak-user] authentication provider and login override questions

Bill Burke bburke at redhat.com
Tue Dec 15 11:35:19 EST 2015



On 12/15/2015 8:36 AM, Johan Bos wrote:
> Hi,
>
> I can see Keycloak allows defining authentication based on the SAML protocol.
> My requirements are:
> a set of applications/clients secured by a Keycloak server
> roles/groups defined in Keycloak
> user/pass synchronization from Active Directory (optional - surely some mapping
> to retrieve some information)
>
> We need keycloak and like it: for the user management and authentication
> solution it provides to an application, in a simple way.
>
> 1) When an SSO is already in place.
> As the apps we provide are sometimes, but not always, integrated into a
> customer environment that already uses an SSO solution, I would like to know
> if my understanding is right:
> does the authentication module in Keycloak where you can define SAML
> providers delegate the SSO/login part to an external solution that
> will handle the authentication for it?
> A possible SSO is "Ping"; they say they are SAML compatible. Does that mean
> I only need the SSO URL and logout URL to try it?
>

Are you sure you need Keycloak server?  Your best bet, IMO, is to just 
use the already deployed SSO solution if you can't swap it out for 
Keycloak.  Our SAML client adapter should work with that SSO solution.

> 2) Since Keycloak provides the login pages for SSO:
> how do you integrate it with an application (Angular/J2EE) that already
> has its own, without removing it?
>

Keycloak login pages are themable.  You can change their look and feel. 
You can't reuse an existing app's login pages.


> Do you keep the basic J2EE setup so any client URL would be secured, and then,
> once authorized, the app continues to bring up its own login page?
> Does it mean the app should have a filter that implies some auto-connect,
> so the client side does not try to bring up the login and instead considers the
> user connected?
> Or does it mean using keycloak.js and following some Angular example where
> upon loading we first do everything from the JS side and make no
> change to the Java apps?
>

Use keycloak.js with your angular app.  There are examples that come 
with the distribution that show how to do this.

> 3) I tried to override the login flow, to make my own authenticator. I
> could see multiple ways to do it. My requirement is to have a
> supplementary field on the login page, because I need to authenticate
> and validate my username/pass/repo against a REST API that must be accessed in
> a secured way all the time, prior to giving access to my clients/realm.
>
> In order to make this, I ended up providing my own template (ftl), but
> then I could no longer use login.username in it, since
> createResponse (normal cases) is the only one that takes the formData and
> loads the LoginBean with it into the attributes. I was using my-page.ftl, so I
> could not use createLogin; instead I was using createForm.
> So even when I set the attribute with the "login" key based on the
> LoginBean, login.username was triggering an error.
>      forms.setAttribute("login", new LoginBean(formData));
>
> So whatever, I simply used "username" directly and it worked, but I
> don't know to what extent nor why. I am missing some knowledge of the FreeMarker
> API and how you compile it with POJO beans in a Map.
>

I am not following you at all :)


> 3bis) For my supplementary field, I need a dropdown box, and FreeMarker would
> need a collection to loop over. I thought I would have to pass a list of
> POJOs (to create a dropdown) in the "attributes" that are used to
> compile my template. In my template, I used "#list", but I could not get
> it to recognize my bean nor loop over it. It always considers it as not
> present.
>
> Here a sample of my authenticator that produce the new login form:
>

I could not reproduce your problem.  I did the following to the 
examples/providers/authenticator example:

* Edit line 42 of SecretQuestionAuthenticator:

         Response challenge = context.form().setAttribute("foo", 
"bar").createForm("secret-question.ftl");


* Edit line 11 of secret-question.ftl

<label for="totp" class="${properties.kcLabelClass!}">What is your mom's 
first name ${foo}</label>

added ${foo} and it prints out fine.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


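The pattern Bill describes above (set an attribute on context.form(), reference it from the .ftl) extends directly to the dropdown and the supplementary field asked about in 3 and 3bis. The following is an added example, not code from this thread, from the Keycloak distribution or from examples/providers/authenticator: a complete Authenticator that passes a List<String> as the attribute the template loops over with #list, reads the three submitted fields back in action(), and validates them against an external HTTPS endpoint. The package name, class names, the template name repo-login.ftl, the sample repository list, the endpoint and its status-code contract are all assumptions; the AuthenticatorFactory and the META-INF/services registration are the same boilerplate as in the shipped example and are not repeated. The getUserByUsername(username, realm) argument order is the 2015-era one.

```java
package example.repologin; // assumed package, not the Keycloak example's

import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Username + password + repository chosen from a dropdown. The template repo-login.ftl
 * (assumed name) renders the dropdown from the "repositories" attribute set in renderForm():
 *   <select name="repository">
 *     <#list repositories as repo><option value="${repo}">${repo}</option></#list>
 *   </select>
 * and posts back to ${url.loginAction}, exactly like the shipped secret-question.ftl.
 */
public class RepositoryLoginAuthenticator implements Authenticator {
    static final String TEMPLATE = "repo-login.ftl";
    // Constructed sample list; a real deployment would load it from the authenticator's config.
    static final List<String> REPOSITORIES = Arrays.asList("finance", "engineering", "hr");
    private final CredentialValidator validator;

    public RepositoryLoginAuthenticator(CredentialValidator validator) {
        this.validator = validator; // supplied by the AuthenticatorFactory (not shown)
    }

    @Override public void authenticate(AuthenticationFlowContext context) {
        context.challenge(renderForm(context, null));
    }

    @Override public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        String repository = form.getFirst("repository");
        // The dropdown value is client-controlled: accept only entries from the server-side list.
        if (username == null || password == null || !REPOSITORIES.contains(repository)) {
            reject(context);
            return;
        }
        boolean valid;
        try {
            valid = validator.validate(username, password, repository);
        } catch (IOException e) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR); // backend unreachable: fail closed
            return;
        }
        // Resolve the Keycloak account only after the external check, so "bad password" and
        // "no such account" get the same response (2015-era argument order: username, realm).
        UserModel user = valid ? context.getSession().users().getUserByUsername(username, context.getRealm()) : null;
        if (user == null) {
            reject(context);
            return;
        }
        context.setUser(user);
        context.success();
    }

    // "invalidUserMessage" is the stock message key from Keycloak's login theme.
    private void reject(AuthenticationFlowContext context) {
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                renderForm(context, "invalidUserMessage"));
    }

    private Response renderForm(AuthenticationFlowContext context, String errorKey) {
        if (errorKey == null) return context.form().setAttribute("repositories", REPOSITORIES).createForm(TEMPLATE);
        return context.form().setAttribute("repositories", REPOSITORIES).setError(errorKey).createForm(TEMPLATE);
    }

    @Override public boolean requiresUser() { return false; } // the user is resolved in action()
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Pluggable check of the triple against an external service; IOException means "could not decide". */
    public interface CredentialValidator {
        boolean validate(String username, String password, String repository) throws IOException;
    }

    /** Hypothetical HTTPS endpoint contract: POST the three fields; 200 = valid, 401/403 = rejected. */
    public static final class HttpsCredentialValidator implements CredentialValidator {
        private final URL endpoint;
        public HttpsCredentialValidator(URL endpoint) {
            if (!"https".equals(endpoint.getProtocol())) throw new IllegalArgumentException("endpoint must be https");
            this.endpoint = endpoint;
        }
        @Override public boolean validate(String username, String password, String repository) throws IOException {
            HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            String body = "username=" + URLEncoder.encode(username, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8")
                    + "&repository=" + URLEncoder.encode(repository, "UTF-8");
            try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
            int status = conn.getResponseCode();
            if (status == 200) return true;
            if (status == 401 || status == 403) return false;
            throw new IOException("unexpected status " + status + " from credential endpoint");
        }
    }
}
```

Two points worth keeping from this layout: the attribute handed to setAttribute is a plain java.util.List, which FreeMarker's default object wrapper exposes to #list without any bean plumbing, and the value that comes back from the dropdown is checked against that same server-side list before anything is sent to the backend, since a select element is no more trustworthy than a text field. Any failure to reach the validation service ends the flow with INTERNAL_ERROR rather than letting the user through.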