[keycloak-user] Force Keycloak to use external IdP as authentication mechanism

Mark Pardijs mark.pardijs at topicus.nl
Wed Feb 15 08:11:49 EST 2017


Maybe this helps: in the Browser authentication flow you can configure a Default Identity Provider in the Identity Provider Redirector execution.


On 15 Feb 2017, at 10:47, Jason B <jason at naidmincloud.com> wrote:

We have a requirement to disable local login (username/password) and allow
login through IdPs configured in the Identity Broker.
To test this scenario I have configured Salesforce as the SP and Keycloak as
the IdP. And in the IdP (Keycloak) I disabled "Forms" based login and configured an
external IdP as identity broker.
But this configuration results in an "Invalid username or password." error
in Keycloak. In the logs I observed the following stack trace.

01:36:06,532 WARN  [org.keycloak.services] (default task-40) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
   at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:795)
   at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
   at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
   at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:527)
   at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:523)
   at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:310)
   at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:221)
   at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:514)
   at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:536)
   at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
   at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
   at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
   at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
   at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
   at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
   at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
   at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
   at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
   at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
   at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
   at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
   at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
   at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
   at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
   at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
   at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
   at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
   at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
   at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
   at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
   at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
   at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
   at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
   at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)

01:36:06,532 WARN  [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://jason-dev-ed.my.salesforce.com?so=00D62000005vWGB, code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4


Any idea how to disable the username/password prompt during login and
force Keycloak to use the configured identity brokers?

Also, in case I have multiple external IdPs configured as identity brokers
in my Keycloak instance, is there any way to tell Keycloak to use a
particular external IdP (broker)? I know we can use the kc_idp_hint parameter.
This will be helpful during IdP-initiated SSO, but in the case of SP-initiated
SSO, how can we specify the default external IdP?

Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
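The configuration Mark describes (a Default Identity Provider on the Identity Provider Redirector execution of the browser flow, with the forms sub-flow disabled) can be scripted against the Keycloak Admin REST API. The example below is added here and is neither from the thread nor from the Keycloak project. It assumes a server URL, admin credentials and a broker alias (`corp-saml-idp`) that the original post does not give; the realm name `salesforce` comes from the LOGIN_ERROR event in the post and `browser` is Keycloak's built-in flow alias. The call plan is computed as a pure function over the executions list, so it can be checked offline against a constructed sample before anything is sent.

```python
"""Added example: point the browser flow at one external broker via the Admin REST API.

Not from the thread or the Keycloak project. Server URL, admin credentials and the
broker alias are assumptions; realm 'salesforce' and flow 'browser' match the post.
"""
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://keycloak.example.com/auth"  # assumption
REALM = "salesforce"           # realmId from the LOGIN_ERROR event in the post
FLOW_ALIAS = "browser"         # Keycloak's built-in browser flow
IDP_ALIAS = "corp-saml-idp"    # assumption: alias of the brokered external IdP
REDIRECTOR = "identity-provider-redirector"  # providerId of "Identity Provider Redirector"
REQUIREMENTS = {"REQUIRED", "ALTERNATIVE", "DISABLED"}


def find_execution(executions, provider_id=None, display_name=None):
    """Pick one row of GET /authentication/flows/{alias}/executions.
    Authenticators match on providerId; sub-flows such as 'forms' have none and match on displayName."""
    for execution in executions:
        if provider_id is not None and execution.get("providerId") == provider_id:
            return execution
        if display_name is not None and execution.get("displayName") == display_name:
            return execution
    raise LookupError(f"no execution for providerId={provider_id!r} displayName={display_name!r}")


def redirector_config(idp_alias, alias="default-idp"):
    """Body for POST /authentication/executions/{id}/config.
    'defaultProvider' is the key the redirector reads; with it set, it redirects
    to that broker instead of waiting for a kc_idp_hint."""
    return {"alias": alias, "config": {"defaultProvider": idp_alias}}


def with_requirement(execution, requirement):
    """Copy of an execution row with a new requirement (for PUT .../flows/{alias}/executions)."""
    if requirement not in REQUIREMENTS:
        raise ValueError(f"unknown requirement {requirement!r}")
    updated = dict(execution)
    updated["requirement"] = requirement
    return updated


def plan(executions, idp_alias):
    """Return the admin calls to make as (method, path, body); paths are relative to /admin/realms/{realm}."""
    redirector = find_execution(executions, provider_id=REDIRECTOR)
    forms = find_execution(executions, display_name="forms")
    calls = []
    if redirector["requirement"] != "ALTERNATIVE":   # the redirector must be able to satisfy the flow alone
        calls.append(("PUT", f"/authentication/flows/{FLOW_ALIAS}/executions", with_requirement(redirector, "ALTERNATIVE")))
    config = redirector_config(idp_alias)
    if redirector.get("authenticationConfig"):        # config already exists: update it in place
        config["id"] = redirector["authenticationConfig"]
        calls.append(("PUT", f"/authentication/config/{config['id']}", config))
    else:                                             # no config yet: create one on the execution
        calls.append(("POST", f"/authentication/executions/{redirector['id']}/config", config))
    if forms["requirement"] != "DISABLED":            # switch off local username/password login
        calls.append(("PUT", f"/authentication/flows/{FLOW_ALIAS}/executions", with_requirement(forms, "DISABLED")))
    return calls


def admin_token(username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_call(token, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{KEYCLOAK_URL}/admin/realms/{REALM}{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def apply(username, password, idp_alias=IDP_ALIAS):
    """Read the live browser flow and send the planned changes (needs a reachable server)."""
    token = admin_token(username, password)
    executions = admin_call(token, "GET", f"/authentication/flows/{FLOW_ALIAS}/executions")
    for method, path, body in plan(executions, idp_alias):
        admin_call(token, method, path, body)


# Constructed sample of the default browser flow as GET .../executions returns it (fields trimmed).
SAMPLE_EXECUTIONS = [
    {"id": "e1", "providerId": "auth-cookie", "displayName": "Cookie", "requirement": "ALTERNATIVE", "level": 0, "index": 0},
    {"id": "e2", "providerId": "auth-spnego", "displayName": "Kerberos", "requirement": "DISABLED", "level": 0, "index": 1},
    {"id": "e3", "providerId": REDIRECTOR, "displayName": "Identity Provider Redirector", "requirement": "ALTERNATIVE", "level": 0, "index": 2},
    {"id": "e4", "displayName": "forms", "authenticationFlow": True, "requirement": "ALTERNATIVE", "level": 0, "index": 3},
]

if __name__ == "__main__":
    for method, path, body in plan(SAMPLE_EXECUTIONS, IDP_ALIAS):
        print(method, path, json.dumps(body))
```

Two caveats worth checking after applying this. First, the default provider only changes the browser flow: a client with Direct Access Grants enabled can still authenticate local users by password through the token endpoint, so disable that on the realm's clients if the goal is no password login at all. Second, kc_idp_hint still overrides the default, so any other enabled broker in the realm remains reachable that way; keep only the intended brokers enabled. The browser flow is per realm, so the admin console in the master realm is unaffected by disabling forms in `salesforce`.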