[keycloak-user] Force Keycloak to use external IdP as authentication mechanism
Jason B
jason at naidmincloud.com
Mon Feb 20 09:49:57 EST 2017
Configuring a Default Identity Provider helped up to some extent.
Thanks!
On Thu, Feb 16, 2017 at 3:51 AM, Adam Keily <adam.keily at adelaide.edu.au>
wrote:
> It probably depends on how many IdP's you want to support. If you only
> have one, you can enable the setting in the IdP configuration for
> 'Authenticate by Default'. This will bypass the local login.
>
> You'll need to modify / copy the first broker login auth flow to create
> the user upon successful auth. Otherwise you'll get a failed login.
>
> Probably doesn't answer all your questions but hope it helps.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
> lists.jboss.org] On Behalf Of Jason B
> Sent: Wednesday, 15 February 2017 8:18 PM
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] Force Keycloak to use external IdP as
> authentication mechanism
>
> We have a requirement to disable local login (username/password) and allow
> login through IdPs configured in Identity broker.
> To test this scenario I have configured Salesforce as SP and Keycloak as
> IDP. And in IdP (keycloak) disabled "Forms" based login and configured an
> external IdP as identity broker.
> But this configuration resulting in "Invalid username or password." error
> in keycloak. In logs I observed following stack trace.
>
> 01:36:06,532 WARN [org.keycloak.services] (default task-40)
> KC-SERVICES0013: Failed authentication:
> org.keycloak.authentication.AuthenticationFlowException
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(
> AuthenticationProcessor.java:795)
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticate(
> AuthenticationProcessor.java:667)
> at
> org.keycloak.protocol.AuthorizationEndpointBase.
> handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
> at
> org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(
> SamlService.java:527)
> at
> org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(
> SamlService.java:523)
> at
> org.keycloak.protocol.saml.SamlService$BindingProtocol.
> loginRequest(SamlService.java:310)
> at
> org.keycloak.protocol.saml.SamlService$BindingProtocol.
> handleSamlRequest(SamlService.java:221)
> at
> org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.
> execute(SamlService.java:514)
> at
> org.keycloak.protocol.saml.SamlService.redirectBinding(
> SamlService.java:536)
> at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
> ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
> service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
> KeycloakSessionServletFilter.java:90)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHand
> ler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
> er.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
> er.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
> NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.
> java:202)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 01:36:06,532 WARN [org.keycloak.events] (default task-40)
> type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com
> ,
> userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials,
> auth_method=saml, redirect_uri= https://jason-dev-ed.my.salesforce.com?so=
> 00D62000005vWGB,
> code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4
>
>
> Any idea how to disable the username/password prompt during the login and
> force keycloak to use configured identity brokers?
>
> Also, in case I have multiple external IdPs configured as identity brokers
> in my keycloak instance is there any way to inform keycloak to use
> particular external IdP (broker). I know we can use kc_idp_hint parameter.
> This will be helpful during IdP initiated sso but in case it is a SP
> initiated SSO, how can we specify the default external IdP?
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list