[keycloak-user] R: R: Need to log in to all realms with unique admin users

Mattia Bello Mattia.Bello at horsa.it
Tue Oct 30 13:44:47 EDT 2018


Dmitrij,
          I'm continuing the tests to evaluate the solution, and I have a question:

I used identity broker mappers to assign special roles to users from the master realm.

However, on the master realm I have two types of users, technicians and external technicians.
Is it possible to choose a different role based on the fact that the user belongs to a different group (technicians group and external technicians group)?
I tried using the External Role to Role mapper type, but I do not understand how to do it.
Obviously, using the Hardcoded Role mapper type I can create roles for users, but I cannot distinguish the two different types.

Thanks for the help :)

Mattia Bello
Developer


Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile  (+39) 340 36 07 937
www.horsa.it

________________________________________
From: Mattia Bello
Sent: Tuesday, 30 October 2018 13:20
To: Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: R: R: [keycloak-user] Need to log in to all realms with unique admin users

Dmitrij,
           thanks for your detailed explanations; I followed them and managed to use the broker.
However, I could not use "Automatically Link Brokered Account". I did not understand what I have to do to enable it.

First of all, I upgraded the project dependency and the Keycloak server to version 4.5.0, so as to have all the features available.

Here are my doubts after having tried this solution:

1. If you are logged in to the master realm via the admin console site, when you click on the broker's link to log in to the client application with a master realm user, the master realm login is not displayed, because the account that is logged in at that time is used.
This implies the limitation of NOT being able to use the admin console site and the client application simultaneously.

2. After logging in using the broker's link on the client application, if I try to log out, the logout is done on the client application, but if I log in to the admin console site it detects my last login. It is as if I had NOT logged out of all clients (client application and admin console site).

3. Once logged in using the broker's link on the client application, the user is duplicated from the master realm to the client application's realm. So, I have a question: for the next accesses, will I always have to use the link, or will I only have to enter username and password in the client application's login form? Will any changes to the user on the master realm be automatically propagated to the duplicates on the other realms? In which cases, only when the broker link is used?

4. Is there not a way to share only the users' database, without having to have fifteen duplications on the realms other than the master one? For example, as a User Federation.

5. Are there any other possible solutions? Or do you have any suggestions to propose?

Thank you

Mattia Bello
Developer


Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile  (+39) 340 36 07 937
www.horsa.it

________________________________________
From: Dmitry Telegin [dt at acutus.pro]
Sent: Tuesday, 30 October 2018 05:18
To: Mattia Bello; keycloak-user at lists.jboss.org
Subject: Re: R: [keycloak-user] Need to log in to all realms with unique admin users

Ciao Mattia,

Let's assume your realm (non-master) is named "foo". Here are the steps:

1. In admin console, go to master realm -> clients -> broker -> Credentials, copy the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following:
 http://localhost:8180/auth/realms/master/.well-known/openid-configuration
and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like http://localhost:8180/auth/realms/foo/broker/master/endpoint );
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect URIs", click save.

After that, your users will be able to authenticate on non-master realms via the master realm. Upon the first successful login, the user will be presented with the Update Account Information form. If you want to bypass that, you can enable identity auto-linking.

For Keycloak 4.5.0, it's out of the box - just use "Automatically Link Brokered Account" authenticator in your first broker login flow.
For Keycloak <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
> Dmitry,
>            I found that information in master realm settings -> OpenID Endpoint Configuration link:
>
> {"issuer":"http://localhost:8180/auth/realms/master",
>  "authorization_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
>  "token_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
>  "token_introspection_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
>  "userinfo_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
>  "end_session_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
>  "jwks_uri":"http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
>  "check_session_iframe":"http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
>  "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
>  "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
>  "subject_types_supported":["public","pairwise"],
>  "id_token_signing_alg_values_supported":["RS256"],
>  "userinfo_signing_alg_values_supported":["RS256"],
>  "request_object_signing_alg_values_supported":["none","RS256"],
>  "response_modes_supported":["query","fragment","form_post"],
>  "registration_endpoint":"http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
>  "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],
>  "token_endpoint_auth_signing_alg_values_supported":["RS256"],
>  "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],
>  "claim_types_supported":["normal"],
>  "claims_parameter_supported":false,
>  "scopes_supported":["openid","address","email","offline_access","phone","profile"],
>  "request_parameter_supported":true,
>  "request_uri_parameter_supported":true,
>  "code_challenge_methods_supported":["plain","S256"],
>  "tls_client_certificate_bound_access_tokens":true
> }
>
> I used it to fill in the form, as you can see from the attached image.
>
> But, when I click on the TECNICO link in the login form, the Keycloak page returns this message:
>
> We're sorry...
> Invalid parameter: redirect_uri
>
> « Back to Application
>
> and the server logs are:
>
> 15:57:09,193 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint
>
> What am I doing wrong?
>
> Thank you
>
> Sent from Mail for Windows 10
>
> From: Dmitry Telegin
> Sent: Friday, 26 October 2018 03:29
> To: Mattia Bello; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
>
> Mattia,
>
> Thanks for your explanation, the problem is clear now.
>
> I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials.
>
> If you're ok with this additional step, this could be an easy solution.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker
>
> Dmitry
>
> On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> > Sorry,
> > I probably did not explain well.
> > I have a client application that is accessible from all realms.
> > I would like a master realm user to be able to access the client application of each realm, without creating users on each realm.
> > I tried this, but when I log in to the client application with the user created in the master realm, the login fails because it says that the user does not exist.
> > Reading the documentation, it is explained that the users created in the master realm are used to manage the realms as admins, so you can create new realms and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in the realms.
> > Is it possible to access the clients of the various realms with master realm users, without duplicating them in every realm, or not?
> > Thank you
> >
> > Get Outlook for Android
> >
> >
> >
> >
> > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt at acutus.pro> wrote:
> >
> > > Hello Mattia, answers inline,
> > >
> > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > > We have this situation:
> > > > 
> > > > master realm -> used to manage other realms
> > > > 
> > > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > > > 
> > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > > > 
> > > > we have to see all the retailers (realms), the companies (groups) and the users
> > > > 
> > > > How can I do it?
> > > > 
> > > > Can I create a master realm user and use it to access all the other realms?
> > >
> > > Yes you can. In fact, there is already such a user - it's admin that
> > > you've created on the first run. If you want more users with such an
> > > access in master realm, grant them "admin" realm role. If you look into
> > > "admin" role details, you'll see that it automatically includes all the
> > > client roles of *-realm clients, that's how it works under the hood.
> > >
> > > If you don't want to grant that powerful admin role, go to user -> Role
> > > mappings and assign the necessary client roles from the *-realm
> > > clients. The user will get access to the admin functions for that realm(s).
> > >
> > > > 
> > > > Or do I have to replicate the admin user in the master realm into all the other realms to use it to log in to that realm?
> > >
> > > This is possible too. Create a user in the target realm, go to Role
> > > mappings and assign the necessary roles from the realm-management
> > > client.
> > >
> > > Good luck,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > > 
> > > > Thanks to all
> > > > 
> > > > 
> > > > 
> > > > Mattia Bello
> > > > Developer
> > > > 
> > > > Horsa S.p.A.
> > > > Via Cadorna, 67
> > > > Vimodrone (MI)
> > > > Mobile  (+39) 340 36 07 937
> > > > http://www.horsa.it
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>



More information about the keycloak-user mailing list