[keycloak-user] Stuck configuring IdP broker
Manuel Waltschek
manuel.waltschek at prisma-solutions.at
Thu Feb 28 12:53:49 EST 2019
Dear KC Community,
My team and I have been stuck configuring a simple SAML service provider with Keycloak for at least half a year now.
Our use case is a simple SP-initiated login and both IdP- and SP-initiated logout. We deploy on WildFly 10 and we tried to use only the wildfly-saml-adapter, since the Keycloak server as a broker forces a first login flow, which we tried to skip. Unfortunately we couldn't get the Keycloak login module to get triggered and therefore we cannot obtain a login on the EJB tier. We made a workaround for this and managed to finally log in. After that, we found out that the logout does not work as expected. HttpRequest.logout() and setting the request param ?GLO=true do not work alone, since we have to combine them to get the logout request sent to the external IdP, but then we keep the session cookie in the SP alive and we cannot process the success message from the IdP.
So we finally decided to try out the Keycloak server, since we might be missing something. Unfortunately we just can't get it to work.
We are using nginx as a reverse proxy and configured the following:
location ^~ /auth/ {
    # Trailing slash keeps the /auth/ prefix intact upstream: with a bare
    # "/auth" nginx replaces the matched "/auth/" prefix by "/auth", so a
    # request for /auth/admin/ would be forwarded as /authadmin/.
    proxy_pass http://127.0.0.1:8180/auth/;
    # Headers Keycloak/Undertow uses (with proxy-address-forwarding=true)
    # to rebuild the public URL for redirects.
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
We also configured standalone.xml of keycloak as follows:
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <http-invoker security-realm="ApplicationRealm"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config/>
    <websockets/>
  </servlet-container>
  <handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
  </handlers>
</subsystem>
But we are stuck, since we cannot access the management/admin console of Keycloak over nginx: it redirects to localhost:8180/auth/admin (we are using a port offset).
Why does it do this? It might be the auth-server-url configuration of the master realm:
{"realm":"master","auth-server-url":"http://localhost:8180/auth","ssl-required":"external","resource":"security-admin-console","public-client":true,"confidential-port":0}
When I access the console over an SSH tunnel, the redirect works as expected (to localhost:8181).
But how could we change that confusing behaviour? We really need to log in over the proxy, since we need to configure an IdP whose redirect URI binds to the URI of the request in the browser (which is really confusing too).
Please help us; we decided to use Keycloak and we really have had a lot of trouble with it.
Regards,
Manuel Waltschek BSc.
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
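As an added illustration (not code from the original post, nor Keycloak's or Undertow's own), here is a small Python model of how a proxy-aware server rebuilds the public base URL from the X-Forwarded-* headers the nginx block above sets, and why it must honour them only when they arrive from a trusted proxy; the hostnames, header values and trusted-proxy list are constructed assumptions.

```python
"""Model of how a proxy-aware server rebuilds the public base URL from
X-Forwarded-* headers (constructed headers; not Keycloak/Undertow code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_base_url(headers, peer_ip, trusted_proxies,
                      listener="http://127.0.0.1:8180"):
    """Return scheme://host[:port] as the browser sees it.

    Forwarded headers are honoured only when the TCP peer is a trusted
    proxy; anyone else could set them and steer redirects elsewhere.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(listener).scheme
    host = h.get("host", urlsplit(listener).netloc)
    if peer_ip in trusted_proxies:
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        # nginx's $host:$server_port already carries the port; consult
        # X-Forwarded-Port only when the host value has none.
        if ":" not in host and "x-forwarded-port" in h:
            host = f"{host}:{h['x-forwarded-port']}"
    hostname, _, port = host.partition(":")
    if port.isdigit() and int(port) == DEFAULT_PORTS.get(scheme):
        port = ""  # default port is implied; keep the URL canonical
    return f"{scheme}://{hostname}" + (f":{port}" if port else "")


def admin_console_redirect(headers, peer_ip, trusted_proxies):
    """Where a redirect to the admin console points for this request."""
    return external_base_url(headers, peer_ip, trusted_proxies) + "/auth/admin/"


if __name__ == "__main__":
    proxy = {"127.0.0.1"}  # the nginx instance in front of Keycloak (assumed)
    via_nginx = {"Host": "sso.example.com:443",
                 "X-Forwarded-Host": "sso.example.com:443",
                 "X-Forwarded-Proto": "https",
                 "X-Forwarded-For": "198.51.100.7"}
    print(admin_console_redirect(via_nginx, "127.0.0.1", proxy))
    # Drop X-Forwarded-Proto: the scheme silently falls back to http.
    no_proto = {k: v for k, v in via_nginx.items() if k != "X-Forwarded-Proto"}
    print(admin_console_redirect(no_proto, "127.0.0.1", proxy))
    # Direct hit on the listener: only Host is available.
    print(admin_console_redirect({"Host": "localhost:8180"}, "127.0.0.1", proxy))
```

If the value computed from the headers your proxy actually sends is the listener address rather than the public name, the redirect you observe follows from that, so compare the two before touching realm settings.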