[keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?

Hans Zandbelt hans.zandbelt at zmartzone.eu
Mon Jan 28 15:29:23 EST 2019


with corrected subject now

On Mon, Jan 28, 2019 at 9:27 PM Hans Zandbelt <hans.zandbelt at zmartzone.eu>
wrote:

> Hey Ed,
>
> Ouch, bad NetIQ :-( apparently it considers the signature on the request
> as something unexpected, which it really shouldn't...
> However, you should be able to configure the signing certificate of
> Keycloak on the NetIQ side (which you needed to do anyway for the
> validation of the Logout requests) and make it "require" or "expect" signed
> authentication requests from the Keycloak SP.
>
> Hans.
>
> On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request at lists.jboss.org>
> wrote:
>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 28 Jan 2019 16:16:20 +0000
>> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
>> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
>>         LogoutRequest not working with NetIQ Access Manager because it is
>>         not signed?
>> To: keycloak-user <keycloak-user at lists.jboss.org>
>> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4 at info.nl>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Thanks Hans! :-)
>>
>> Unfortunately, with "Want AuthnRequests Signed?" enabled we can no longer
>> log in to the external IdP. I will check with the NetIQ provider people.
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 28 Jan 2019 14:51:26 -0200
>> From: Wagner <wagnerspi at gmail.com>
>> Subject: [keycloak-user]  Keycloak integration with django
>> To: keycloak-user at lists.jboss.org
>> Message-ID: <CAO0ino=wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hi there,
>>
>> I've been looking for ways to integrate keycloak with django, and have
>> found the django-keycloak project, but the docs are kind of limited.
>>
>> Can anyone point me in the direction of integrating it with an existing
>> django project? I don't want to use the django admin web interface to
>> configure it, but haven't found any other way to do so.
>>
>> Thanks,
>> Wagner
>>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Mon, 28 Jan 2019 13:04:58 -0500
>> From: Nhut Thai Le <ntle at castortech.com>
>> Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver
>>         class   on every request
>> To: keycloak-user <keycloak-user at lists.jboss.org>
>> Message-ID: <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=iE6nGV0JQ at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hello,
>>
>> We are using OsgiJaxrsBearerTokenFilterImpl of Keycloak 4.6 in our OSGi
>> environment to filter requests to our REST service as follows:
>>
>> import javax.annotation.Priority;
>> import javax.ws.rs.Priorities;
>> import javax.ws.rs.container.ContainerRequestFilter;
>> import javax.ws.rs.container.ContainerResponseFilter;
>> import javax.ws.rs.container.PreMatching;
>> import org.osgi.framework.BundleContext;
>> import org.osgi.service.component.annotations.Activate;
>> import org.osgi.service.component.annotations.Component;
>> import org.osgi.service.component.annotations.Reference;
>> import org.osgi.service.component.annotations.ServiceScope;
>> import org.slf4j.Logger;
>> import org.slf4j.LoggerFactory;
>> import static org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants.JAX_RS_NAME;
>> // Keycloak adapter and project-local imports (OsgiJaxrsBearerTokenFilterImpl,
>> // SessionService, DiagramConstants) were not included in the original post.
>>
>> @Component(
>>     service = { ContainerRequestFilter.class, ContainerResponseFilter.class },
>>     // PROTOTYPE scope as recommended by the OSGi JAX-RS Whiteboard specification
>>     scope = ServiceScope.PROTOTYPE,
>>     property = {
>>         "osgi.jaxrs.extension=true",
>>         JAX_RS_NAME + "=DiagramRestFilter",
>>         DiagramConstants.REST_APP_SELECT
>>     }
>> )
>> @PreMatching
>> @Priority(Priorities.AUTHENTICATION)
>> public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
>>         implements ContainerResponseFilter {
>>     private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
>>     private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
>>     private final Logger log = LoggerFactory.getLogger(getClass());
>>
>>     @Reference
>>     private SessionService sessionService;
>>
>>     @Activate
>>     public void activate(BundleContext bundleContext) {
>>         log.trace("Activating {}", getClass()); //$NON-NLS-1$
>>         // The resolver is configured by class name; the Keycloak filter
>>         // instantiates it when the filter is initialized.
>>         setKeycloakConfigResolverClass(
>>             "com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$
>>         setBundleContext(bundleContext);
>>     }
>>
>>     // The filter(...) implementations and the rest of the class were not
>>     // included in the original post.
>> }
>>
>> As you can see, we set the filter scope to PROTOTYPE as recommended by the
>> OSGi Compendium (
>> https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685
>> ), but we see the following line printed many times when the server starts:
>>
>> INFO: Using
>> com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver at 738e48f7
>> to resolve Keycloak configuration on a per-request basis.
>>
>> Does that mean the config resolver is being instantiated for each request?
>> Since the configuration never changes, would it make sense to instantiate
>> this config resolver only once?
>>
>> Thai Le
>>
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Mon, 28 Jan 2019 21:00:02 +0100
>> From: Marek Posolda <mposolda at redhat.com>
>> Subject: Re: [keycloak-user] User sessions in DB
>> To: Lukasz Lech <l.lech at ringler.ch>,    "keycloak-user at lists.jboss.org"
>>         <keycloak-user at lists.jboss.org>
>> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01 at redhat.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> On 28/01/2019 16:30, Lukasz Lech wrote:
>> > Hello,
>> >
>> > I'm using Keycloak docker image for 4.8.1
>> >
>> > I have logged in users, but in DB, I see no entries in user_session.
>> That is expected. The USER_SESSION table is probably something like a
>> tombstone of some previous implementation. User sessions are not saved
>> in the DB.
>> >
>> > Additionally, after the server had been running for some time, I got an NPE in
>> > RealmAdminResource.getClientSessionStats:614 when trying to navigate to the
>> > Sessions item in the menu of the Admin Console.
>>
>> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
>> exact steps to reproduce).
>>
>> Thanks,
>> Marek
>>
>> >
>> > Are there any issues with JPA cache?
>> >
>> > Best regards,
>> > Lukasz Lech
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Mon, 28 Jan 2019 21:07:05 +0100
>> From: Marek Posolda <mposolda at redhat.com>
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>>         not in Active Directory domain
>> To: Dmitry Telegin <dt at acutus.pro>, Chris Smith
>>         <chris.smith at cmfirstgroup.com>, "keycloak-user at lists.jboss.org"
>>         <keycloak-user at lists.jboss.org>
>> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67 at redhat.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> +1
>>
>> GSSCredential is used just during SPNEGO authentication. You may
>> possibly change the built-in authentication flows or userStorage
>> provider, so that after verification with username/password, the
>> GSSCredential will be somehow obtained from the JAAS Subject used for
>> the authentication (See class KerberosUsernamePasswordAuthenticator for
>> the details).
>>
>> However I am not sure if this is really possible and it will require
>> some more deep-dive into the Keycloak codebase and Kerberos
>> implementation in JDK... Just a hint...
>>
>> Marek
>>
>> On 28/01/2019 07:21, Dmitry Telegin wrote:
>> > Hello Chris,
>> >
>> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
>> sure it's possible at all to obtain it outside of Kerberos context, like
>> e.g. via pure LDAP authentication.
>> >
>> > Cheers,
>> > Dmitry
>> >
>> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> >> Does anyone have feedback about getting a delegated GSSCredential?
>> >>
>> >> -----Original Message-----
>> >>> From: keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> >> Sent: Wednesday, January 23, 2019 10:12 PM
>> >> To: keycloak-user at lists.jboss.org
>> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>> not in Active Directory domain
>> >>
>> >> Here is a Diagram of what I'm trying to do
>> >>
>> >> From: Chris Smith
>> >> Sent: Wednesday, January 23, 2019 8:08 AM
>> >>>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> >> Subject: Get a GSSCredential when user browser is not in Active
>> Directory domain
>> >>
>> >> I have set up my servlet to authenticate users of my web app using
>> >> Keycloak Active Directory LDAP user federation.
>> >>
>> >> I can get a Delegated GSSCredential when the SPNEGO enabled
>> >> browser runs on a workstation in the AD domain.
>> >> When the browser workstation is not a member of the AD Domain,
>> >> Keycloak will authenticate the user id and password entered on the keycloak
>> >> login page, but there will not be a Delegated GSSCredential in the Access
>> >> Token in my servlet.
>> >>
>> >> I have a requirement to use the GSSCredential to call programs on an
>> >> IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a
>> >> Kerberos Ticket from Active Directory as an authenticated credential (aka
>> >> EIM, Enterprise Identity Mapping).
>> >>
>> >> Less than 1% of the users will be using browsers on workstations in
>> >> the Active Directory domain.
>> >>
>> >> Can Keycloak put a GSSCredential for the logged in user in the Access
>> >> Token when SPNEGO is not available from the browser?
>> >>
>> >>
>> >>
>>
>>
>>
>>
>> ------------------------------
>>
>> End of keycloak-user Digest, Vol 61, Issue 39
>> *********************************************
>>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
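Hans's advice above turns on two facts: Keycloak, acting as an SP towards NetIQ, signs its LogoutRequests, and the IdP side has to be told which certificate to expect. When a logout is rejected, the first thing to establish is which binding the request arrived on and whether, and how, it is signed. The script below is an added illustration of exactly that check; it is not code from this thread, from Keycloak or from NetIQ, and every hostname, ID and signature value in it is a constructed sample. It decodes a SAML 2.0 protocol message as an IdP receives it over the HTTP-Redirect binding (DEFLATE + base64 + URL-encoding, signature carried in the `SigAlg` and `Signature` query parameters) or the HTTP-POST binding (base64 form field, enveloped `ds:Signature` inside the XML). For the Redirect binding it reconstructs the exact octet string the signature covers; for the POST binding it checks that the signature's Reference points at the message's own ID. It goes slightly beyond the thread in that it handles any protocol message (AuthnRequest, LogoutRequest, Response), not only LogoutRequest. It does not verify the signature bytes themselves, which needs the SP's certificate and a crypto library.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def decode_redirect_payload(encoded):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encoding.
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def redirect_signed_input(query):
    # Rebuild the octet string a Redirect-binding signature covers, per the SAML Bindings
    # spec: SAMLRequest=<v>&RelayState=<v>&SigAlg=<v> (RelayState only if present), with
    # the values URL-encoded exactly as received; re-encoding changes the signed bytes.
    raw = dict(p.split("=", 1) for p in query.lstrip("?").split("&") if "=" in p)
    key = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if key not in raw or "SigAlg" not in raw or "Signature" not in raw:
        return None  # unsigned (or malformed) message
    parts = [f"{key}={raw[key]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts)


def inspect_message(xml_text):
    # Message type, identifiers and any enveloped XML-DSig signature.
    root = ET.fromstring(xml_text)
    info = {"type": root.tag.split("}", 1)[-1], "id": root.get("ID"),
            "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
            "name_id": (root.findtext(f"{{{SAML}}}NameID") or "").strip() or None,
            "enveloped_signature": False, "signature_method": None,
            "reference_uri": None, "reference_matches_id": None}
    sig = root.find(f"{{{DS}}}Signature")
    if sig is not None:
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        info["enveloped_signature"] = True
        info["signature_method"] = method.get("Algorithm") if method is not None else None
        info["reference_uri"] = ref.get("URI") if ref is not None else None
        # The Reference must point at this element's own ID; anything else means the
        # signature covers some other node (the classic signature-wrapping warning sign).
        info["reference_matches_id"] = info["reference_uri"] == "#" + (info["id"] or "")
    return info


def inspect_redirect(query):
    qs = urllib.parse.parse_qs(query.lstrip("?"))
    key = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    info = inspect_message(decode_redirect_payload(qs[key][0]))
    info.update(binding="HTTP-Redirect", sig_alg=qs.get("SigAlg", [None])[0],
                signed_input=redirect_signed_input(query))
    info["signed"] = info["signed_input"] is not None
    return info


def inspect_post(form):
    key = "SAMLRequest" if "SAMLRequest" in form else "SAMLResponse"
    info = inspect_message(base64.b64decode(form[key]).decode("utf-8"))
    info.update(binding="HTTP-POST", signed=info["enveloped_signature"])
    return info


def build_redirect_query(xml_text, relay_state=None, sig_alg=None, signature=None):
    # Encode a message the way an SP does for the Redirect binding (sample-data helper).
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = [("SAMLRequest", base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode())]
    params += [(k, v) for k, v in (("RelayState", relay_state), ("SigAlg", sig_alg),
                                   ("Signature", signature)) if v is not None]
    return urllib.parse.urlencode(params)


def build_post_form(xml_text):
    return {"SAMLRequest": base64.b64encode(xml_text.encode()).decode()}


# Constructed sample: an unsigned LogoutRequest as an SP would send it to an IdP.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_sample_1" Version="2.0" '
    'IssueInstant="2019-01-28T20:00:00Z" Destination="https://idp.example.test/saml/slo">'
    "<saml:Issuer>https://sp.example.test/auth/realms/demo</saml:Issuer>"
    "<saml:NameID>user-1</saml:NameID><samlp:SessionIndex>sess-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
# Same message with a placeholder enveloped signature (POST binding). DigestValue and
# SignatureValue are dummies, so only the structural checks are exercised here.
SIGNED_LOGOUT_REQUEST = LOGOUT_REQUEST.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/><ds:Reference URI="#ID_sample_1">'
    "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>")

if __name__ == "__main__":
    print(inspect_redirect(build_redirect_query(LOGOUT_REQUEST, "ks1", RSA_SHA256, "AAAA")))
    print(inspect_post(build_post_form(SIGNED_LOGOUT_REQUEST)))
```

Run it against a captured logout URL (`inspect_redirect(url.split("?", 1)[1])`) or a captured POST body to see whether the request is signed at all and which algorithm the SP used; a `signed_input` that was rebuilt from re-encoded values, or a POST Reference that does not match the message ID, are the two mistakes that most often make a correctly signed request look invalid to the receiving side.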

