FYI, heads up:
A major change to our Keycloak saml client adapter is coming (PR
building right now). Basically you'll need to register a specific
endpoint with your IDPs. Before it was really any secure URL. You must
now register /saml.
The reason for this is that SAML POST binding would eat the HttpRequest
input stream for any secured URL. This can be bad if you are uploading
to a secure URL :)
JBoss, a division of Red Hat
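The behaviour described in the message above, modelled as an added example (not Keycloak adapter code and not part of the original post): a request body is a one-shot stream, so an adapter that parses form parameters on every secured URL leaves nothing for the application, while one that only inspects /saml does not. The Request class, the method names and the sample path and payload are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class SamlEndpointDemo {
    // Minimal stand-in for an HTTP request: a path plus a body that can be read once.
    static final class Request {
        final String path;
        final InputStream body;
        Request(String path, String body) {
            this.path = path;
            this.body = new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Form parsing: drains the body to look for a POST-binding parameter.
    static boolean hasSamlParameter(Request r) throws IOException {
        String form = new String(r.body.readAllBytes(), StandardCharsets.UTF_8);
        for (String pair : form.split("&")) {
            String name = pair.split("=", 2)[0];
            if (name.equals("SAMLResponse") || name.equals("SAMLRequest")) return true;
        }
        return false;
    }

    // Old behaviour from the message: every secured URL is inspected.
    static void inspectEverySecuredUrl(Request r) throws IOException {
        hasSamlParameter(r);
    }

    // New behaviour: only the registered /saml endpoint is inspected.
    static void inspectSamlEndpointOnly(Request r) throws IOException {
        if (r.path.endsWith("/saml")) hasSamlParameter(r);
    }

    // What the application's own handler (e.g. an upload) can still read.
    static int bytesLeftForApplication(Request r) throws IOException {
        return r.body.readAllBytes().length;
    }

    public static void main(String[] args) throws IOException {
        String upload = "constructed upload payload"; // constructed sample body
        Request a = new Request("/app/upload", upload);
        inspectEverySecuredUrl(a);
        System.out.println("inspect every URL:  " + bytesLeftForApplication(a) + " bytes left");
        Request b = new Request("/app/upload", upload);
        inspectSamlEndpointOnly(b);
        System.out.println("inspect /saml only: " + bytesLeftForApplication(b) + " bytes left");
    }
}
```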
I am trying to set up keycloak with pentaho 6 which uses spring 2.5 security. The application server on which pentaho war runs is Tomcat 8. For that I will need the spring adapter with the dependencies. Could you direct me to the download link for the same? Pentaho now supports CAS. Do we have any documentation for implementing keycloak with pentaho 6? I have attached the spring security xml of pentaho and also the cas xml for SSO.
On checking with Pentaho on integration with keycloak they replied as given below:
"If Keycloak can authenticate a visitor via a webservice, you can write the Spring Security based Pentaho extensions to authenticate using Keycloak. Again, we don't directly support Keycloak, but I can give you information about how to switch to a web services based authentication and authorization system."
It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
Our case is that we want to have ‘functional admin’ users that are allowed to manage users and groups within their realm (and nothing else).
I have now created such a functional admin user with the following client roles in this particular realm:
When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I click on it I get a “Forbidden. You don't have access to the requested resource.” and in the logs we see:
4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?
I have read a couple of posts on (JBoss) logging configuration for Spring
Boot but so far nothing is giving me DEBUG level output.
I am trying to track down a keycloak Spring Boot issue.
Does anyone have an example they can point me to?
I am running some tests with my application cluster being secured by a
single keycloak server instance and I encountered problems with the adapter.
My application cluster contains 2 nodes and is load balanced by nginx.
For testing purposes, I enabled round robin load balancing which is
probably the "cause" for my issues.
When I access a secured page, I get redirected to keycloak and
everything is fine. When I then login, and keycloak redirects me back to
the application, I get to a different application cluster node because
of round robin. On that node, apparently the initial information of the
client session is not available and I get redirected to keycloak login
page again. Then keycloak redirects me back to the application, this
time to the original node, and says that access is forbidden.
I suppose the web session caches are not in sync but I just used the
default cache containers as they are defined in standalone-ha.xml of my
Wildfly 10 CR4. Clustering with jgroups works, as I use other
distributed caches too which work just fine.
We are using Keycloak 1.8.0.CR2 on a Wildfly 10 CR4
2016-01-26 17:45 GMT-02:00 <keycloak-dev-request(a)lists.jboss.org>:
> Do you can an exception stacktrace on app or auth server?
There is nothing in any log... neither Wildfly 10 (where my app is
deployed) nor Keycloak Server (actually is a cluster with two instances... I
look into the two server.log files). The only line is written in Wildfly
16:10:23,145 WARN [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-66) No state cookie
Alex Gouvea Vasconcelos