saml client adapter changes incoming in 1.9
by Bill Burke
FYI, heads up:
A major change to our Keycloak saml client adapter is coming (PR
building right now). Basically you'll need to register a specific
endpoint with your IDPs. Before it was really any secure URL. You must
now register /saml.
i.e.
https://example.com/<context-root>/saml
The reason for this is that SAML POST binding would eat the HttpRequest
input stream for any secured URL. This can be bad if you are uploading
to a secure URL :)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 2 months
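A simplified model of the problem described in the post above, added here as an illustration and not taken from the Keycloak adapter code. The `Request` class, both adapter functions, the `/app` context root and the sample bodies are all constructed for this example; it assumes that looking up a form parameter drains the request body, which is the behaviour the post calls "eating" the input stream.

```python
import io
from urllib.parse import parse_qs

class Request:
    """Minimal stand-in for a servlet request: the body is a one-shot stream."""
    def __init__(self, method, path, body=b""):
        self.method, self.path = method, path
        self.stream = io.BytesIO(body)

    def form_params(self):
        # Parsing form parameters reads the stream to the end.
        return parse_qs(self.stream.read().decode("latin-1"))

def adapter_any_url(req):
    """Model of the old behaviour: look for a SAML message on every secured POST."""
    if req.method == "POST":
        return "SAMLResponse" in req.form_params()
    return False

def adapter_saml_endpoint(req, context_root="/app"):
    """Model of the new behaviour: only the registered /saml endpoint is parsed."""
    if req.method == "POST" and req.path == context_root + "/saml":
        return "SAMLResponse" in req.form_params()
    return False

def upload_handler(req):
    # Application code that expects to read the raw request body itself.
    return req.stream.read()

def handle(adapter, method, path, body):
    """Run the adapter check, then the application handler, on one request."""
    req = Request(method, path, body)
    is_saml = adapter(req)
    return is_saml, upload_handler(req)

# Constructed sample inputs.
UPLOAD = b"%PDF-1.4 constructed sample upload bytes"
SAML_POST = b"SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState=abc"

if __name__ == "__main__":
    print("any secured URL:", handle(adapter_any_url, "POST", "/app/upload", UPLOAD))
    print("/saml only:     ", handle(adapter_saml_endpoint, "POST", "/app/upload", UPLOAD))
    print("IdP POST:       ", handle(adapter_saml_endpoint, "POST", "/app/saml", SAML_POST)[0])
```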
Pentaho with Keycloak (SSO)
by Shankar_Bhaskaran
Hi,
I am trying to set up Keycloak with Pentaho 6, which uses Spring 2.5 security. The application server on which the Pentaho war runs is Tomcat 8. For that I will need the Spring adapter with the dependencies. Could you direct me to the download link for the same? Pentaho now supports CAS. Do we have any documentation for implementing Keycloak with Pentaho 6? I have attached the Spring Security XML of Pentaho and also the CAS XML for SSO.
On checking with Pentaho on integration with Keycloak, they replied as given below:
"If Keycloak can authenticate a visitor via a webservice, you can write the Spring Security based Pentaho extensions to authenticate using Keycloak. Again, we don't directly support Keycloak, but I can give you information about how to switch to a web services based authentication and authorization system."
Regards,
Shankar
8 years, 2 months
Missing client roles to view and manage groups?
by Edgar Vonk - Info.nl
Hi,
It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
Our case is that we want to have ‘functional admin’ users that are allowed to manage users and groups within their realm (and nothing else).
I have now created such a functional admin user with the following client roles in this particular realm:
- view-events
- manage-users
- view-users
- impersonation
When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I click on it I get a “Forbidden. You don't have access to the requested resource.” and in the logs we see:
4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
    at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
    at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
    at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?
cheers
Edgar
8 years, 2 months
logging configuration for Spring-Boot
by Carl Mosca
I have read a couple of posts on (JBoss) logging configuration for Spring
Boot but so far nothing is giving me DEBUG level output.
I am trying to track down a keycloak Spring Boot issue.
Does anyone have an example they can point me to?
TIA,
Carl
8 years, 2 months
Application Clustering problems
by Christian Beikov
Hello,
I am running some tests with my application cluster being secured by a
single keycloak server instance and I encountered problems with the adapter.
My application cluster contains 2 nodes and is load balanced by nginx.
For testing purposes, I enabled round robin load balancing which is
probably the "cause" for my issues.
When I access a secured page, I get redirected to keycloak and
everything is fine. When I then login, and keycloak redirects me back to
the application, I get to a different application cluster node because
of round robin. On that node, apparently the initial information of the
client session is not available and I get redirected to keycloak login
page again. Then keycloak redirects me back to the application, this
time to the original node, and says that access is forbidden.
I suppose the web session caches are not in sync but I just used the
default cache containers as they are defined in standalone-ha.xml of my
Wildfly 10 CR4. Clustering with jgroups works, as I use other
distributed caches too which work just fine.
We are using Keycloak 1.8.0.CR2 on a Wildfly 10 CR4
Regards,
Christian
8 years, 2 months
Re: [keycloak-dev] keycloak-dev Digest, Vol 31, Issue 100
by Alex Gouvêa Vasconcelos
2016-01-26 17:45 GMT-02:00 <keycloak-dev-request(a)lists.jboss.org>:
> Do you can an exception stacktrace on app or auth server?
There is nothing in any log... neither Wildfly 10 (where my app is
deployed) nor Keycloak Server (actually it is a cluster with two instances... I
looked into the two server.log files). The only line is written in Wildfly
10:
16:10:23,145 WARN [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-66) No state cookie
Best Regards.
Alex Gouvea Vasconcelos
8 years, 2 months