Improving SSO logout performance
by Marek Posolda
A few things we could possibly do:
- Currently when an application initiates logout through
servletRequest.logout, it sends a request to the Keycloak logout endpoint.
This endpoint then sends a backchannel request to all logged-in clients with
a registered admin URL. I think we can improve here and not send the request
to the original application which initiated the logout.
For example: when the product-portal application initiates logout through
servletRequest.logout, the adapter itself should already be able to do
all logout actions on its side (invalidate the httpSession etc.) and there
is no need to send another request from Keycloak to product-portal to
log out the same httpSession.
- Backchannel logout requests sent by Keycloak (ResourceAdminManager)
could be sent in parallel. Currently they are sent sequentially, which
is not very optimal.
WDYT?
Marek
8 years, 10 months
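The second point in Marek's proposal above, as an added illustration that is not Keycloak's ResourceAdminManager code: a dispatcher that fans the backchannel logout out to every registered admin URL on its own thread, skips the client that initiated the logout (its adapter already invalidated its own session), and bounds the total wait so one unreachable client cannot stall the whole logout. The `/k_logout` suffix, the `LogoutResult` type and the opaque `logoutToken` payload are assumptions of this sketch.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

/** Illustrative parallel backchannel logout dispatcher (assumed design, not Keycloak's own). */
public class ParallelBackchannelLogout {

    /** Outcome of one backchannel request (hypothetical type). */
    public static final class LogoutResult {
        public final String adminUrl;
        public final boolean success;
        public final String detail;

        LogoutResult(String adminUrl, boolean success, String detail) {
            this.adminUrl = adminUrl;
            this.success = success;
            this.detail = detail;
        }
    }

    private final ExecutorService pool;
    private final int perRequestTimeoutMillis;

    public ParallelBackchannelLogout(int threads, int perRequestTimeoutMillis) {
        this.pool = Executors.newFixedThreadPool(threads);
        this.perRequestTimeoutMillis = perRequestTimeoutMillis;
    }

    /**
     * Notifies every admin URL except the initiator's, in parallel, waiting at most
     * totalTimeoutMillis for all of them. A slow or dead client delays the logout by
     * at most the timeout instead of blocking a sequential loop.
     */
    public List<LogoutResult> logoutAll(List<String> adminUrls, String initiatingAdminUrl,
                                        byte[] logoutToken, long totalTimeoutMillis)
            throws InterruptedException {
        List<String> targets = new ArrayList<>();
        List<Callable<LogoutResult>> tasks = new ArrayList<>();
        for (String url : adminUrls) {
            if (url.equals(initiatingAdminUrl)) {
                continue; // the initiating adapter already performed its local logout
            }
            targets.add(url);
            tasks.add(() -> sendLogout(url, logoutToken));
        }

        // invokeAll cancels every task that has not finished when the total timeout expires
        List<Future<LogoutResult>> futures =
                pool.invokeAll(tasks, totalTimeoutMillis, TimeUnit.MILLISECONDS);

        List<LogoutResult> results = new ArrayList<>();
        for (int i = 0; i < futures.size(); i++) {
            Future<LogoutResult> f = futures.get(i);
            if (f.isCancelled()) {
                results.add(new LogoutResult(targets.get(i), false, "timed out"));
                continue;
            }
            try {
                results.add(f.get());
            } catch (ExecutionException e) {
                results.add(new LogoutResult(targets.get(i), false, String.valueOf(e.getCause())));
            }
        }
        return results;
    }

    /** One backchannel POST to the adapter admin endpoint ("/k_logout" is assumed here). */
    private LogoutResult sendLogout(String adminUrl, byte[] body) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(adminUrl + "/k_logout").openConnection();
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(perRequestTimeoutMillis);
            conn.setReadTimeout(perRequestTimeoutMillis);
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "text/plain");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            int code = conn.getResponseCode();
            return new LogoutResult(adminUrl, code >= 200 && code < 300, "HTTP " + code);
        } catch (IOException e) {
            return new LogoutResult(adminUrl, false, e.toString());
        }
    }

    public void shutdown() {
        pool.shutdown();
    }
}
```

The per-result list matters as much as the parallelism: a client whose logout failed or timed out still holds a session, so the caller should log those entries (and, if the deployment supports it, retry them) rather than treating the whole logout as complete.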
mod_auth_mellon
by Michal Hajas
Hi,
I'm trying to run apache + mod_auth_mellon with keycloak as identity provider.
Steps:
1. Install apache and mod_auth_mellon module
2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory
3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
4. Configure mod_auth_mellon with the enclosed file auth_mellon.conf
5. Create a client in keycloak from the xml file generated in step 2 (Sign Documents, Sign Assertions and Force POST Binding must be enabled)
Login works: when I access /auth, mellon redirects me to keycloak and after a successful login it redirects me back to the protected resource.
Problem:
I'm not able to log out. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy the session in keycloak, and in apache's error log there is:
Current identity provider does not support single logout. Destroying local session only.
The only way I was able to log out is to change
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
to
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
POST -> Redirect
in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console.
Is this correct, or should it work with the POST binding too?
Thank you,
Michal.
8 years, 10 months
avoiding extra sql
by Bill Burke
FYI:
In some places like getClientById, we check the passed-in
RealmModel.getId() against ClientEntity.getRealm().getId() to make sure
it's the same realm. This causes an extra SELECT query on the realm. To
avoid this, you can set the access to the primary key to property, and
the id will be obtained without an SQL query.
import javax.persistence.*;

@Entity
public class RealmEntity {
    @Id
    @Column(name = "ID", length = 36)
    @Access(AccessType.PROPERTY) // id is read via the getter, so a lazy proxy answers it without loading the row
    protected String id;

    public String getId() { return id; }
    public void setId(String id) { this.id = id; }
}
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
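The consuming side of Bill's note, as an added example that is not Keycloak's own code: a hypothetical `ClientEntity` with a lazy `@ManyToOne` realm and a `getClientById` that keeps the cross-realm check. `RealmEntity` is repeated here with the property-access id mapping from Bill's message so the block is self-contained; the `ClientLookup` class, the `REALM_ID` column and the null-on-mismatch behaviour are assumptions of this sketch.

```java
import javax.persistence.Access;
import javax.persistence.AccessType;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;

/** Mirrors the mapping from the message above: the id is reachable without initializing a proxy. */
@Entity
class RealmEntity {
    @Id
    @Column(name = "ID", length = 36)
    @Access(AccessType.PROPERTY)
    protected String id;

    public String getId() { return id; }
    public void setId(String id) { this.id = id; }
}

/** Hypothetical client entity; the realm is lazy, so find() does not join the realm row. */
@Entity
class ClientEntity {
    @Id
    @Column(name = "ID", length = 36)
    protected String id;

    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "REALM_ID")
    protected RealmEntity realm;

    public String getId() { return id; }
    public RealmEntity getRealm() { return realm; }
}

public class ClientLookup {
    private final EntityManager em;

    public ClientLookup(EntityManager em) {
        this.em = em;
    }

    /**
     * Looks a client up by primary key and returns it only if it belongs to the caller's realm.
     * client.getRealm() is an uninitialized proxy here; because RealmEntity.id uses property
     * access, getId() is answered from the proxy's stored key and no SELECT on the realm runs.
     */
    public ClientEntity getClientById(String realmId, String clientId) {
        ClientEntity client = em.find(ClientEntity.class, clientId);
        if (client == null) {
            return null;
        }
        if (!realmId.equals(client.getRealm().getId())) {
            // The row exists but in another realm: report "not found" rather than expose it across realms.
            return null;
        }
        return client;
    }
}
```

The point of the cheap id access is that the realm check stays in place: the comparison is what stops a caller in one realm from resolving a client id that belongs to another, so the optimisation removes the query, not the check.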
Define realm in login
by Damien Snoeck
In an angularJS webapp, I have integrated the keycloak adapter. When users
want to access the webapp they are redirected to the keycloak login screen
for a defined realm. But this webapp will be used by several realms.
What would be the best way to let users provide their realm during the login
process?
- Damien
8 years, 10 months
Script based Authenticators
by Thomas Darimont
Hello group,
I built a little prototype [0] for script based authenticators inspired by
a discussion on the keycloak-users mailing list -
I think it was about post broker authentication checks, e.g. whether the user has
an email address that belongs to the google apps domain...
I introduced a ScriptBasedAuthenticator that is bootstrapped via a
ScriptBasedAuthenticatorFactory and can execute a configured script
via a JSR-223 ScriptEngine against a provided execution context.
I also added a new "script" value type for proper rendering in the UI, as
well as an alias property
on the AuthFlowExecutionRepresentation in order to be able to differentiate
multiple instances of an Authenticator
within the same AuthFlow - this comes pretty close to having Auth0-like
scriptable rules [1] in Keycloak.
For convenient editing I added the AngularJS bindings for the popular ACE
editor.
Looking forward to your thoughts :)
Cheers,
Thomas
[0] https://github.com/thomasdarimont/keycloak/commit/3f39479e7fa0c75941cd524...
[1] https://auth0.com/docs/rules
8 years, 10 months
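A sketch of the JSR-223 evaluation step Thomas describes, added here as an illustration and not his prototype: an admin-configured JavaScript rule is run against bindings for the user and the execution context and passes only if it evaluates to exactly `true`. The engine is created through the JDK 8 Nashorn factory with a deny-all `ClassFilter`, so the rule can inspect what the caller binds but cannot reach Java classes, which is the main risk of letting administrators store executable code in the realm. The `ScriptRuleEvaluator` class, the `user`/`context` binding names and the sample domain rule are assumptions; the two users in `main` are constructed, and only the verified address in the allowed domain passes, not the look-alike domain.

```java
import java.util.HashMap;
import java.util.Map;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/** Evaluates an admin-configured JavaScript rule through JSR-223 (hypothetical helper). */
public class ScriptRuleEvaluator {

    /** Constructed rule: pass only users with a verified e-mail whose domain matches exactly. */
    static final String DOMAIN_RULE =
            "var email = user.email;\n"
          + "var at = email == null ? -1 : email.lastIndexOf('@');\n"
          + "user.emailVerified === true && at > 0\n"
          + "    && email.substring(at + 1).toLowerCase() === context.allowedDomain;";

    private final ScriptEngine engine;

    public ScriptRuleEvaluator() {
        // Deny-all class filter: Java.type(...) and similar calls fail inside the script.
        ClassFilter denyAll = className -> false;
        this.engine = new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    /** Returns true only when the script evaluates to exactly true; anything else fails closed. */
    public boolean evaluate(String script, Map<String, Object> user, Map<String, Object> context) {
        // A fresh Bindings per evaluation: no variables leak from one user's run to the next.
        Bindings bindings = engine.createBindings();
        bindings.put("user", user);       // Nashorn exposes Map keys as properties (user.email)
        bindings.put("context", context);
        try {
            Object result = engine.eval(script, bindings);
            return Boolean.TRUE.equals(result);
        } catch (ScriptException e) {
            return false; // a broken rule must not let anyone through
        }
    }

    public static void main(String[] args) {
        ScriptRuleEvaluator evaluator = new ScriptRuleEvaluator();
        Map<String, Object> context = new HashMap<>();
        context.put("allowedDomain", "example.com");

        // Constructed users: one legitimate, one with a look-alike domain
        Map<String, Object> alice = new HashMap<>();
        alice.put("email", "alice@Example.com");
        alice.put("emailVerified", true);

        Map<String, Object> mallory = new HashMap<>();
        mallory.put("email", "mallory@example.com.evil.test");
        mallory.put("emailVerified", true);

        System.out.println("alice passes:   " + evaluator.evaluate(DOMAIN_RULE, alice, context));
        System.out.println("mallory passes: " + evaluator.evaluate(DOMAIN_RULE, mallory, context));
    }
}
```

Two design choices carry the weight here: failing closed on any exception or non-boolean result, and restricting what the script can touch. Nashorn ships with JDK 8 through 14; on newer JDKs the same shape applies with whichever JSR-223 engine is installed, but the class-exposure control is engine-specific and must be checked for that engine.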
Does keycloak SAML sp support encryption?
by Arulkumar Ponnusamy
I have enabled encryption in the keycloak-saml file. However, I don't see any
encryption happening on the SAML request. Similarly, when the IdP sends an encrypted
response, the keycloak SP couldn't handle it and throws a null pointer exception.
Is it a defect? I'm using HTTP POST binding.
8 years, 10 months