Today, to authenticate against PAM with just a simple username/password, I
implemented UserFederationProvider and added the proper PAM login to
validCredentials. This covers the most basic scenario.
Now I would like to cover a more complex scenario like OTP and change
the flow a little bit, like this:
1. User provides her username
2. The next screen asks her to provide however many factors our user has (for
example: OTP, password). We just don't know; PAM will tell us what's next.
3. We authenticate against it
To see it in practice against a FreeIPA server, I just recorded it
as a practical example.
What would be the best approach to implement this flow? I was considering
moving my authentication logic out of the SSSD federation provider and creating a PAM
Does it make sense?
 - http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationP...
 - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
Dear user keycloak-dev(a)lists.jboss.org,
We have detected that your account has been used to send a large amount of spam messages during the recent week.
Most likely your computer has been compromised and now runs a trojaned proxy server.
Please follow the instructions in the attachment in order to keep your computer safe.
lists.jboss.org technical support team.
I've added support to manually initialize and migrate the database schema.
The property 'databaseSchema' was removed and instead I added
'initializeEmpty' and 'migrationStrategy'.
'initializeEmpty' allows specifying whether an empty database should be
initialized or not. 'migrationStrategy' supports update, validate
and manual. Manual will write all changes required to the database to a
file that can then be manually run on the database. Manual also works in
combination with initializeEmpty=false to allow manually initializing the
I also made a change to the server startup: if there is an exception
thrown during server startup, it will cause the server to exit. This makes
it simpler to verify whether a server started successfully or not.
I have set up a Salesforce SAML SP in Keycloak. So, I basically created a
new client from the Keycloak admin console for Salesforce. This is what my SP
URL looks like:
I edited the Salesforce configuration settings to point it to the Keycloak
IDP. So, when I access the SP: http://rashmi789-dev-ed.my.salesforce.com
I am successfully taken to the Keycloak IDP page (where I have configured
my Authenticator). I enter my credentials there and am able to log in. But
now, when I try to log out, I get the following error on the web page:
We're sorry ...
So, single sign-out does not seem to be working for me. What is the issue?
Is it a problem with the IDP logout URL that I have configured? What I have
as my IDP Login URL is:
and that seems to be perfectly fine, as I am able to log in without any issue.
What is the issue with the logout I am seeing above when using a Salesforce
SP with Keycloak? Please let me know if you need me to provide more details.
Also, once this issue is resolved and I am able to log out successfully,
could you give some insights on how to customize the logout page?
According to the docs, we support different encodings by using a
header in the internationalization resource files.
I can't seem to get it working. I've used the "# encoding=UTF-8" header
(exactly like in the docs) at the beginning of the file and encoded it as
UTF-8, of course. Keycloak still apparently represents it as ISO-8859-1,
regardless of the header. Am I doing something wrong? :)
I'm attaching the testing file.
Associate Quality Engineer
Red Hat Czech s.r.o.
I'm developing a Keycloak extension, and I want some custom (per-realm)
parameters to be tuned via the GUI form. Speaking of the storage
mechanism for my settings, are realm attributes suitable for that? Or
should I create a dedicated custom entity instead?