Fwd: any reference document on Keycloak SAML SP configuration
by Arulkumar Ponnusamy
I want to implement the SAML Service Provider (SP) for my application. I
used picketlink earlier (servlet filter) to configure my application as a
SAML SP. However, when I tried the same with Keycloak, it does not work as
expected. There is no proper documentation/example on how the Keycloak SAML SP
configuration has to be done.
I did the following things.
1. Copied all the jars (keycloak-saml-eap6-adapter-dist) into my jboss/lib
directory
2. Configured the security domain as below
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
3. I built the Keycloak SAML example "redirect-with-signature" and deployed it.
4. I am using picketlink as my IDP.
5. The redirect does not redirect to my picketlink IDP.
Can someone tell me how to configure the Keycloak SAML SP?
Mobile SSO - web brower+ native iOS
by Joseph.George@finantix.com
Dear All,
We have a situation where users have both HTML5-based web applications and
native iOS apps accessed from iPads.
The requirement is that users access the web-based application within an
iPad, which will be redirected to the Keycloak IDP server for login.
Once the user logs in, the next time the same user taps on the native app
within the same device, it should not prompt for userid/password again;
rather, SSO takes care of it.
We need to design so that users can toggle back and forth among mobile
browser apps and mobile apps.
This is ideal for agents and sales reps, who need to switch quickly among
programs while on the go.
Would like to know: is this something Keycloak with SAML 2.0 supports out
of the box, please?
Thanks and Regards
Joseph
Sign In button URL
by Adrian Matei
Hi guys,
can anyone still help a poor guy on a Friday afternoon?
What is the URL I need to have the sign-in button point to, in my Spring
web app, that will ask me to log in via Keycloak and redirect me back
exactly to the page I made the request from?
Thanks,
Adrian
Can not logout from demo broker
by Mai Zi
Hi there, I followed the instructions to import the broker's two realms and successfully logged in. When logging out, it failed.
Any help will be appreciated
Maizi
Downloads are gone
by Frank van Veen
Hi,
It seems like the website has issues. I wanted to download an older version of Keycloak, but all downloads are gone.
Sincerely,
Frank van Veen
Fwd: Limiting the admin REST API
by Bystrik Horvath
Forgot to reply to all ;-)
---------- Forwarded message ----------
From: Bystrik Horvath <bystrik.horvath(a)gmail.com>
Date: Fri, Nov 27, 2015 at 12:18 PM
Subject: Re: [keycloak-user] Limiting the admin REST API
To: stian(a)redhat.com
Hi Stian,
Thank you for the answer. A custom endpoint would be a nicer option for me, as I
would like to, e.g., let the calling application use its own set of user
attributes (e.g., name of the university) and remap them onto custom
attributes of the user representation. Is there any way to add my own endpoint
to Keycloak (when the SPI is not ready for that option)?
Best regards,
Bystrik
On Fri, Nov 27, 2015 at 12:05 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Another option is that you use scope to prevent this. I imagine you will
> want to have a separate set of roles for your calling app in either case.
> In which case you make sure that you limit the scope of the clients.
>
> On 27 November 2015 at 12:04, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Pressed send too early. We are planning to add an SPI to allow deploying
>> your own rest endpoints. Once we have that we can also add an option to
>> disable admin endpoints. Although the Keycloak admin console wouldn't work
>> anymore.
>>
>> On 27 November 2015 at 12:03, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> In that case I'd say you should rather not deploy the admin endpoints at
>>> all and instead add your own custom endpoints.
>>>
>>> On 27 November 2015 at 11:08, Bystrik Horvath <bystrik.horvath(a)gmail.com
>>> > wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> I would like to limit the functionality of the admin REST API to the
>>>> calling user/application.
>>>> The motivation is not to expose the "internals" of Keycloak and to put
>>>> some logic between the calling app and the admin REST API.
>>>> My idea was to create a simple web application deployed on the Keycloak
>>>> server that belongs to the same realm as the calling application and the
>>>> realm management application.
>>>> Would you recommend that approach? Or is there anything more suitable
>>>> (e.g., implement it as a Keycloak valve, etc.)?
>>>>
>>>> Thank you for your opinions.
>>>>
>>>> Best regards,
>>>> Bystrik
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
Limiting the admin REST API
by Bystrik Horvath
Hello everyone,
I would like to limit the functionality of the admin REST API to the
calling user/application.
The motivation is not to expose the "internals" of Keycloak and to put some
logic between the calling app and the admin REST API.
My idea was to create a simple web application deployed on the Keycloak server
that belongs to the same realm as the calling application and the realm
management application.
Would you recommend that approach? Or is there anything more suitable
(e.g., implement it as a Keycloak valve, etc.)?
Thank you for your opinions.
Best regards,
Bystrik
Required roles for clearing login failure counts
by Gregor Tudan
Hi everyone,
While I totally agree that any configuration of the brute-force detection should require the realm-management role, I'd like to raise the question of whether clearing failed attempts should be that restrictive.
This affects the following service endpoints:
DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames
We would like to enable call-center agents to unlock specific users, but giving them realm-management permissions doesn't feel right. Wouldn't user-management be a more appropriate permission for these endpoints, or are there side effects to consider?
Thanks,
Gregor
Email is unique within one realm
by Sebastian Olscher
Hello,
The email address is unique within one realm. Is there a possibility to fulfil the requirement of having different users (different usernames) for different applications within one realm that are managed and used by the same person/entity?
For example:
Username: I_Am_An_Admin
Email: user(a)traveltainment.de
(gets roles for every client within the realm)
Username: I_Am_A_Normal_User
Email: user(a)traveltainment.de
(gets roles from only one client within the realm)
Is this uniqueness of the email address configurable?
Thanks,
Sebastian
Implementation of Keycloak (SAML) with Google Apps
by Thomas Schweizer-Bolzonello
Hello,
Does someone have documentation on how to implement Keycloak with Google Apps?
I tried to implement a SAML client in a Keycloak realm, but I'm lost
with the settings when creating one.
Tried to use the official documentation and to search on the web but
to no avail.
If someone could point me to what settings to use in the SAML client I
created, it would be great.
I already took the key generated for the realm and uploaded it to Google Apps.
Best regards,
Thomas