SAML Metadata export
by Ben Bazian
How can I export the metadata for a SAML client in XML format? I do not see the installation tab on SAML, only OpenID.
10 years
Refresh token error
by Michael Gerber
Hi
A tester in our team had the following error:
2015-12-09 15:46:39,702 WARN [org.keycloak.events] (default task-94) type=REFRESH_TOKEN_ERROR, realmId=6b201710-e4df-4c80-9b03-852d97c63eb7, clientId=web, userId=1, ipAddress=172.25.104.2, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=153e0143-b0f1-4714-821a-9bb50fce301f, client_auth_method=client-secret
2015-12-09 15:46:39,702 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-92) Refresh token failure status: 400 {"error_description":"Session not active","error":"invalid_grant"}
I can't reproduce it, do you have any idea what the cause could be?
Micheel
10 years
Guidelines for deployment of keycloak based applications for different environments
by Anunay Sinha
Hi
I need help to figure out how to manage my kecloak.json files in between
different environments. Since I have a keycloak server deployed on my dev,
qa and preprod, and am using jenkins for CI.
Now what i don't know is how this keycloak.json gets loaded.
If I knew that, I can have something like keycloak_dev.json,
keycloak_qa.json and kecloak_preprod.json, picking up the correct config
file as per my environment.
Is my understanding and approach is correct. If so can you help me how I
can get these respect jsons loaded.
--
- Anunay
10 years
Secured application configuration question
by Paul Blair
I'm setting up apiman with Keycloak and have a question that the folks on the apiman user list suggested I ask here.
In the Wildfly configuration for apiman, I see several entries like this (one for each war file):
<kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman.war">
<kc:realm>apiman</kc:realm>
<kc:resource>apiman</kc:resource>
<kc:credential name="secret">password</kc:credential>
I'm noticing that they fill in the word "password" here, but in their instructions they don't specify to replace it with a particular password. My guess is that this credential is used only for applications that request REST Direct Access Grants, and that since apiman doesn't do that, they can use a dummy password in this configuration.
Is it correct that this credential is used only for Direct Access Grants?
10 years
realm admin user group for Keycloak 1.7.0 CR1
by Ken Kong
Hi,
Does the user group work with the Client Roles realm-management? I
created a realm admin user group that has role mapped to realm-admin in
realm-management Client Roles. Then I assigned a user to the group. When
the user logged in the realm, the user doesn't have access to the
requested resource.
Steps (screenshots attached):
1. Create a realm admin user group, go to Role Mapping tab, choose
realm-management from Client Roles drop down list and assign realm-admin
2. Create a user and assign it to the user group
3. User log in to the realm but can't access the realm admin
Ken Kong
Senior Java Developer
Invenco Group Limited
O: +64 9 905 5661
Ken.Kong(a)invenco.com <mailto:Ken.Kong@invenco.com>
www.invenco.com <http://www.invenco.com>
Disclaimer: This email is confidential and may be legally privileged.
If you are not the intended recipient you must not use any of the
information in it and must delete the email immediately.
10 years
KeyCloak users
by Lars Noldan
Hello All,
We are currently using another authz/authn solution in front of our
applications that I don't think is as flexible or as scalable as keycloak.
On technical merit alone I can likely make a case to shift our SSO solution
over, however I was asked "What companies are using keycloak in the wild."
which is a fair question considering the solution we are currently using is
supported by a very large vendor.
I would like to ask if any of you, the users would be willing to drop me a
note saying "We Use Keycloak at $Company."
I don't need to know which applications, urls, or anything specific about
your usage.
Please feel free to e-mail me direct if you aren't comfortable responding
to the whole list.
Thank you for your time.
--
Lars Noldan
lars.noldan(a)drillinginfo.com
Application Support Manager
Drillinginfo, inc.
10 years
Salesforce SSO
by Ben Bazian
Sorry for the double post but figured I would try one more time. Has anyone successfully setup Keycloak as an IDP into Salesforce? I have it working with OpenID but the way Salesforce implements it is not acceptable. Would like to use SAML instead. I am seeing nothing via a web search on this.
Any and all help appreciated.
__________________________
BEN BAZIAN
Director, Information Systems
MBO Partners
[cid:image001.png@01D057F2.BE72C880]
t: 703.793.6010
f: 703.793.6079
e: bbazian(a)mbopartners.com
w: mbopartners.com
Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster(a)mbopartners.com<mailto:postmaster@mbopartners.com> and permanently delete the e-mail and files.
10 years
info about brute force detection
by Giovanni Baruzzi
The question of Mara was perfectly legitimated and the answers are not
really acceptable.
I have the opinion that the number of failures needs to be persisted and the
designer should not make assumption about the times and periods for server
restarts
Secondly, where should be such a brute detection implemented if not in
Keycloak?
In effect is is implemented, but the implementation can be made better.
FYI information we implemented it using the functionalities of the LDAP
server.
Regards,
Giovanni
>>In addition, is pretty much possible to configure fail2ban to read the
>>log files and store it into the database for example
>>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>>
>>I can be wrong, but I don't think Keycloak should have something like this.
>>
On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user> > wrote:
> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>
> Dear all,
>
> I have enabled brute force detection on my keycloak application server.
>
> I used keycloak 1.5.0 Final version.
>
> After several trials I saw that the number of failures of the users are
> saved in session, so if the server will be restarted the counter starts from
> 0 again.
>
> Why you don¹t save it into db?
>
> I didn't design this, but I think it's because brute force detection is
> designed to thwart guessing of credentials over a relatively short time
> period. In production you don't restart the server very often.
>
>
>
> Mara
>
>
>
> _______
10 years
