Re: [keycloak-user] SAML in a keycloak cluster
by GKAZGKAS Dimitrios (TAN/MST)
The response from the list on my initial mails was : After content filtering, the message was empty
So I try to send the same mail without CC and without attached
===========
Hello,
We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node , we are currently managing to authenticate in SAML way.
The architecture :
--> we have one apache reverse proxy with a public and unique endpoint for saml authentication. We can call the pubic url : security.lu<http://security.lu>
--> the reverse proxy will load-balance all calls that come on security.lu<http://security.lu> to two keycloak nodes : security1.lu<http://security1.lu> and security2.lu<http://security2.lu> ( the private urls) .
The issue that we have :
--> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is refering to security1.lu<http://security1.lu> ( the private address as the keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu<http://security1.lu> node, it will work. If I arrive on the second security2.lu<http://security2.lu> node, it will fail. When I dig a little bit more, it's because in fact, the SAMLRequest that is generated looks like this :
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://security1.lu<http://security1.lu>:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"></samlp:NameIDPolicy></samlp:AuthnRequest>
The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu<http://security2.lu> node :
2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>From what I see there is for saml client, a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here ? But i don't know how to proceed.
Or is there any way to define both security1.lu<http://security1.lu> and security2.lu on the Saml XML configuration that the client integrates?
We have set proxy-address-forwarding=true
Thank you for your help.
Kr,
Br
Dimitrios Gkazgkas
IT Solutions Architect
________________________________
**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer
9 years
(no subject)
by Rickard Östergård
Hi,
I have a question about user session expiration.
When the SSO Session Idle or SSO Session Max times are reached the auth
server will invalidate the user session. Will the clients that have
initiated these session be notified? Hence, are the clients logged out (via
the admin url) when the auth server expires a user session?
If not, is this a feature that will be implemented in coming releases ?
Best regards,
Rickard
9 years
Policy Enforcement Mode cannot be changed.
by Joey
Hi Guys,
I read from documents, and my understanding is if set Policy
Enforcement Mode to disable, then any users can access all resources.
but I tried to set it to disable. but nothing be changed.
For example,
I have a role call Role_A , and set a user Tom as this Role_A, if I
set a resource access policy without Role_A. this user Tom cannot
access this resource. And I can see some log in tomcat.
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Policy enforcement is enable. Enforcing policy decisions for
path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portal...].
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Policy enforcement result for path
[http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portal...]
is : GRANTED
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Returning authorization context with permissions:
Joey
9 years
Get error when I set https to keycloak and tomcat server.
by Joey
Hi Guys,
I am trying to set SSL for both of keycloak and tomcat server. I apply
a free cer from http://www.cacert.org. I installed cer to my keycloak
server follow document 7.3 and 7.4
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
and installed cer to my tomcat server follow
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
I started keycloak server from https, it works fine. But I started
tomcat with my application (It works fine with http, I changed
everything from http to https in all configuation files)
but I saw this error message in tomcat server log.
Anyone can help me out of this problem, thank you.
ERROR MESSAGE
2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG
org.springframework.web.servlet.DispatcherServlet - Servlet 'spring'
configured successfully
Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Could not obtain configuration
from server [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-...].
at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:82)
at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56)
at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:59)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
... 10 more
Caused by: java.lang.NullPointerException
at java.lang.String.<init>(String.java:566)
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:80)
... 20 more
Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR
SEVERE: Error deploying web application archive
/root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
9 years
Keycloak Import not importing admin-events
by Gta Fox
Hello
My use case is the following:
Export data
Destroy keycloak db, recreat without any data
Import data
And my problem is here admin events does not appear, in ...#/realms/master/admin-events page.
Thanks
9 years
Keep alive sessions for multiply applications
by Michael Furman
Hi all,
How Keycloak keeps alive sessions for multiply applications?
For example, I login to the first application then perform SSO case for the second application.
After it I work only on the first application for a long time (more than the second application session timeout).
What happens when I move back to the second application?
Will Keycloak keep alive the session for the second application?
Thank you in advance for your help.
Best regards,
Michael
9 years
Re: [keycloak-user] It's possible to check if an user have an active/valid session through REST API?
by Bruno Oliveira
Hi Max, I'm adding the ML back.
Unless I'm mistaken, I don't think this is supported today.
On 2016-10-25, max.catarino(a)rps.com.br wrote:
>
>
> Hello Bruno,
>
> Thank you for your repply.
> The http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> [2] endpoint returns an UserSessionRepresentation. As I said, there is
> no information about the session is active or not.
> The http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> endpont returns a session count only.
>
> I looking for a endpoint that returns the status of the user session,
> active/valid (after login), inactive/invalid (after logout, expired).
>
> Best regards.
>
> Maximiliano
>
> Em 24.10.2016 17:01, Bruno Oliveira escreveu:
>
> > Hi Max, I'm not sure which information you want, but you can try to look
> > at these endpoints:
> >
> > * http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2]
> > * http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> >
> > On 2016-10-24, max.catarino(a)rps.com.br wrote:
> >
> >> It's possible to check if an user have an active/valid session through
> >> REST API?
> >>
> >> I saw the UserSessionRepresentation returned by
> >> Keycloak.realm("realmId").users().get("userId").getUserSessions(). But
> >> UserSessionRepresentation do not have the information I want.
> >>
> >> Best regards
> >>
> >> Maximiliano
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user [1]
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>
>
>
> Links:
> ------
> [1] https://lists.jboss.org/mailman/listinfo/keycloak-user
> [2] http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> [3] http://www.keycloak.org/docs/rest-api/#_get_client_session_stats
--
abstractj
PGP: 0x84DC9914
9 years
Having a policy enforcer and an unsecured endpoint at the same time ?
by Sebastien Blanc
Hi,
I'm trying to help a community member that is having issues to provide a
rest endpoint that do not need authentication but other endpoints are
protected and make use of a policy enforcer.
Looks like it is not possible to have both , is that correct ? The authz
seems to intercept all the request (as mentioned in the documentation) and
even by setting the enforcement to "permissive" it fails for this
unprotected endpoint.
For reference : https://issues.jboss.org/browse/KEYCLOAK-3799
(There are other issues in this ticket like configuring authz for
SpringBoot but this is another problem to have to be solved separately)
Sebi
9 years
Different login pages for different clients
by Michael Furman
Hi all,
Is it possible to support Different login pages for different OIDC clients?
Or at least to understand what OIDC and behave differently for each client?
Thank you in advance for your help.
Best regards,
Michael
9 years
