Re: [keycloak-user] SAML in a keycloak cluster
by GKAZGKAS Dimitrios (TAN/MST)
The response from the list to my initial mails was: "After content filtering, the message was empty".
So I am sending the same mail without CC and without attachments.
===========
Hello,
We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node, we are currently managing to authenticate the SAML way.
The architecture :
--> we have one apache reverse proxy with a public and unique endpoint for saml authentication. We can call the public url : security.lu
--> the reverse proxy will load-balance all calls that come on security.lu to two keycloak nodes : security1.lu and security2.lu (the private urls).
The issue that we have :
--> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address, as the keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu node, it will work. If I arrive on the second security2.lu node, it will fail. When I dig a little bit more, it's because in fact the SAMLRequest that is generated looks like this :
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://security1.lu:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"></samlp:NameIDPolicy></samlp:AuthnRequest>
The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node :
2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
From what I see there is, for a saml client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.
Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates?
We have set proxy-address-forwarding=true
Thank you for your help.
Kr,
Br
Dimitrios Gkazgkas
IT Solutions Architect
8 years, 1 month
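As an added illustration of why the second node answers invalid_destination (this is not code from the thread and not Keycloak's implementation): an IdP compares the Destination attribute of the incoming AuthnRequest with the SAML endpoint it believes it is serving, and rejects anything else. The request text, the node endpoints and the remedy shown (pointing the client at the single public endpoint and having both nodes treat that public URL as their own) are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def authn_request(destination):
    """Constructed AuthnRequest modelled on the one in the post; ID and issuer are placeholders."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" Destination="{destination}" '
        'ForceAuthn="false" ID="ID_placeholder" IsPassive="false" '
        'IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def get_destination(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("Destination")


def normalize(url):
    # Compare scheme, host, effective port and path so that a default port does not cause a spurious mismatch.
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path.rstrip("/"))


def check_destination(xml_text, node_saml_endpoint):
    """Mimic an IdP's Destination check: accept only a request addressed to this node's own endpoint."""
    dest = get_destination(xml_text)
    if dest is None:
        return False, "missing_destination"  # this example's choice; unsigned requests may omit it
    if normalize(dest) != normalize(node_saml_endpoint):
        return False, "invalid_destination"
    return True, "ok"


def simulate_cluster(xml_text, node_endpoints):
    """Return {node_name: reason} for each node the proxy could route the request to."""
    return {name: check_destination(xml_text, ep)[1] for name, ep in node_endpoints.items()}


# Situation from the post: the client is configured with the private URL of node 1.
PRIVATE_NODES = {"security1": "http://security1.lu:8080/realms/xxx/protocol/saml",
                 "security2": "http://security2.lu:8080/realms/xxx/protocol/saml"}
# Assumed remedy: client uses the public proxy URL and every node reports that same URL as its endpoint.
PUBLIC_URL = "http://security.lu/realms/xxx/protocol/saml"
PUBLIC_NODES = {"security1": PUBLIC_URL, "security2": PUBLIC_URL}
```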
(no subject)
by Rickard Östergård
Hi,
I have a question about user session expiration.
When the SSO Session Idle or SSO Session Max times are reached the auth
server will invalidate the user session. Will the clients that have
initiated these session be notified? Hence, are the clients logged out (via
the admin url) when the auth server expires a user session?
If not, is this a feature that will be implemented in coming releases ?
Best regards,
Rickard
8 years, 1 month
Policy Enforcement Mode cannot be changed.
by Joey
Hi Guys,
I read the documents, and my understanding is that if I set Policy
Enforcement Mode to disabled, then any user can access all resources.
But I tried to set it to disabled, and nothing changed.
For example,
I have a role called Role_A, and I assigned a user Tom to this Role_A. If I
set a resource access policy without Role_A, this user Tom cannot
access this resource. And I can see some log in tomcat.
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Policy enforcement is enable. Enforcing policy decisions for
path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portal...].
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Policy enforcement result for path
[http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portal...]
is : GRANTED
Oct 26, 2016 7:37:33 PM
org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Returning authorization context with permissions:
Joey
8 years, 1 month
Get error when I set https to keycloak and tomcat server.
by Joey
Hi Guys,
I am trying to set up SSL for both the keycloak and the tomcat server. I applied
for a free cert from http://www.cacert.org. I installed the cert on my keycloak
server following documentation sections 7.3 and 7.4
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
and installed the cert on my tomcat server following
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
I started the keycloak server over https, and it works fine. But when I started
tomcat with my application (it works fine with http; I changed
everything from http to https in all configuration files)
I saw this error message in the tomcat server log.
Can anyone help me out with this problem? Thank you.
ERROR MESSAGE
2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG
org.springframework.web.servlet.DispatcherServlet - Servlet 'spring'
configured successfully
Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Could not obtain configuration
from server [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-...].
at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:82)
at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56)
at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:59)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
... 10 more
Caused by: java.lang.NullPointerException
at java.lang.String.<init>(String.java:566)
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:80)
... 20 more
Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR
SEVERE: Error deploying web application archive
/root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
8 years, 1 month
Keycloak Import not importing admin-events
by Gta Fox
Hello
My use case is the following:
Export data
Destroy the keycloak db, recreate it without any data
Import data
And my problem is here: admin events do not appear in the ...#/realms/master/admin-events page.
Thanks
8 years, 1 month
Keep alive sessions for multiple applications
by Michael Furman
Hi all,
How does Keycloak keep sessions alive for multiple applications?
For example, I login to the first application then perform SSO case for the second application.
After it I work only on the first application for a long time (more than the second application session timeout).
What happens when I move back to the second application?
Will Keycloak keep alive the session for the second application?
Thank you in advance for your help.
Best regards,
Michael
8 years, 1 month
Re: [keycloak-user] Is it possible to check if a user has an active/valid session through the REST API?
by Bruno Oliveira
Hi Max, I'm adding the ML back.
Unless I'm mistaken, I don't think this is supported today.
On 2016-10-25, max.catarino(a)rps.com.br wrote:
>
>
> Hello Bruno,
>
> Thank you for your reply.
> The http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> [2] endpoint returns a UserSessionRepresentation. As I said, there is
> no information about whether the session is active or not.
> The http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> endpoint returns a session count only.
>
> I am looking for an endpoint that returns the status of the user session,
> active/valid (after login), inactive/invalid (after logout, expired).
>
> Best regards.
>
> Maximiliano
>
> Em 24.10.2016 17:01, Bruno Oliveira escreveu:
>
> > Hi Max, I'm not sure which information you want, but you can try to look
> > at these endpoints:
> >
> > * http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2]
> > * http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> >
> > On 2016-10-24, max.catarino(a)rps.com.br wrote:
> >
> >> Is it possible to check if a user has an active/valid session through
> >> the REST API?
> >>
> >> I saw the UserSessionRepresentation returned by
> >> Keycloak.realm("realmId").users().get("userId").getUserSessions(). But
> >> UserSessionRepresentation does not have the information I want.
> >>
> >> Best regards
> >>
> >> Maximiliano
> >>
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>
>
>
> Links:
> ------
> [1] https://lists.jboss.org/mailman/listinfo/keycloak-user
> [2] http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> [3] http://www.keycloak.org/docs/rest-api/#_get_client_session_stats
--
abstractj
PGP: 0x84DC9914
8 years, 1 month
Having a policy enforcer and an unsecured endpoint at the same time ?
by Sebastien Blanc
Hi,
I'm trying to help a community member who is having issues providing a
rest endpoint that does not need authentication while other endpoints are
protected and make use of a policy enforcer.
Looks like it is not possible to have both, is that correct? The authz
seems to intercept all the requests (as mentioned in the documentation) and
even by setting the enforcement to "permissive" it fails for this
unprotected endpoint.
For reference : https://issues.jboss.org/browse/KEYCLOAK-3799
(There are other issues in this ticket, like configuring authz for
SpringBoot, but this is another problem that has to be solved separately)
Sebi
8 years, 1 month
Different login pages for different clients
by Michael Furman
Hi all,
Is it possible to support different login pages for different OIDC clients?
Or at least to know which OIDC client is involved and behave differently for each client?
Thank you in advance for your help.
Best regards,
Michael
8 years, 1 month