Differences between SAML descriptors
by Muein Muzamil
Hi All,
Currently, KeyCloak supports two mechanisms to download SAML metadata.
One is using this public URL:
<root>/auth/realms/{realm}/protocol/saml/descriptor
The second option is to download it from the installation tab of the client,
or using this API:
/admin/realms/{realm}/clients/{id}/installation/providers/{providerId}
It seems that there are some differences between them. In particular, the first
option returns metadata with an extra <EntitiesDescriptor> tag, such as:
<EntitiesDescriptor Name="urn:keycloak"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y">
.........
</EntityDescriptor>
</EntitiesDescriptor>
When we try to upload this metadata (downloaded from the public URL) to
PingOne, it doesn't like it (metadata from installation tab works fine). Is
there any reason for this?
Regards,
Muein
7 years, 10 months
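One way to turn the wrapped realm descriptor into the single <EntityDescriptor> document that the installation tab hands out, so a service provider that only accepts a bare EntityDescriptor can consume it. This is an added example, not Keycloak's own code; the metadata sample, host and realm are constructed here. It refuses to unwrap when the outer element carries its own dsig:Signature, because dropping the wrapper would leave a child the signature no longer covers.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD_NS)      # keep the default namespace on output
ET.register_namespace("dsig", DS_NS)

# Constructed sample shaped like the realm descriptor quoted above (host and realm are made up).
WRAPPED_METADATA = f"""<EntitiesDescriptor Name="urn:keycloak" xmlns="{MD_NS}" xmlns:dsig="{DS_NS}">
  <EntityDescriptor entityID="http://idp.example.test/auth/realms/demo">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://idp.example.test/auth/realms/demo/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""
# The same wrapper carrying a (constructed, empty) signature element on the outer tag.
SIGNED_WRAPPER = WRAPPED_METADATA.replace("<EntityDescriptor", "<dsig:Signature/><EntityDescriptor", 1)

ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"


def wrapper_is_signed(xml_text: str) -> bool:
    """True when the outer EntitiesDescriptor carries its own XML signature."""
    root = ET.fromstring(xml_text)
    return root.tag == ENTITIES and root.find(f"{{{DS_NS}}}Signature") is not None


def unwrap_entity_descriptor(xml_text: str) -> str:
    """Return the single EntityDescriptor as a standalone document; a bare
    EntityDescriptor (what the installation tab produces) is returned unchanged."""
    root = ET.fromstring(xml_text)
    if root.tag == ENTITY:
        return xml_text
    if root.tag != ENTITIES:
        raise ValueError(f"unexpected root element {root.tag}")
    if wrapper_is_signed(xml_text):
        # The signature covers the wrapper, so the child alone would no longer verify.
        raise ValueError("EntitiesDescriptor is signed; unwrapping would discard the signature")
    entities = root.findall(ENTITY)
    if len(entities) != 1:
        raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
    return ET.tostring(entities[0], encoding="unicode")


def entity_id_of(xml_text: str) -> str:
    """entityID attribute of a standalone EntityDescriptor document."""
    root = ET.fromstring(xml_text)
    return root.get("entityID", "") if root.tag == ENTITY else ""
```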
Using a service account for an app
by Juan Diego
Hi,
Sorry, I am a little bit confused about how to use a service account, and
whether I am doing this correctly.
I was reading this
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
So at the moment I have a Java REST API backend that is set to access type
bearer-only, and a front end in Angular 1.5 that is a public access type.
They work OK with Keycloak.
So I am creating a third app (it is not web), in Java.
I want this app to be able to access my REST services without logging in or
creating public services.
So from what I understand I should create a client of type confidential, and
allow service accounts.
So here is the part where I am kind of lost. I only have one role called
users, which I was using on my backend and front end.
Should I create a new role for my app, and should I add this role on my
backend?
Thanks
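The two halves of the setup described above, as an added example (not code from the original post or from Keycloak): the client credentials request the Java app's confidential client sends to the realm's token endpoint, and the role check a bearer-only backend makes on the access token it then receives. The base URL, client id, secret and token claims are constructed; the service-account username pattern is stated as an assumption.

```python
import base64
from urllib.parse import urlencode


def client_credentials_request(base_url, realm, client_id, client_secret):
    """Build the token request a confidential client with service accounts
    enabled sends; no user logs in, the client authenticates itself.
    Returns (url, headers, body) instead of sending it, so it runs offline."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",  # secret goes in the header, never the URL
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials"})
    return url, headers, body


def realm_roles(claims):
    """Realm roles Keycloak places in the access token under realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))


def backend_allows(claims, required_role, expected_issuer):
    """The authorization decision a bearer-only backend makes. Signature and
    expiry verification are assumed to have already happened on these claims."""
    if claims.get("iss") != expected_issuer:
        return False  # token minted by a different realm or server
    return required_role in realm_roles(claims)


# Constructed claims for a service-account token. The 'service-account-<clientId>'
# username is an assumption about how Keycloak names the service account user.
SERVICE_ACCOUNT_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "azp": "batch-app",
    "preferred_username": "service-account-batch-app",
    "realm_access": {"roles": ["users"]},
}
```

Whatever role backend_allows requires has to be granted to the client's service account user; the existing users role is used here.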
Re: [keycloak-user] Two Factor Authentication in Keycloak using text message or email to the user.
by Kevin Berendsen
Hi Reed,
It sure is possible, but every text message gateway vendor probably has its own custom API, so you need to create your own authenticator unless someone else already did it for the same vendor.
It sure is possible, and if you get to know the Authentication SPI of Keycloak, it's most likely done within two weeks (includes testing and playing around with the code).
We are doing the very same thing in about 2 weeks.
On 8 Feb 2017 7:50 pm, Reed Lewis <RLewis(a)carbonite.com> wrote:
We wish to use two-factor authentication with Keycloak, but not the built-in authenticator; instead a more user-friendly method of sending a text message to the user, which the user will type into a box on the screen to successfully log in. Would that be something that could be done with Keycloak easily?
I would guess there would need to be a plug-in to do this, but I want to make sure it would be possible first.
Reed
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Two Factor Authentication in Keycloak using text message or email to the user.
by Reed Lewis
We wish to use two-factor authentication with Keycloak, but not the built-in authenticator; instead a more user-friendly method of sending a text message to the user, which the user will type into a box on the screen to successfully log in. Would that be something that could be done with Keycloak easily?
I would guess there would need to be a plug-in to do this, but I want to make sure it would be possible first.
Reed
Client setup recommendation
by David Delbecq
Hello,
we have a JavaScript web application we are migrating to Keycloak. I am not
sure what the recommendations are on setting up the configuration for that
client with the following requirements:
Once the user triggers the "login" and gets Keycloak authenticated, we should
get a bearer token to use later on REST services.
The user should not be asked to log in again unless he logs out, even
if he closes his browser. So we need a way to keep or replace the token on a
regular basis. Is there some Keycloak REST service we can poll on a regular
basis for this?
Sometimes the user goes "off grid" (no network communication) for several
hours. How can we ensure we still stay logged in?
My first idea was to just increase the SSO timeout and token validity to 30
days. But it seems like a bad idea from my reading of the Keycloak
documentation. So I tried to use an offline token instead, but it seems the
implicit flow doesn't allow you to get an offline token. All tokens I get
after login are marked as expiring within 15 minutes.
What's the recommended way to get a long-lived refresh token using the implicit
flow?
--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq(a)trimbletl.com
[Keycloak][Ldap Federation][Custom User LDAP Filter]
by Salvatore Incandela
Hi Guys, I'm configuring keycloak 7.0 with LDAP Federation. I put a custom
query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but
this seems to be ignored.
Looking at the LDAPIdentityStore.fetchQueryResults method, it seems that
once an EqualsCondition is found, this one is considered and the others are
ignored.
if (condition instanceof EqualCondition) {
    .
    .
    return results;
}
I'm sure that I'm doing something wrong, some ideas?
--
Salvatore Incandela
Middleware Consultant
------------------------------
Red Hat - www.redhat.com
Via Andrea Doria 41M
00192 Roma (Italy)
Mobile +39 349 6196615
Fax +39 06 39728535
E-mail salvatore.incandela(a)redhat.com
Re: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
by Kevin Berendsen
Hi,
Depending on the implementation of your LDAP server, 'uid' is most likely the unique identifier, so not once should there be two LDAP entries with the same value.
If you're searching based on your uuid, which is most likely set to 'uid', then other conditions shouldn't matter, as only one can be returned anyway.
Removing 'uid' from your baseDN could fix your issue.
Even better to help you out, could you send your LDAP federation config? Leave out all the information that you may consider sensitive such as passwords.
- Kevin
On 8 Feb 2017 10:46 am, Salvatore Incandela <salvatore.incandela(a)redhat.com> wrote:
This is what I see in the log files:
2017-02-08 10:36:41,667 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-44) Found ldap object and populated with the attributes. LDAP Object:
LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it , uuid: example,
attributes: {uid=[example], userPassword=[[B@6ba1b2f0],
mail=[example(a)example.it <example(a)example.it>], givenName=[example],
sn=[example], title=[disabled], modifyTimestamp=[20170207194557Z],
createTimestamp=[20170207114007Z]}, readOnly attribute names: [givenname,
sn, userpassword, mail, uid, modifytimestamp, title, createtimestamp] ]
Why, in the case of a UUID search, is the Custom User LDAP Filter ignored?
On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 07/02/17 16:12, Salvatore Incandela wrote:
>
>> Hi Guys, I'm configuring keycloak 7.0 with LDAP Federation. I put a custom
>> query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but
>> this seems to be ignored.
>> Looking at the LDAPIdentityStore.fetchQueryResults method, it seems that
>> once an EqualsCondition is found, this one is considered and the others are
>> ignored.
>>
>> if (condition instanceof EqualCondition) {
>>     .
>>     .
>>     return results;
>> }
>>
> Nope, if you look at the code more deeply, you can find that this one is
> used just for the special case when you query by UUID.
>
> Maybe it can help to enable TRACE logging for the class
> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your
> standalone.xml . With this enabled, you should be able to see some
> additional logging messages in server.log like:
>
> TRACE Using filter for LDAP search: ...
>
> you can see in which DN you're searching and how exactly your LDAP filter
> looks. Hopefully this can help to figure out what is wrong.
>
> Marek
>
>
>> I'm sure that I'm doing something wrong, some ideas?
>>
>>
>
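An added example, not Keycloak's own code, that makes Marek's point concrete: a user search ANDs the object-class terms, the query's own equality conditions and the custom filter into one expression, while a lookup by the UUID attribute sends just that single equality, which is why the custom filter plays no part there. Values are escaped per RFC 4515 so a username cannot change the shape of the filter. Function names and the order of the combined parts are this example's own choices.

```python
# RFC 4515 escaping for values placed inside a filter: without it a username such as
# "*)(uid=*" would rewrite the search instead of matching one entry.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_custom_filter(custom: str) -> str:
    """The custom filter must be one complete, parenthesised expression."""
    custom = custom.strip()
    if not (custom.startswith("(") and custom.endswith(")")):
        raise ValueError("custom filter must start with '(' and end with ')'")
    depth = 0
    for ch in custom:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("unbalanced parentheses in custom filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses in custom filter")
    return custom


def custom_filter_is_valid(custom: str) -> bool:
    try:
        validate_custom_filter(custom)
        return True
    except ValueError:
        return False


def user_search_filter(object_classes, conditions=(), custom_filter=None) -> str:
    """AND together the object-class terms, the query's own (attr, value) equality
    conditions (values escaped here) and the custom filter. The order of the parts
    is this example's choice and is not claimed to match Keycloak's."""
    parts = [f"(objectClass={oc})" for oc in object_classes]
    parts += [f"({attr}={escape_filter_value(val)})" for attr, val in conditions]
    if custom_filter:
        parts.append(validate_custom_filter(custom_filter))
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def uuid_lookup_filter(uuid_attribute: str, uuid_value: str) -> str:
    """The special case from the thread: a lookup by the LDAP UUID attribute can
    match at most one entry, so only that single equality is sent and the custom
    filter is not consulted."""
    return f"({uuid_attribute}={escape_filter_value(uuid_value)})"
```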
How to check whether user account is activated
by Shaikh Asrafali Anwarali
Hi,
I need to check whether a user account is activated or not; below is the scenario.
Whenever we create a user and assign a temporary password, so that the user changes the password immediately after login,
immediately after login a message is prompted:
"You need to change your password to activate your account."
Wherein the user needs to set his new password.
So the question is: until the new password is set the account is not activated, so by which property can we know that the user account is not activated? I need to check this in my new custom required action.
Regards,
Asraf Shaikh
Issues starting up keycloak after DB migration to 2.2.1 from 1.8.0
by Nathan McGinnis
Hi Everyone,
I'm unable to start our keycloak server and could use some assistance. Just to
give a quick recap of the background and steps we've taken:
We've been using keycloak 1.8.0 for a while and are in the process of
migrating to a 2.2.1 instance in AWS. We're running standalone HA mode
with two nodes behind a public ELB. I have configured JDBC Ping to save
session state across both nodes in preproduction and it works there. I have
configured production the same way as preprod (we're also using Chef so I
know it's configured the same).
In production, we've taken a backup of the keycloak postgresql DB (1.8.0)
and restored it to the keycloak DB our 2.2.1 instance is pointed to. I
have set migrationStrategy to manual and it produced a .sql file to run.
We had some issues running it related to indices and tables and such
already existing, so we decided to run each statement line by line. This
got us past the "Database not up-to-date" error, but we're now seeing this
in the server.log, which causes the startup to fail. Does anyone have an
idea what the problem could be?
2017-02-07 17:16:50,380 ERROR [org.jboss.msc.service.fail] (ServerService
Thread Pool -- 55) MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./auth:
org.jboss.msc.service.StartException in service jboss.undertow.deployment.
default-server.default-host./auth: java.lang.RuntimeException:
RESTEASY003325: Failed to construct public org.keycloak.services.
resources.KeycloakApplication(javax.servlet.ServletContext,
org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.
run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct
public org.keycloak.services.resources.KeycloakApplication(
javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(
ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(
ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(
ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(
ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(
HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(
LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(
RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(
LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(
ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(
ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(
DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.
startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.
run(UndertowDeploymentService.java:82)
... 6 more
Caused by: javax.persistence.EntityNotFoundException: Unable to find
org.keycloak.models.jpa.entities.ClientEntity with id
asdfg123-123x-123e-1xx1-sdkasdjf7123
at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImp
l$JpaEntityNotFoundDelegate.handleEntityNotFound(
EntityManagerFactoryBuilderImpl.java:144)
at org.hibernate.proxy.AbstractLazyInitializer.checkTargetState(
AbstractLazyInitializer.java:242)
at org.hibernate.proxy.AbstractLazyInitializer.initialize(
AbstractLazyInitializer.java:159)
at org.hibernate.proxy.AbstractLazyInitializer.getImplementation(
AbstractLazyInitializer.java:266)
at org.hibernate.proxy.pojo.javassist.JavassistLazyInitializer.invoke(
JavassistLazyInitializer.java:68)
at org.keycloak.models.jpa.entities.ClientEntity_$$_jvst1c4_8.getRealm(
ClientEntity_$$_jvst1c4_8.java)
at org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(
RealmAdapter.java:1234)
at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(
CachedRealm.java:241)
at org.keycloak.models.cache.infinispan.RealmCacheSession.
getRealm(RealmCacheSession.java:379)
at org.keycloak.migration.migrators.MigrateTo1_9_0.
migrate(MigrateTo1_9_0.java:45)
at org.keycloak.migration.MigrationModelManager.migrate(
MigrationModelManager.java:74)
at org.keycloak.services.resources.KeycloakApplication.migrateModel(
KeycloakApplication.java:221)
at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(
KeycloakApplication.java:162)
at org.keycloak.services.resources.KeycloakApplication$
1.run(KeycloakApplication.java:121)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(
KeycloakModelUtils.java:295)
at org.keycloak.services.resources.KeycloakApplication.
<init>(KeycloakApplication.java:112)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(
NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(
ConstructorInjectorImpl.java:150)
... 19 more
External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining KeyCloak (it looks like it can do what we want), but we have the need for an external lookup of accounts that are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, and from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis