Is there a form/basic fallback option for Keycloak SAML adaptor for Tomcat?
by ken edward
Hello,
Looking at the Keycloak SAML adaptor for Tomcat I see that it seems to
say the login authentication parameters from the web.xml are "ignored"
(can't say SPNEGO, BASIC). Is there any way to implement FORM based
authentication fallback for the Keycloak SAML Adaptor?
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>
https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java...
Can something like this be done:
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
Ken
7 years, 7 months
Activate only features needed using cluster
by Fabien SINTES
Hello,
I need to design a secure infrastructure with many zones (vlan, fw filtering...). Is it possible to separate these roles:
- URI for token delivery, authentication (OpenID Connect, OAuth)
- internal user database (or is it possible only if an external LDAP server is used?)
- Admin UI
- Admin REST API
These different servers would be in a cluster (sync allowed by filtering between zones).
I have understood it is possible to configure "localhost" for these services, but is it possible to disable it? And have all these roles working fine in a cluster?
Thank you.
Fabien.
7 years, 7 months
Default Realm Roles Not Set When role-ldap-mapper is configured for AD
by Adrian Matei
Hi everyone,
When I configure an LDAP Role Mapper for Active Directory the Default Roles
of the Realm are not set anymore when a user registers himself or if I
create one via the Keycloak Admin Console.
Configuration:
Mapper type: role-ldap-mapper
LDAP Roles DN: subtree in AD
Role LDAP Attribute: cn
Role Object Classes: group
Membership LDAP Attribute: member
Membership Attribute Type: DN
Membership User LDAP Attribute: uid
Mode: LDAP_ONLY
User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute
Use Realm Roles Mapping: ON
Does anyone have a solution, or should I create a Jira Issue for that?
Best regards,
Adrian
7 years, 7 months
Log as a group feature
by Fabien SINTES
Hello,
I'm looking for an IAM SSO system with the following feature; I'm just learning about OpenID Connect...:
I need to allow a user to "log in as a group" and inform the client (remote web site).
It seems not possible with Keycloak, but I would be happy to find a solution (other IAMs allow this feature, but I would prefer Red Hat support).
I think I could add information in the JSON token which would mean "I am fabien, I am a member of these groups and I want you to identify me as FinancialGroup". With JSON information like user:fabien, impersonation:FinancialGroup....
The client (remote web site) would read the JSON information and would authenticate the user fabien, but using his group to identify the user for different internal actions.
Do you think it is something possible and a good practice?!
In this case, it is also needed to customize the login page to permit the user to choose this option "user:..., pwd..., login as...". And the combo box for "login as" should list the user's available groups. Is it possible?
Sorry for my English...
Thank you very much.
Fabien
7 years, 7 months
Login a Java Fat Client with Windows Kerberos Token against Keycloak backed by AD?
by Malte Finsterwalder
Hi,
I have the following setup:
I'm programming a Java Fat Client application. I want to integrate it into
SSO with Keycloak.
Our Keycloak is connected to our Windows Active Directory (AD).
So my idea is that my Fat Client uses the Windows 7 Kerberos Token and
sends that to Keycloak. Keycloak should authorize the token against the AD
and send back an authorization token to the Fat Client, so I can later use
this Keycloak token to access other REST services.
Fat Client (with Kerberos Token) -> Keycloak -> AD
Fat Client (with Keycloak Token) -> REST-Service
I can't find anything in the documentation regarding this scenario.
Is this possible? And if so, how?
Greetings,
Malte
7 years, 7 months
How to change link to verify-email in email template?
by Alex Berg
I have a proxy running which proxies "www.mydomain.com/auth/" to
"mykeycloakhost/auth/realms/MyApp/". I think it's less noisy for users of
my website.
In dev, when I have keycloak send a "verify email" action, the URI in the
email is "localhost:8080/auth/realms/MyApp/login-actions/
execute-actions?key=the-key"
How do I change this URI in the "verify email" email to be
"localhost:8080/auth/login-actions/execute-actions?key=the-key"?
I see it's calculated like:
UriInfo uriInfo = session.getContext().getUri();
UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(),
token.serialize(session, realm, uriInfo));
String link = builder.build(realm.getName()).toString();
- Source:
/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java#L139
<https://github.com/keycloak/keycloak/blob/70d7e07526546cd20d8cbbc6d055759...>
I'm not great at understanding Java and OO, so I can't figure out where
"session.getContext()" is defined.
How are other people solving this? Should I just remove the link variable
in the email template and use a hardcoded link?
7 years, 7 months
Java Admin client with signed JWT
by Denny Israel
Hi,
I am using the Java admin client to configure my Keycloak instance. At the
moment I use client secrets to authenticate against Keycloak but want to
use a signed JWT. I know how to enable the signed JWT auth in Keycloak and
how to pass a JWT via the authorization() method to KeycloakBuilder (at least I
think it would work ;-)).
Is there a convenient way to create such a token? What should such a token
contain?
The javadoc of KeycloakBuilder gives example usages of username/password
and client secret authentication but not of JWT authentications.
best regards
Denny
7 years, 7 months
Unable to set proxy on identity brokering (apache http client)
by Boutin Damien
Hello,
We are trying hard to configure our access to our IDP, using a proxy.
After a quick look in the source code, it looks like some changes have been done in the SimpleHttp class, used to access the token endpoint of the IDP, to use the Apache HTTP Client. (jira https://issues.jboss.org/browse/KEYCLOAK-2486)
Looking in the "org.keycloak.connections.httpclient.HttpClientBuilder" class, I don't see any configuration in RequestConfig that would allow using system properties, or an explicit proxy configuration.
Could you tell me if I'm looking in the wrong place or if I missed something?
Thanks in advance.
7 years, 7 months