SAML Identity Broker - First Login/Browser Flow - Password
by lason
Hi guys,
I am currently trying to implement the following SAML broker flow with KC
3.0.1.Final:
Assumption: User not known
User goes to App
User is redirected to KC
User is redirected to SAML IDP and is authenticated there with smartcard
User is redirected back to App
In KC user was created and the assertion attributes were mapped
Now user logs out
User goes to App
User is redirected to KC
User is redirected to SAML IDP and is authenticated there with smartcard
But now KC says invalid username or password
How can it be done that, on the second IDP brokering, the user is redirected
to the app without any password check, using the already existing KC user
info on username match (maybe updating the mapping beforehand in case SAML
attributes changed)?
thanks
regards
lason
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-Identity-Broker-First-Login...
Sent from the keycloak-user mailing list archive at Nabble.com.
7 years, 4 months
domain-extension example fails to deploy
by Matt Evans
We're trying to build an SPI to extend the database model and have been having issues, so I thought I'd try the domain-extension example that we based our SPI on, just to make sure it's our code that's the problem. It seems that it's not, unless we're doing something else wrong! :)
I cloned the source code and checked out the 3.2.1.Final tag, and built the whole project, to get the examples built. (I tried to 'mvn clean install' the examples folder in the distribution but it fails because it can't find the parent projects).
I've just downloaded and extracted 3.2.1.Final distribution, I then copied the `domain-extension-example.jar` from the source code to the `<distribution>\standalone\deployments` folder and then ran `bin\standalone.bat`.
It fails with the same issue that we are experiencing in our SPI. I'm now struggling to work out why it's doing that; can anyone suggest what I'm doing wrong?
Thanks!
This is the log:
16:54:45,751 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: javax.persistence.PersistenceException: [PersistenceUnit: keycloak-default] Unable to build Hibernate SessionFactory
at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.persistenceException(EntityManagerFactoryBuilderImpl.java:954)
at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:882)
at org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:201)
at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:544)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:130)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:78)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:56)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:163)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:163)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:181)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getMigrationModel(RealmCacheSession.java:174)
at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:70)
at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:243)
at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:184)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:134)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
... 19 more
Caused by: org.hibernate.MappingException: Could not get constructor for org.hibernate.persister.entity.SingleTableEntityPersister
at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:123)
at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:77)
at org.hibernate.internal.SessionFactoryImpl.<init>(SessionFactoryImpl.java:346)
at org.hibernate.boot.internal.SessionFactoryBuilderImpl.build(SessionFactoryBuilderImpl.java:444)
at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:879)
... 42 more
Caused by: org.hibernate.HibernateException: Unable to instantiate default tuplizer [org.hibernate.tuple.entity.PojoEntityTuplizer]
at org.hibernate.tuple.entity.EntityTuplizerFactory.constructTuplizer(EntityTuplizerFactory.java:91)
at org.hibernate.tuple.entity.EntityTuplizerFactory.constructDefaultTuplizer(EntityTuplizerFactory.java:116)
at org.hibernate.tuple.entity.EntityMetamodel.<init>(EntityMetamodel.java:388)
at org.hibernate.persister.entity.AbstractEntityPersister.<init>(AbstractEntityPersister.java:509)
at org.hibernate.persister.entity.SingleTableEntityPersister.<init>(SingleTableEntityPersister.java:124)
at sun.reflect.GeneratedConstructorAccessor98.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:96)
... 46 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedConstructorAccessor99.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.hibernate.tuple.entity.EntityTuplizerFactory.constructTuplizer(EntityTuplizerFactory.java:88)
... 54 more
Caused by: java.lang.RuntimeException: by java.lang.NoClassDefFoundError: org/hibernate/proxy/HibernateProxy
at javassist.util.proxy.ProxyFactory.createClass3(ProxyFactory.java:515)
at javassist.util.proxy.ProxyFactory.createClass2(ProxyFactory.java:492)
at javassist.util.proxy.ProxyFactory.createClass1(ProxyFactory.java:428)
at javassist.util.proxy.ProxyFactory.createClass(ProxyFactory.java:400)
at org.hibernate.proxy.pojo.javassist.JavassistProxyFactory.postInstantiate(JavassistProxyFactory.java:72)
at org.hibernate.tuple.entity.PojoEntityTuplizer.buildProxyFactory(PojoEntityTuplizer.java:177)
at org.hibernate.tuple.entity.AbstractEntityTuplizer.<init>(AbstractEntityTuplizer.java:157)
at org.hibernate.tuple.entity.PojoEntityTuplizer.<init>(PojoEntityTuplizer.java:63)
... 58 more
Caused by: javassist.CannotCompileException: by java.lang.NoClassDefFoundError: org/hibernate/proxy/HibernateProxy
at javassist.util.proxy.FactoryHelper.toClass(FactoryHelper.java:170)
at javassist.util.proxy.ProxyFactory.createClass3(ProxyFactory.java:507)
... 65 more
Caused by: java.lang.NoClassDefFoundError: org/hibernate/proxy/HibernateProxy
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
at sun.reflect.GeneratedMethodAccessor314.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javassist.util.proxy.FactoryHelper.toClass2(FactoryHelper.java:182)
at javassist.util.proxy.FactoryHelper.toClass(FactoryHelper.java:164)
... 66 more
Caused by: java.lang.ClassNotFoundException: org.hibernate.proxy.HibernateProxy from [Module "deployment.domain-extension-example.jar:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
... 73 more
7 years, 4 months
Importing Realms with Fixed keys
by John D. Ament
Hi,
I recently found out about the ability to import a realm on start up,
using keycloak.import. This works well, however I'm trying to use it to
fully automate a build end to end.
One of the hiccups I'm running into is that it seems I need to know about
the realm-public-key attribute. When I don't set this, I get 401s. When
I do set it and everything lines up, I'm able to authenticate
successfully. The problem is that I can't seem to set the public
key/private key, they can only be generated. This doesn't work if I'm
relying on a keycloak.json file.
So I guess first, why is realm-public-key required? If it is required, is
there a way to import a realm with the key already set? The
publicKey/privateKey attributes seem to be ignored in Keycloak 3.2.
John
7 years, 4 months
scripts or API to query attributes from an external SQL database, but don't keep them in Keycloak?
by Weijun Gao
Hi,
We have a SQL database with user groups but the database cannot be used
for authentication (no passwords). We want to authenticate users using
AD / LDAP, but get a user's group information from the SQL database
after authentication for authorization purposes (or sending to clients
as custom attributes) without saving these attributes / group info in
Keycloak:
1) authenticate using AD / LDAP
2) query user group info from the SQL database
3) authorize / send as custom attributes
There are many user groups in the SQL database, so we don't want to
maintain them in AD.
Can someone please shed some light on this? Methods / examples /
documentation? We are kind of new to Keycloak.
Thanks and regards,
Weijun
7 years, 4 months
Is there a way to use an OIDC IdP without any backchannel communication involved (like SAML 2.0 Web Browser SSO with HTTP-Post Binding)
by May Marcus, Bedag
Hi,
I'm looking into using Keycloak as a Broker in my SAAS platform to federate with foreign IdPs which aren't in my control.
So my scenario is that:
1. Customer navigates to his SP in my SAAS platform
2. SP redirects him to my Keycloak in my SAAS platform
3. Customer chooses to log in with his IdP
4. Keycloak redirects Customer to the login page of his IdP
5. Customer accomplishes login to his IdP
6. IdP redirects the Customer to my Keycloak
7. My Keycloak provisions the user
8. My Keycloak redirects the user to his SP in my SAAS platform
9. SP accepts the login
For a proof of concept I tried to implement this scenario with two Keycloak instances, which aren't and shouldn't be able to communicate with each other. The only thing that should communicate with both Keycloak instances is the user agent, because I don't want the hassle of having to establish, for example, a two-way SSL connection between my SAAS Keycloak and the foreign IdP.
My first attempt was using OpenID Connect, but then my SAAS Keycloak tried to get an access_token from the other Keycloak in step 7. That didn't work (as I expected and intended). So my question is: Is there a way to use an OIDC IdP without any backchannel communication involved?
My second attempt was using SAML 2.0 Web Browser SSO with HTTP-Post Binding. That did work fine.
Best regards
Marcus
7 years, 4 months
Facebook "picture" / additional scopes access
by Scott Dunbar
Hi all,
I've not dealt with a Facebook integration in a while and am ultimately
trying to get the "picture" attribute of a Facebook user. However, while I
see the code in
https://github.com/keycloak/keycloak/blob/2aa93d7d55869e3d262bef198e1059f...
that asks for some fields, it is unclear how I add "picture" via the admin
console in "Identity Providers -> Facebook -> Default Scopes". If I put
the word "picture" in "Default Scopes" I get an error from Facebook:
"Unsupported scope: 'picture'. Supported scopes: ads_management ads_read
email offline_access user_friends"
I've tried "public_profile" and, while it doesn't give an error, it does
not return what I'm looking for:
2017-07-25 20:06:27,595 DEBUG [org.keycloak.social.user_profile_dump]
(default task-84) User Profile JSON Data for provider facebook:
{"id":"1234567890","name":"Scott
Dunbar","first_name":"Scott","last_name":"Dunbar"}
I'm obviously missing something - how do I add some "scopes" to what is
requested from Facebook?
Thanks for any help. I'll be doing the same for at least the Google
adapter next - any hints there?
--
Scott Dunbar
7 years, 4 months
/introspect always returns {"active":false}
by Alexander Chriztopher
Hi all,
Any idea about this point? We always get {"active":false} when we call
the API to make an introspection of whether the access_token is valid or not.
Are there any params to tweak in the console to activate this service?
These are the logs we get in Keycloak, where everything seems to work
nicely although I don't have all the details of what's going on:
2017-07-26 16:57:55,679 DEBUG [io.undertow.request.security] (default
task-14) Attempting to authenticate HttpServerExchange{ POST
/auth/realms/REALM/protocol/openid-connect/token/introspect request
{Accept=[*/*], Content-Type=[application/x-www-form-urlencoded ],
User-Agent=[curl/7.51.0], Authorization=[Basic
ZW1wLW51bS1sb2dpbi1jbGllbnQ6NzVjOWQ4ODMtNGY2YS00ZWMxLWEzZGQtNDU0YjE1ZjNlZDIx],
X-Forwarded-Proto=[https], X-Forwarded-Port=[443], Content-Length=[968],
Content-Type=[application/x-www-form-urlencoded], Host=[host.com]} response
{X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7]}}, authentication
required: false
2017-07-26 16:57:55,679 DEBUG [io.undertow.request.security] (default
task-14) Authentication outcome was NOT_ATTEMPTED with method
io.undertow.security.impl.CachedAuthenticatedSessionMechanism@2724f346 for
HttpServerExchange{ POST
/auth/realms/REALM/protocol/openid-connect/token/introspect request
{Accept=[*/*], Content-Type=[application/x-www-form-urlencoded ],
User-Agent=[curl/7.51.0], Authorization=[Basic
ZW1wLW51bS1sb2dpbi1jbGllbnQ6NzVjOWQ4ODMtNGY2YS00ZWMxLWEzZGQtNDU0YjE1ZjNlZDIx],
X-Forwarded-Proto=[https], X-Forwarded-Port=[443], Content-Length=[968],
Content-Type=[application/x-www-form-urlencoded], Host=[host.com]} response
{X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7]}}
2017-07-26 16:57:55,679 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-14) new
JtaTransactionWrapper
2017-07-26 16:57:55,679 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-14) was
existing? false
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) RESTEASY002315: PathInfo:
/realms/REALM/protocol/openid-connect/token/introspect
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-14)
AUTHENTICATE CLIENT
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-14)
client authenticator: client-secret
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-14)
client authenticator SUCCESS: client-secret
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-14)
Client emp-num-login-client authenticated by client-secret
2017-07-26 16:57:55,680 DEBUG [org.keycloak.events] (default task-14)
type=INTROSPECT_TOKEN, realmId=REALM, clientId=emp-num-login-client,
userId=null, ipAddress=xx.xx.xx.xx, client_auth_method=client-secret
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-14)
JtaTransactionWrapper commit
2017-07-26 16:57:55,680 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-14)
JtaTransactionWrapper end
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) MessageBodyWriter:
org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) MessageBodyWriter:
org.jboss.resteasy.plugins.providers.ByteArrayProvider
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) Interceptor Context:
org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,
Method : proceed
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) InterceptorWriter:
org.jboss.resteasy.plugins.interceptors.encoding.GZIPEncodingInterceptor
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) Interceptor :
org.jboss.resteasy.plugins.interceptors.encoding.GZIPEncodingInterceptor,
Method : aroundWriteTo
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) Interceptor Context:
org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,
Method : proceed
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) InterceptorWriter:
org.jboss.resteasy.security.doseta.DigitalSigningInterceptor
2017-07-26 16:57:55,680 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) Interceptor Context:
org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,
Method : proceed
2017-07-26 16:57:55,681 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) MessageBodyWriter:
org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2017-07-26 16:57:55,681 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) MessageBodyWriter:
org.jboss.resteasy.plugins.providers.ByteArrayProvider
2017-07-26 16:57:55,681 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-14) Interceptor Context :
org.jboss.resteasy.core.interception.ServerWriterInterceptorContext, Method
: writeTo
Thanks for any help about this point.
7 years, 4 months
Re: [keycloak-user] Server 2016 ADFS won't accept descriptor
by Hynek Mlnarik
Just for info - I have just tried to set up AD FS 2012 according to the blog
post and there was no import error or anything reported, everything just
worked as it should. Did you manage to find out what was causing you the
issues?
--Hynek
On Fri, Jul 21, 2017 at 8:51 PM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
> In that case I don't think it is a Keycloak issue but rather an AD FS or
> setup issue. Reportedly, there are people using AD FS 2016 brokering (see
> [1]) so there must be something else in the way. I'm curious what that can
> be. Firewall? Not using https? Using IP addresses instead of domain names?
> Just guessing, I don't know, and will be glad if you find out and share.
>
> --Hynek
>
> [1] http://lists.jboss.org/pipermail/keycloak-user/2017-March/010138.html
>
> On Fri, Jul 21, 2017 at 4:25 PM, John Craft <John.Craft(a)geocent.com>
> wrote:
>
>> Yep, it reports as valid.
>>
>> This isn't supposed to be difficult.
>>
>> I entered the params manually, it seemed to take them. I'll know more
>> when I finish and try the brokered connection.
>>
>> Thanks.
>>
>> JC.
>>
>> ------------------------------
>> *From:* Hynek Mlnarik <hmlnarik(a)redhat.com>
>> *Sent:* Friday, July 21, 2017 8:00 AM
>> *To:* John Craft
>> *Subject:* Re: [keycloak-user] Server 2016 ADFS won't accept descriptor
>>
>> Have you tried the descriptor validation?
>>
>> On Fri, Jul 21, 2017 at 2:29 PM, John Craft <John.Craft(a)geocent.com>
>> wrote:
>>
>>> Sorry, I never get past the part in ADFS to set up the trust
>>> relationship. There is no event log as it never accepts the keycloak
>>> descriptor.
>>>
>>> John Craft
>>> Senior Software Engineer, GISP
>>> Geocent, LLC
>>> Cell : 601-299-1830
>>> Stennis Space Center MS
>>> www.geocent.com | John.Craft(a)Geocent.com
>>>
>>> On Jul 21, 2017, at 7:05 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>>>
>>> Thanks. I am afraid more details would be needed, those from Windows
>>> Event Viewer. Furthermore, the descriptor should pass "metadata" type of
>>> validation [1], you can try that. If the descriptor passes, there is not
>>> much to be done on Keycloak side.
>>>
>>> [1] https://www.samltool.com/validate_xml.php
>>>
>>> On Fri, Jul 21, 2017 at 1:43 PM, John Craft <John.Craft(a)geocent.com>
>>> wrote:
>>>
>>>>
>>>> What is the Keycloak version?
>>>>
>>>> 3.1.0.Final
>>>>
>>>> What is URL for "help docs" - AFAIK
>>>> there is only a blog post and no docs within Keycloak documentation.
>>>>
>>>> http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
>>>>
>>>> What error is reported by ADFS?
>>>>
>>>> Details of the error can usually be
>>>> found in Windows Event Viewer.
>>>> <pastedImage.png>
>>>>
>>>> --Hynek
>>>>
>>>> On Fri, Jul 21, 2017 at 3:28 AM, John Craft <John.Craft(a)geocent.com>
>>>> wrote:
>>>> > I've installed Windows Server 2016 with ADFS. When I try to create
>>>> the trust as per the Keycloak help docs, ADFS reports the descriptor as
>>>> malformed. Anybody had experience with this?
>>>> >
>>>> > John Craft
>>>> > Senior Software Engineer, GISP
>>>> > Geocent, LLC
>>>> > Cell : 601-299-1830
>>>> > Stennis Space Center MS
>>>> > www.geocent.com | John.Craft(a)Geocent.com
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user(a)lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>> --Hynek
>>>
>>> --
>>> --Hynek
>>
>> --
>> --Hynek
>
> --
> --Hynek
--
--Hynek
7 years, 4 months
Adding recaptcha to lost-password (credential reset) flow
by Geadah, Nicolas (VEC)
What would be the best way to add recaptcha to the lost-password (credential-reset) flow? It seems like a pretty basic requirement, since this flow would most likely be abused via scripting if it were left without a captcha.
The registration captcha FormAction (RegistrationRecaptcha class) seems like a good starting point, but I can't figure out how to get my own custom FormAction into the reset credentials flow.
Thanks!
7 years, 4 months