Upgrading from Red Hat SSO 7.0 to Keycloak 3.1
by Marcelo Nardelli
Hi,
At work, we have an installation of Red Hat SSO 7.0 and we were going to
upgrade it to version 7.1. However, I was told that our Red Hat
subscription won't be renewed, so now we want to upgrade to the latest
Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported?
I've been trying to follow the instructions on the documentation (
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...),
but it's not working. Specifically, when I try to run the migration script
(after copying the old standalone.xml and the keycloak-server.json file)
jboss-cli.sh --file=migrate-standalone.cli
I get this error:
Cannot start embedded server: WFLYEMB0021: Cannot start embedded
process: Operation failed: WFLYSRV0056: Server boot has failed in an
unrecoverable manner; exiting. See previous messages for details.
I suppose the Keycloak version used in SSO 7.0 is too old and I will have
to do some manual work here, but I wanted to know if there is some specific
advice for this case...
Thanks,
Marcelo Nardelli
7 years, 4 months
keycloak - 2FA with sssd
by Ionut Culda
Hello
I have tried to configure keycloak for IPA users, which worked fine, but when I tried to enable two-factor authentication it is not working (it says that users are read-only). Any workarounds?
Thank you
7 years, 4 months
Export who has what access
by James Green
This is coming up from an ISO 27000 audit point - who exists and what do
they have access to, and can we verify this.
I see an export button but this does not include users or what they are
given.
Perhaps this could be done via the API somehow?
Thanks,
James
7 years, 4 months
extra password policy, interesting?
by lists
Hi,
Recently we were under attack from a botnet, trying out passwords for our
accounts, and we learned a lot from it. :-)
We learned the kinds of passwords and variations that were tried, and
how they were composed. Therefore, I would like to suggest an extra
password policy: a list of forbidden words (like an expression blacklist)
We noticed that the botnet actually took often-occurring words from our
website, and tried those for passwords, often adding things like: a
year, or a part (subdomain or domain) of our email addresses.
(username(a)subdomain.domain.com)
So, now we know what passwords are tried, but we have no way of
prohibiting those passwords/terms. We can only ask our users not to use
those words in their passwords.
If we could define blacklisted words, that would help (us) a lot.
(and perhaps others too?)
MJ
7 years, 4 months
Keycloak node cannot join cluster, initial state transfer timed out
by Matt Evans
We're running keycloak clustered with standalone-ha.xml, and it's been working fine.
We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.
Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:
org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx
Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?
What can I do to address this so that I can add the node back into the cluster?
I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!
Thanks
Matt
7 years, 4 months
Keycloak LDAP User Validation
by felix.straub@kaufland.com
Hello together,
I have the following issue:
I added LDAP/AD User federation to my keycloak server version 3.2.0.Final.
So far so good, everything is working: I can import all the users and then
can validate the users against the LDAP.
But the target is that no user gets imported to keycloak. That's working,
too. Just switched off the import button.
If I try to login now with my LDAP credentials an error comes up. The error
on the keycloak login page says: "Unexpected error when handling
authentication request to identity provider".
In the keycloak log it throws a "ReadOnlyException".
But if I look into the sessions there is an active session with the user I
tried to login.
Did I miss any settings so that keycloak can authenticate the user against
LDAP/AD without importing all the users?
Thank you for your help.
Kind regards
Felix Straub
+49 7132 94 920297
Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74172 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Register court: Stuttgart HRA 104163
7 years, 4 months
1 realm multiple ldap providers with username collisions
by Wim Vandenhaute
Hello list,
What would be the advisable way of handling the following use case:
1 application authn using keycloak with a realm with > 1 ldap configurations
But in 2 or more of those LDAPs there are equal usernames.
How can we for user1 make sure ldap1 is used and for user2 ldap2?
I.e. for example where we could provide a login form with the
username/password but with an additional dropdown that has the configured
ldap providers in it.
What would be the advisable way of handling such a situation?
Is there any support for this that I am missing?
Would having 2 realms be the only way to handle this right now?
p.s.
We are developing against keycloak 2.5.5 at the moment
Kind regards,
Wim.
7 years, 4 months
Service account user attributes
by Daniel Storey
Hello
I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper.
I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users.
I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative.
Kind regards
Dan
7 years, 4 months
Customize consent UI
by Remi CASSAM CHENAI
Hi,
I would like to customize the user consent screen when OIDC is used.
After the login screen, keycloak shows the user a consent screen containing resources (scopes) needed by the RP (client).
In this screen, the client is identified by its name (e.g. «My-app»), given in the admin console (configure/clients/settings/name).
I would like to identify the client in the consent screen by its redirect uri (e.g. «www.my-app.com/callback»). Or, even better, the main domain of the redirect uri (e.g. «www.my-app.com»).
I guess I need to change something in the theme directory but could you help me with that please?
Many thanks,
Rémi
7 years, 4 months
password policy | federation to AD
by mj
Hi,
REALM federated to active directory, with password requirements like:
- required 1 uppercase
- required 1 digit
- required 1 lowercase
- required 1 special character
- min 8 characters
- cannot contain username
- max age 180 days
Now, when I log on to keycloak, I am asked to change my password. Correct.
But when I provide a bad password like "123", I would expect keycloak to
say something like: "ERROR: this password does not meet the password
complexity requirements, please use ..." etc.
However, the only message I receive with a password like "xyz" is:
"Could not modify attribute for DN
[CN=username,CN=Users,DC=ad,DC=company,DC=com]"
So how is the user supposed to know what the configured password
requirements are..?
This is on keycloak 3.1.0 btw.
Advice?
MJ
7 years, 4 months
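As an added example (not from either post and not Keycloak's own policy code): a Python checker that combines the complexity rules listed in the post above with the forbidden-word list proposed in the earlier "extra password policy" thread, and reports every unmet requirement by name instead of a bare LDAP modify error. The word list, username and e-mail domain are constructed assumptions.

```python
import re

# Constructed sample policy (assumptions, not a real realm): the forbidden-word list the
# earlier post proposes plus the e-mail domain whose labels the botnet appended to guesses.
FORBIDDEN_WORDS = ["company", "welcome", "keycloak"]
EMAIL_DOMAIN = "subdomain.domain.com"

# Common substitutions, so that "C0mp@ny" still matches the forbidden word "company".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case, undo the substitutions above and drop everything but letters, so
    variants like 'Company2017!' or 'company_subdomain' collapse to plain words."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def forbidden_terms(username: str, email_domain: str, words) -> list:
    """Terms a password must not contain: the configured words, the username and the
    labels of the e-mail domain (labels of 3 characters or fewer, e.g. 'com', are
    skipped so that ordinary words like 'compute' are not rejected)."""
    labels = {label for label in email_domain.lower().split(".") if len(label) > 3}
    return sorted({w.lower() for w in words} | {username.lower()} | labels)


def check_password(password: str, username: str,
                   email_domain: str = EMAIL_DOMAIN, words=FORBIDDEN_WORDS) -> list:
    """Return the requirements the password fails (empty list means accepted), each one
    named so the user learns the rule rather than seeing an LDAP modify error."""
    errors = []
    if len(password) < 8:
        errors.append("at least 8 characters")
    if not re.search(r"[A-Z]", password):
        errors.append("at least 1 uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("at least 1 lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("at least 1 digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("at least 1 special character")
    norm = normalize(password)
    for term in forbidden_terms(username, email_domain, words):
        plain = normalize(term)
        if plain and plain in norm:
            errors.append(f"must not contain '{term}'")
    return errors
```

The "max age 180 days" rule is an expiry check on the stored credential, not on the new password itself, so it is left out here.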