How to customize the timeout page?
by Pieter Lukasse
In Keycloak there is a nice option to set a custom "Theme" for the login
page. But is there also a way to customize the timeout page? Or to let the
timeout page redirect automatically to the login page?
Thanks,
Pieter
www.thehyve.nl
E pieter(a)thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse
We empower scientists by building on open source software
7 years, 3 months
Keycloak cross-dc standalone vs standalone-ha
by Vikrant Singh
Hi,
Recently there was a blog on cross dc support for keycloak
http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
We have done something similar to that, with one difference. In our
deployment we have Keycloak in standalone mode rather than standalone-ha.
All Keycloak instances are using the same DB. With this setup we are
successfully able to achieve HA both within the same DC and across DCs.
Is there any benefit of using standalone-ha over standalone, since all
clustering requirements will be handled by the external Infinispan server?
Thanks!
7 years, 3 months
Keycloak security proxy: Access token in cookie support
by Jonathan Lin
Hi all,
I have two clients, one for the API server (bearer-only), and another for front end (public), both in the same realm.
I have set up the Security Proxy that comes with Keycloak (http://www.keycloak.org/docs/3.3/server_installation/topics/proxy.html) with the following config. I am using Golang, hence I am unable to use an official adapter.
{
  "target-url": "http://localhost:9090",
  "send-access-token": false,
  "bind-address": "localhost",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "demo-realm",
        "resource": "api-server",
        "auth-server-url": "http://auth.server/auth",
        "ssl-required": "external",
        "enable-cors": true,
        "cors-allowed-methods": "GET,POST",
        "cors-allowed-headers": "Authorization",
        "disable-trust-manager": true,
        "bearer-only": true,
        "token-store": "cookie"
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": true
        },
        {
          "pattern": "/bar",
          "permit": true
        }
      ]
    }
  ]
}
This works fine with the Authorization: Bearer header, where the token was obtained by the front end public client. But I need authentication when using <img> or <object> src URL attributes as well. Hence I need to be able to send the access token via cookie. Putting "token-store": "cookie" doesn't seem to do anything for me.
Any pointers?
Thanks,
Jonathan
7 years, 3 months
Custom Account implementation and In-App Password changes
by Ilya Korol
Hi, is there any API for implementing a custom version of UserAccount? We
are going to create a separate User Account app for our users where they
could manage their data (names, telephones etc.), passwords and
company-specific settings. Almost all of the per-user management except OTP
could be implemented via calls to the Admin REST API, but it seems a little
hacky. So are there any suggestions or experience about creating a
substitute for the out-of-the-box Account app?
7 years, 3 months
SSO session timeout with OIDC client and SAML client?
by Peter K. Boucher
We have a realm with two clients, one is a Java web app with OIDC, and the
other is a 3rd-party app with SAML.
If a user navigates to the SAML app and works there for 30 minutes or more
(our realm's "SSO Session Idle" setting), then they get logged out of the
OIDC app (we think because once you get in and start using the SAML app, no
more authentications are requested and no refresh token requests are made).
Has anyone seen this? Is our theory correct? Do you know of a fix or
workaround?
Thanks!
Regards,
Peter Boucher
7 years, 3 months
Detect existing IdP session
by Adam Keily
Hi,
Forgive me if this is a dumb question. I'm just wondering if it's possible for Keycloak to detect that a user has already authenticated to a configured IdP before being presented the login page. E.g.
We have multiple IdPs configured in Keycloak: Facebook, Google, corporate ADFS. If they have an existing session, can that be detected? E.g.
1. User is already authenticated to ADFS
2. They attempt to access a KC protected application.
3. Instead of having to click the IDP link on the KC login screen to be redirected to ADFS and back again, they are instead just authenticated using their existing ADFS session.
I know about kc_idp_hint and default IdP, but this is more a case where a user might already be authenticated to one of multiple IdPs. Something like "Detected ADFS session. Continue as ADFS userA?". I guess if you've authed to more than one IdP it could be a problem.
Thanks
Adam
7 years, 3 months
Keycloak as an Identity Broker Encrypting SAML Assertions
by Jason Spittel
Hello,
I'm trying to integrate with InCommon federation, using Keycloak as an Identity Broker.
Workflow is JEE app <--> Keycloak Broker <--> InCommon IdP.
The problem is that InCommon requires SAML assertion encryption. As far as I can see, in the Keycloak IdP setup, I can only set signing for the document.
Looking at this SPSSODescriptor from Keycloak:
<EntityDescriptor entityID="ENTITY_ID_FOR_IDP">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>ASDFASDFASDF</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>qwerqwerqwer</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    ........
  </SPSSODescriptor>
</EntityDescriptor>
The KeyDescriptor is not for 'signing' and not for 'encrypting'. How do I set that flag?
Thanks,
Jason
7 years, 3 months
Keycloak SSO Nextcloud
by Rapp Loïc
Hi!
I've tried to connect Keycloak to Nextcloud with the user_saml plugin.
Has someone already done that? Because I've already done it with LemonLDAP::NG (a French SSO server), and it's working, but not with Keycloak.
Thanks a lot!
Rapp Loïc
Technical Department
Network Technician
Direct line: +33 (0)3 69 22 67 18
--
Let's save paper.
Print this email only if necessary.
7 years, 3 months
Multi attribute authorization check
by Nathan Hoult
I have a use case where I need to check if a (user)+(company) is authorized
for a client resource.
Example:
user + companyA = resourceA granted
user + companyB = resourceA denied
The user may have multiple browser sessions logged into the same client so
I can't just set a KC user attribute "company=companyA". The service will
know, based on cookie or something, what the company ID is and can pass
that information to KC which can then return if that resource is authorized.
I tried:
1) Scope per company: I got close but it seemed to be the wrong use of
scope. I ran into some issues but if this was the way to do it I can look
at it again.
2) Realm per company: then the user would have multiple accounts, clients
would have to trust multiple realms, adding/removing companies would require
a realm setup, and any client resource changes would require an update in
each realm. There is also the problem that a resource being controlled by
multiple authorization servers seems wrong (
https://github.com/pingidentity/mod_auth_openidc/issues/199).
I have thought about a hybrid approach but didn't think it was the right
way to do it even if it worked: 1 client realm with all users and clients;
that realm trusts multiple per-company realms; then a user logs into a
company realm that the client converts to the client realm, but puts in the
token which realm the user came from.
I could write my own service, let the applications deal with their own
resource permissions, or make a KC plugin that does what I want, but if KC
can't do it by default does anyone know of another AuthZ implementation
that could?
I could be thinking about the problem all wrong to begin with so any input
is appreciated.
Thanks,
- Nathan
7 years, 3 months