Can KeyCloak support Multi-lateral SAML federation?
by Chris Phillips
Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information:
To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor, which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome.
Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips(a)canarie.ca | GPG: 0x7F6245580380811D
6 years, 3 months
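The "load all the entities" step of the refresh procedure described in the post above, as an added example that is not Keycloak code and not from the original message. It parses a constructed EntitiesDescriptor aggregate, refuses unsigned or expired aggregates, and classifies every EntityDescriptor (including those in nested EntitiesDescriptor groups) as IdP and/or SP; the signature verification step is assumed to be done by an XML-DSig library such as xmlsec before this code runs, and a real download should be parsed with defusedxml since it is untrusted input until then.

```python
# Added example (not Keycloak code): the load-entities step of a federation
# metadata refresh, run over a constructed EntitiesDescriptor aggregate.
# Signature verification is assumed to happen first with an XML-DSig library
# (e.g. xmlsec); here we only refuse unsigned/expired aggregates and classify.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s"
    Name="urn:example:federation" validUntil="2018-10-10T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:subfederation">
    <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://both.example.net/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>""" % (MD, DS)

def parse_utc(stamp):
    # validUntil uses xs:dateTime in UTC with a 'Z' suffix.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_aggregate(xml_text, now):
    """Return ({entityID: IdP element}, {entityID: SP element}) or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % MD:
        raise ValueError("top-level element is not an EntitiesDescriptor")
    if root.find("{%s}Signature" % DS) is None:
        raise ValueError("aggregate is unsigned; refusing to load it")
    # validUntil bounds how long a cached copy may be trusted; honour it.
    valid_until = root.get("validUntil")
    if valid_until and now >= parse_utc(valid_until):
        raise ValueError("aggregate expired at " + valid_until)
    idps, sps = {}, {}
    # iter() walks nested EntitiesDescriptor groups as well as the top level.
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        entity_id = ed.get("entityID")
        if ed.find("{%s}IDPSSODescriptor" % MD) is not None:
            idps[entity_id] = ed
        if ed.find("{%s}SPSSODescriptor" % MD) is not None:
            sps[entity_id] = ed
    return idps, sps
```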
SAML RSAKeyValue causing error
by Dean Peterson
I am having trouble using Keycloak as the external provider to our WebSphere application. I received the following response from IBM support:
I discussed the issue with our SAML SSO SME. He found that the SAML token, besides X509Certificate, also contains RSAKeyValue (<dsig:RSAKeyValue>).
This document states:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websp...
RSAKeyValue is supported for the KeyInfo element in a Signature. However,
the X.509 certificate is not available when using RSAKeyValue. When the
X.509 certificate is not available to the runtime, the signer of the SAML
Assertion cannot be checked against a truststore. If you want to receive
SAML Assertions that use RSAKeyValue you cannot configure the runtime to
use a truststore.
Can you configure the IdP so that it only sends the X509 certificate, not RSAKey?
Is it possible to remove the RSAKeyValue from the saml token and still send
just the certificate?
6 years, 3 months
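A relying-party check that matches the IBM note above, as an added example that is not Keycloak or WebSphere code and not from the original thread: it resolves the signer from ds:KeyInfo, accepts an X509Certificate only if its fingerprint is in a truststore, and rejects a KeyInfo that carries only RSAKeyValue. The assertion fragments and the "certificate" bytes are constructed placeholders.

```python
# Added example (not Keycloak or WebSphere code): resolving the signer of a
# SAML assertion from ds:KeyInfo against a truststore. The assertion skeleton
# and CERT_DER are constructed placeholders, not real material.
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SA = "urn:oasis:names:tc:SAML:2.0:assertion"
CERT_DER = b"constructed placeholder, not a real DER certificate"
CERT_B64 = base64.b64encode(CERT_DER).decode()
RSA_KEY_VALUE = ('<dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>AQAB</dsig:Modulus>'
                 '<dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue>')
X509_DATA = ('<dsig:X509Data><dsig:X509Certificate>%s</dsig:X509Certificate>'
             '</dsig:X509Data>' % CERT_B64)

def assertion_with(keyinfo_body):
    """Wrap a KeyInfo body in a minimal signed-assertion skeleton."""
    return ('<saml:Assertion xmlns:saml="%s" xmlns:dsig="%s"><dsig:Signature>'
            '<dsig:KeyInfo>%s</dsig:KeyInfo></dsig:Signature></saml:Assertion>'
            % (SA, DS, keyinfo_body))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

# Truststore: SHA-256 fingerprints of the IdP certificates we accept.
TRUSTSTORE = {fingerprint(CERT_DER)}

def resolve_signer(assertion_xml, truststore=TRUSTSTORE):
    """Return the trusted signer's fingerprint, or raise ValueError.

    A bare RSAKeyValue (modulus/exponent) cannot be matched against a
    truststore, so a signature made with it says nothing about who signed.
    """
    root = ET.fromstring(assertion_xml)
    keyinfo = root.find("{%s}Signature/{%s}KeyInfo" % (DS, DS))
    if keyinfo is None:
        raise ValueError("signature carries no KeyInfo")
    cert = keyinfo.find("{%s}X509Data/{%s}X509Certificate" % (DS, DS))
    if cert is None:
        if keyinfo.find("{%s}KeyValue/{%s}RSAKeyValue" % (DS, DS)) is not None:
            raise ValueError("KeyInfo has only RSAKeyValue; signer cannot be verified")
        raise ValueError("KeyInfo has no usable key material")
    fp = fingerprint(base64.b64decode("".join(cert.text.split())))
    if fp not in truststore:
        raise ValueError("signer certificate is not in the truststore")
    return fp
```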
How to bind keycloak context to jsf session
by Andreas Lau
Hello,
Can somebody please explain how I can integrate Keycloak into a JSF application?
I am using the WildFly adapter and I configured the login-config of the web.xml to use Keycloak. Everything works fine. But now I'd like to access the access token and further get the ID token inside the SessionContext of some beans.
Ideally I would like to bind the information to the session. So if the user logs out, the Keycloak session also gets closed, and if he logs in, the user info is provided.
I found a project in the keycloak examples
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
which seems to fill a User object at the beginning of the ServletContext and seems to do a logout in Keycloak when it is destroyed.
I would like to know if this is a proper way to provide the user information in the secured area of the application. I am not quite sure, because the logout technically does not mean that the ServletContext gets destroyed, right?
I'm a bit confused, hopefully somebody can provide some help.
Thanks in advance.
6 years, 3 months
Keycloak Docker Quickstart
by Piergiorgio Lucidi
Hi,
I have just published a first version of a generic Keycloak SDK based on Docker, fully managed by Maven. I would like to understand if this first work can be useful for current Keycloak development.
I'm also interested to know if there are developers interested in contributing to this project.
Article link:
https://www.open4dev.com/journal/2018/9/25/introducing-the-keycloak-docke...
Github:
https://github.com/OpenPj/keycloak-docker-quickstart
I'm wondering if this project can be improved as a Maven Archetype with dynamic parameters for generating components only if needed by developers. I mean, without having all the Maven modules for components that you don't need to extend or create.
Please let me know what you think and how this project can be extended to
become more helpful for the overall community.
Thank you and hope this helps.
Cheers,
PJ
--
Piergiorgio Lucidi
https://www.open4dev.com
6 years, 3 months
Problem with "clear_table_on_view_change" JDBC property on 4.4.0 and 4.5.0
by Mike Wakim
Hello,
We utilize Keycloak with MariaDB. Recently, we have tried working with Keycloak 4.4.0 (and 4.5.0), and we started seeing a new issue related to JGroups. It seems that Keycloak is not able to recognize the "clear_table_on_view_change" JDBC parameter that we pass, which is related to discovery.
This is the error message that we are seeing:
2018-10-01 22:41:31,013 ERROR [org.jboss.msc.service.fail] (ServerService
> Thread Pool -- 50) MSC000001: Failed to start service
> org.wildfly.clustering.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service
> org.wildfly.clustering.jgroups.channel.ee:
> java.lang.IllegalArgumentException:
> java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> at
> org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:100)
> at
> org.wildfly.clustering.service.AsynchronousServiceBuilder.lambda$start$0(AsynchronousServiceBuilder.java:99)
> at
> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at
> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.lang.Thread.run(Thread.java:748)
> at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.IllegalArgumentException:
> java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> at
> org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:119)
> at
> org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:102)
> at
> org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:98)
> ... 7 more
> Caused by: java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> at
> org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:852)
> at
> org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:114)
> ... 9 more
> Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING
> properties: [clear_table_on_view_change]
> at org.jgroups.stack.Protocol.setProperties(Protocol.java:144)
> at
> org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.lambda$createProtocol$0(AbstractProtocolConfigurationBuilder.java:108)
> at
> org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:850)
> ... 10 more
>
> 2018-10-01 22:41:31,024 ERROR
> [org.jboss.as.controller.management-operation] (Controller Boot Thread)
> WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "jgroups"),
> ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"
> org.wildfly.clustering.jgroups.channel.ee" =>
> "java.lang.IllegalArgumentException:
> java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> Caused by: java.lang.IllegalArgumentException:
> java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> Caused by: java.security.PrivilegedActionException:
> java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties:
> [clear_table_on_view_change]
> Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING
> properties: [clear_table_on_view_change]"}}
>
>
This error does not happen when we use Keycloak 4.2.1. Our configuration in
standalone-ha.xml for the tcp stack is the following:
> <stack name="tcp">
> <transport type="TCP" socket-binding="jgroups-tcp"/>
> <protocol type="org.jgroups.protocols.JDBC_PING">
> <property name="datasource_jndi_name">
> java:jboss/datasources/KeycloakDS
> </property>
> <property name="break_on_coord_rsp">
> true
> </property>
> <property name="clear_table_on_view_change">
> true
> </property>
> </protocol>
> <protocol type="MERGE3"/>
> <protocol type="FD_SOCK"
> socket-binding="jgroups-tcp-fd"/>
> <protocol type="FD"/>
> <protocol type="VERIFY_SUSPECT"/>
> <protocol type="pbcast.NAKACK2"/>
> <protocol type="UNICAST3"/>
> <protocol type="pbcast.STABLE"/>
> <protocol type="pbcast.GMS">
> <property name="max_join_attempts">
> 5
> </property>
> </protocol>
> <protocol type="MFC"/>
> <protocol type="FRAG2"/>
> </stack>
>
And we are using JDBC driver version 2.2.6. It seems that the clear_table_on_view_change property was removed from JGroups without any documentation / explanation. Has anybody faced a similar issue? Any thoughts on how to fix this?
Thanks,
Mike
6 years, 3 months
Disable strict-transport-security header on /auth url
by Tungatkar, Niranjan
I have a non-homogeneous set of services (https and http) which use keycloak for authentication.
My Keycloak instance supports SSL, but other services are HTTP.
I have an admin user who accesses the https://keycloak-url:31443/auth URL for user management.
I disabled the strict transport security header on all the realms, which stops the strict-transport-security header from being sent and thus prevents redirection to HTTPS.
But my problem is whenever the admin user hits the /auth url it sends strict-transport-security header which messes up my angular app.
Is there a way I can configure the response of /auth or the welcome page to stop sending the strict-transport-security header?
Thanks
Niranjan.
6 years, 3 months
slow role search
by Gideon Caranzo
Hi,
I'm running Keycloak with 1700 realms, and API calls like getting a realm now take a lot of time. I profiled it and found that role checking is causing the issue, particularly *KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set<String> visited)*.
I'm using a user with the "admin" role to call the get realm API. And since I have 1700 realms, the "admin" role now has about 30K composite roles under it. The line below from KeycloakModelUtils.searchFor() will load all 30K composite roles, causing the slowdown.
*Set<RoleModel> compositeRoles = composite.getComposites();*
Is there a way to avoid this issue? Or is it possible to fix the code such that it does a database query instead of searching in memory to check if the role exists?
Thank you,
Gideon
6 years, 3 months
Wrong error message while IDP integration
by Karol Buler
Hi,
I am testing Identity Brokering, so I tried to run two Keycloak instances in version 4.5.0.Final: MAIN and SECOND. SECOND is an Identity Provider for the MAIN instance. Everything is fine since redirecting from SECOND. In the GUI of the MAIN instance I am getting:
We're sorry...
An error occurred, please login again through your application.
In logs of MAIN:
10:36:11,122 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code
Which is wrong, because after enabling DEBUG in WildFly (MAIN) I found that the code is successfully converted into an access_token with the SECOND instance in the request:
POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1
SECOND doesn't log anything.
What is interesting and may be helpful: a few lines before the WARN/error:
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,120 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.<hostname>
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,121 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.<hostname>
10:36:11,122 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,122 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,122 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.<hostname>
10:36:11,122 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-1) Authentication session not found. Trying to restart from cookie.
10:36:11,122 DEBUG [org.keycloak.protocol.RestartLoginCookie] (default task-1) KC_RESTART cookie doesn't exist
Best regards,
Karol
6 years, 3 months
Keycloak to authorise my REST API from admin console
by Matthew Torres
Good day!
I'm not sure if I am understanding the usage correctly for Keycloak's authorisation functionality or not.
Suppose I have an Express REST API with thousands of routes and the users are authenticated using Keycloak. After grouping the routes and mapping them to the correct roles, I created a *Resource* in the Keycloak admin dashboard. After creating the resources and defining a URI related to my routes in the field, will it automatically protect my routes when a user accesses them? Or do I need to explicitly assign the role in the middleware of my Express app? Now I know that the latter will work, but I was wondering, since I specified the URI in the resource already, will it not protect my routes?
Example:
If I have a resource called *ManageResource* with URIs *\/profile*, *\/create*, etc. mapped with a role-based permission of *HR*, and a user named George having the role *janitor* accesses the route using a token, without explicitly defining the roles in the Express app, will it deny George access to the resource?
I know the answer is no, but is there a way for me to protect my routes using only the Keycloak admin dashboard?
*Sincerely,*
*Matthew Aldrin S. Torres*
6 years, 3 months