group mapper per client
by Ronald Demneri
Hello everyone,
Please forgive me if this was already asked previously. After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if an account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
Thanks in advance,
Ronald
6 years, 2 months
Keycloak realm detection from email domain
by Scott Hezzell
Hi
I am building a multi-tenant mobile application that uses keycloak as an SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from the user's email domain and redirect to the appropriate authorisation endpoint for the realm. Has anyone faced a similar problem?
My thought at the moment is to build a proxy API that the mobile application redirects to, which prompts the user for their email address, looks up the configured tenant from the email domain and redirects to the appropriate realm's login page, passing the mobile app credentials it passes to the proxy API and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or suggest a better approach?
Thanks
Scott
6 years, 2 months
Realm resolution by username
by Ian Duffy
Hi all,
I'm using keycloak in a multi-tenant scenario where each tenant is a realm
and the clients are duplicated across them.
The username for each user is an email address of username(a)tenant.tld
Is there any way to use the @tenant.tld part of the email address as a
realm resolver and have all users access the system
via the same login page?
Thanks,
Ian.
6 years, 2 months
SaaS multi-tenant architecture with multi-step authentication process
by Olivier Rivat
Hi,
*1) introduction*
I have a multi-tenant architecture deployed with keycloak.
At first, to investigate multi-tenant architecture, I have followed what
is available within keycloak:
documentation
* https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
examples:
* https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
The same application is deployed in both tenants with
* http://localhost:8080/multitenant/tenant1 and login as
user-tenant1, password user-tenant1
* http://localhost:8080/multitenant/tenant2 and login as user-tenant2,
password user-tenant2
When you specify http://localhost:8080/multitenant/tenant1, you are
redirected to tenant1, and you need to authenticate.
*2) description of the problem*
The issue I am facing is that I have a customer client application
which can be redirected to several different realms.
The realm selection is based on the email address.
* user1(a)foo.com ---> should redirect to realm foo
* user2(a)bar.com ---> should redirect to realm bar
In fact, the email analysis should redirect to the correct realm (foo or
bar, or more).
Once I have the login screen of the corresponding realm, it is the same as
in /introduction/, where the user authenticates normally in his specific
tenant.
*3) Authentication workflow requirement*
In fact the authentication workflow process should be as follows:
*step 1*
* General welcome panel
* the user enters his email address
* based on the analysis of his email address, the user is
redirected to a specific authentication realm (foo or bar or more)
*step 2*
* The user enters his login/password in the realm login authentication screen
After analysis, it sounds like the keycloak authentication process
needs to be updated/modified with
1. adding an extra additional step (which is a general form asking
for email)
2. based on the email analysis, the corresponding tenant login
screen is presented to the tenant
3. the user authenticates to the tenant with his login/password.
*4) How to move forward*
For information, Azure and Atlassian already implement such a
redirection mechanism in SaaS multi-tenant architectures.
Keycloak documentation does not seem to mention such a possibility
to tailor "out of the box" the authentication workflow to our needs.
Could the mechanism described above be achieved by customizing the
authentication workflow by developing a specific authentication SPI
plugin which could handle both steps mentioned above?
Does this approach sound correct to you, or is it something to rule out?
Or would you advise another approach?
Thanks for your help.
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
6 years, 2 months
Configure EMail failed
by So Be
Hi,
as an administrator, I would like to receive notifications when users log into
Keycloak.
I tried to configure the email for the realm but I got
Logged in user does not have an e-mail.
Any idea about what is causing this?
Thank you.
6 years, 2 months
Realm resolution based on username (email address)
by Pedro Pedro
Hi.
I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier.
Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address).
How do I go about doing that?
Best regards, Pedro.
6 years, 2 months
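The realm-from-email-domain redirect that Scott, Ian, Olivier and Pedro describe above, written out as an added example (not code from any of the posters or from Keycloak itself). It assumes a constructed domain-to-realm table, a placeholder Keycloak host and client, and the `/auth/realms/{realm}/protocol/openid-connect/auth` authorization endpoint; it fails closed on unknown or malformed addresses and never derives the realm path segment from user input.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed tenant table (assumption): exact email domain -> realm name.
# The realm value, not the user-supplied domain, is what ends up in the URL.
TENANT_REALMS = {
    "foo.com": "foo",
    "bar.com": "bar",
}

# Placeholder deployment values (assumptions, not from the posts).
KEYCLOAK_BASE = "https://sso.example.test"
CLIENT_ID = "mobile-app"
REDIRECT_URI = "https://app.example.test/callback"


def realm_for_email(email: str) -> Optional[str]:
    """Resolve the tenant realm from an email address, or None if unknown.

    Only an exact, case-folded domain match counts, so "foo.com.attacker.test"
    or "foo.com@..." tricks do not land in the foo realm; there is no default
    realm, so unknown domains get no redirect at all.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not domain:
        return None
    return TENANT_REALMS.get(domain)


def login_redirect(email: str) -> Optional[str]:
    """Build the realm-specific authorization URL with the email as login_hint."""
    realm = realm_for_email(email)
    if realm is None:
        return None
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "login_hint": email,  # urlencode escapes it, so no query injection
    }
    return (f"{KEYCLOAK_BASE}/auth/realms/{realm}"
            f"/protocol/openid-connect/auth?{urlencode(params)}")
```

The proxy API would show an email form, call `login_redirect`, and answer with a 302 to the returned URL, or re-display the form when it returns None.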
setting up TLS(SSL) through the X509_CA_BUNDLE environment variable
by Meissa M'baye Sakho
hello everyone,
I'm using the jboss/keycloak:4.5.0.Final docker image.
I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment
variable as explained in the Jboss/keycloak docker image documentation.
I've mounted a volume to the image pointing to the cert file and defined
the env variable.
I'm running the image with the following command:
```sh
docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
  -e PROXY_ADDRESS_FORWARDING=true \
  -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
  -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
  -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
  -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
  -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
  jboss/keycloak:4.5.0.Final
```
When the container starts, I've checked that the cert has been correctly
mounted to the expected folder /var/run/secrets
But I see in the log that the certificate import fails (extract below):
```
Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore..
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
```
I've checked the script that handles the TLS import [1], but I'm not able
to guess why the import is failing.
The following extract is part of the script that is used by the image to
import the cert.
```sh
# Import existing system CA certificates into the newly generated truststore
local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
    echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
    keytool -importkeystore -noprompt \
        -srckeystore "${SYSTEM_CACERTS}" \
        -destkeystore "${JKS_TRUSTSTORE_PATH}" \
        -srcstoretype jks -deststoretype jks \
        -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
    # $? is keytool's exit status: 0 means the import succeeded, non-zero means it failed
    if [ "$?" -ne "0" ]; then
        echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
    else
        echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
    fi
fi
```
Any advice?
[1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
Meissa
6 years, 2 months
Add CA certificates for LDAPS ?
by Mathieu Poussin
Hello.
What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
- The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
- Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
This is the error I am getting:
```
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
	... 99 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 105 more
```
Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?
Connecting over plain LDAP is not an option as this prevents some features from working, like password reset.
Thanks.
6 years, 2 months
Account Page Fields
by Aaron Echols
Hello All,
How hard is it to modify or add fields that could be modified in the user's
account page? It would be nice to add a personal email field to be
able to send their password reset email to. Currently, they can only send
to their employee addresses, which if they forget their password, makes the
email a moot point. Thanks in advance for any ideas. :)
--
*Aaron Echols*
6 years, 2 months