Keycloak DB - field and table description
by Pavlos Kaimakis
Hi there,
I've been trying (unfortunately in vain) to find in the documentation some information regarding the database the keycloak tool is using.
More specifically, I am interested in finding:
a) a list of all the tables it contains along with a short description of what their purpose is and
b) what fields (columns) these tables have
Can anybody help me out with this or at least point me to a document outlining the above?
Thanks in advance
Pavlos
Pavlos Kaimakis
Systems Engineer
t: +30.2106930664
e: pkaimakis(a)omilia.com
w: www.omilia.com
Re: [keycloak-user] Multiple User Storage Providers
by Ryan Slominski
Hey Dominik,
Now I understand: the multiple user storage providers is for when you have multiple databases of **unique** usernames. In my case I have two databases and one is a subset of the other (100% duplicates) and there is a one-to-one match of usernames/email addresses. In other words the company has an LDAP database and the department has its own database with a subset of global users so we can enforce a separate unique password for some "special" systems. However, on the web either password should work. It sounds like the custom authenticator might be a good option. Would SPNEGO still work for either (the example doesn't show an API for dealing with that)?
Thanks,
Ryan
----- Original Message -----
From: "Dominik Guhr" <pinguwien(a)gmail.com>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, May 2, 2018 3:53:20 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers
Hi Ryan,
here are a few thoughts and suggestions from my side:
For a customer, I implemented a kc 3.4.3 custom user storage provider
for his "old" application db, together with 2 Kerberos-using ldap
providers which I added via admin page. This works very well so far. So
what exactly does not work with your providers and priority?! Why is
"only the first one used"? What you mention in 3. is the "normal" way
to go in Keycloak (*)
That said, there are several examples on github here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_... which are a
great starting point.
(*) Might have something to do with this:
In the scenario I mentioned, it's possible that the usernames are not as
unique as they should be. There's a john.doe in ldap1 and a john.doe in
ldap2, different companies etc..
So, Keycloak's "normal" flow is: look in provider 1 -> username matches?
great! Password matches? Nope! -> send error!
We had the requirement to use a multi-password approach, which was quite
easy to set up with a custom authenticator which does it like this:
look in provider 1 -> username matches? great! password matches? nope!
-> go over all the ldaps of the realm and search for same username ->
yep, there's one -> match pw -> ok, login!
Feel free to reach out if that might be the problem.
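The multi-password fallback Dominik describes above, written as a Keycloak custom authenticator: this is an added example, not Dominik's code or the Keycloak project's own. It assumes the Keycloak 3.4-era SPI (the `validatePassword` hook of `UsernamePasswordForm`, `UserStorageManager.getStorageProvider`, `getUserByUsername(String, RealmModel)`), a hypothetical package and class name, and a realm whose storage providers share one username namespace; the AuthenticatorFactory and META-INF/services registration are not shown.

```java
package org.example.keycloak; // hypothetical package; added example, assumes Keycloak 3.4-era SPI
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;
import javax.ws.rs.core.MultivaluedMap;

public class MultiProviderPasswordForm extends UsernamePasswordForm {
    @Override
    public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
                                    MultivaluedMap<String, String> inputData) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
        // Empty password, or an account locked by brute-force detection: hand over to the stock
        // form so the usual error is shown and the lockout is never bypassed by the fallback below.
        if (password == null || password.isEmpty() || (realm.isBruteForceProtected()
                && context.getProtector().isTemporarilyDisabled(session, realm, user))) {
            return super.validatePassword(context, user, inputData);
        }
        // Step 1: the normal check against the provider the user was resolved from.
        if (session.userCredentialManager().isValid(realm, user, UserCredentialModel.password(password))) {
            return true;
        }
        // Step 2: same username in every other user storage provider of the realm, password checked
        // there. Only sound when all providers share one username namespace (the same person).
        for (ComponentModel component : realm.getComponents(realm.getId(), UserStorageProvider.class.getName())) {
            if (component.getId().equals(user.getFederationLink())) continue; // already checked in step 1
            UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, component.getId());
            if (!(provider instanceof UserLookupProvider) || !(provider instanceof CredentialInputValidator)) continue;
            UserModel candidate = ((UserLookupProvider) provider).getUserByUsername(user.getUsername(), realm);
            CredentialInputValidator validator = (CredentialInputValidator) provider;
            if (candidate != null && validator.supportsCredentialType(UserCredentialModel.PASSWORD)
                    && validator.isValid(realm, candidate, UserCredentialModel.password(password))) {
                return true; // login proceeds as the user the flow already resolved
            }
        }
        // Nothing matched: the stock implementation records the failure (brute-force counter)
        // and renders the invalid-credentials challenge.
        return super.validatePassword(context, user, inputData);
    }
}
```

Bind the class in place of the stock Username Password Form step of the browser flow; failed attempts still count toward the realm's brute-force threshold because the final fallthrough delegates to the stock implementation.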
Re: [keycloak-user] Multiple User Storage Providers
by Ryan Slominski
Hi Marek,
I'm looking for comments and suggestions on integrating multiple Kerberos realms into a single Keycloak realm (SSO namespace). I initially overlooked the possibility of using identity provider brokering, but I'm not 100% sure that's the best option. Here is a summary of ways I've discovered so far:
1. Use identity provider brokering. However, automatically linking accounts without prompting users to authenticate is not supported (https://issues.jboss.org/browse/KEYCLOAK-7270). This kind of defeats the purpose as users end up having to provide both credentials to create the link and login.
2. Create a new custom user storage provider. Looks very complicated and fragile. Any examples of this to look at? Would this even work with SPNEGO for either or only for one?
3. Figure out what the heck configuring a Keycloak realm with multiple user storage providers and ordering them is supposed to do. Still very confused as to why you can configure it. If Keycloak tried one and then tried the next if the first failed that would be great (account lockout from incorrect password count threshold would need to be set high on first one, but probably fine).
4. Use client-side multi-tenancy. Each client can choose which Keycloak realm to authenticate to. Each Keycloak realm has a different Kerberos realm in a one-to-one mapping. This creates a complicated logic burden on clients and must be duplicated on all clients, and SSO token generated would vary based on actual realm chosen as opposed to having a single universal SSO token for the domain.
5. Use Kerberos Cross-Realm trusts. Probably works, but Jira suggests this is untested (https://issues.jboss.org/browse/KEYCLOAK-3842). This is not a great option in our case because we only trust users from the other realm on the web, not on workstations or anywhere else and don't want to change what "anyone with an account" means, and introduce extra risk requiring assigning users to a new group and relying on group authorization.
6. Instead of Keycloak just use mod_auth_kerb and SSSD (https://www.freeipa.org/page/Web_App_Authentication). A hack integration, but might be easier.
What have others done? Thoughts? Suggestions? None of these options are great.
Thanks,
Ryan
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "Marek Posolda" <mposolda(a)redhat.com>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Friday, February 9, 2018 9:46:25 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers
Thanks Marek,
I am using 3.4.3, but the two Kerberos realms are not configured in a cross realm trust (I want the web apps in one specific Keycloak realm to trust either realm, but that trust shouldn't be universal and System Admins don't want to trust other realms for Workstation logins and cross realm trust would require new authorization considerations as it changes what "anyone with an account" means). Is cross realm trusts the only way to do what I'm after?
Ryan
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Ryan Slominski" <ryans(a)jlab.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Friday, February 9, 2018 9:04:56 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers
Hi,
which Keycloak version are you using? In 3.4.3, we added support for the
scenario when the kerberos realms are in trust with each other (hence
you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could
you try with 3.4.3 and see if it helps? Otherwise please create a JIRA
with the steps to reproduce and ideally with server.log (with DEBUG
option enabled on LDAP storage providers and with DEBUG logging
described in "Troubleshooting" section of our Kerberos documentation).
Thanks,
Marek
On 9.2.2018 at 14:51, Ryan Slominski wrote:
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will log in the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
Re: [keycloak-user] User Attribute Search
by Stephen Montgomery
Hi,
I can see Keycloak has a GET /admin/realms/{realm}/users with a “search” query parameter that offers LIKE type query on username, first/last name, email attributes only - https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource.
We’d like to be able to search for users that have particular application-defined attributes (that we define as Keycloak user attributes - https://www.keycloak.org/docs/3.3/server_admin/topics/users/attributes.html), e.g. we have attributes for notifications/timezones etc:
critical_notification_channel EMAIL##SMS
language UK English
major_notification_channel EMAIL##SMS
minor_notification_channel EMAIL##SMS
time_zone GMT
Is it possible to, e.g., search for those users that have attributes major_notification_channel = ‘SMS’ and in GMT timezone?
If not, any plans to implement a change request to offer an enhanced query?
Thanks,
Stephen
Keycloak on Wildfly 12 running EE8
by Mario Peck
Did anyone have any success running the Keycloak Elytron Adapter for
Wildfly on Wildfly 12 running in EE8 mode (ee8.preview.mode=true)? It is
not working for me. Anyone?