Group-Mapping
by Lahari Guntha
Hi All,
We are using keycloak of version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"
When I log in to one of my applications that is configured to have SSO with Keycloak as user "user1", who is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2"...
But now the newly added group is not reflected when I click on User > Group Mapping.
Why is this happening?
What is the solution to continuously and automatically sync the users with the groups they are present in or are newly added to?
Thanks,
Lahari
6 years, 4 months
Keycloak Java Servlet Filter Adapter.
by Luis Rodríguez Fernández
Hello there,
I am using the java servlet filter adapter (http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...) in apache-tomcat 9 and it works like a charm, thanks! The filter class is org.keycloak.adapters.saml.servlet.SamlFilter
I would like to fully externalize the keycloak configuration from the deployed applications. I know that I can set the keycloak config file via the filter config param keycloak.config.file to some external path like /usr/local/my-keycloak-saml.xml, brilliant!
On the other hand the SamlFilter (https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...) looks for the keystores inside of the application context, usually something like /WEB-INF/my-keystore.jks. This is due to the implementation of the ResourceLoader.getResourceAsStream(String resource) function. It looks something like this:
    ResourceLoader loader = new ResourceLoader() {
        @Override
        public InputStream getResourceAsStream(String resource) {
            // resolved relative to the web application's context root
            return filterConfig.getServletContext().getResourceAsStream(resource);
        }
    };
In ServletContext.getResourceAsStream(java.lang.String path) the path param must begin with a "/" and it is interpreted as relative to the current context root. I would be in favor of having the possibility of externalizing this resource, perhaps having something like:
    // First try the original one (relative to the context root)
    InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
    if (is == null) {
        // Try with an external one (plain filesystem path)
        try {
            is = new FileInputStream(resource);
        } catch (FileNotFoundException e) {
            throw new RuntimeException(e);
        }
    }
Any thoughts on this?
Thanks in advance,
Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 5 months
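One way the fallback Luis sketches could be written, as an added example that is not part of the original thread or of the Keycloak adapter: it keeps the servlet-context lookup first, then falls back to the filesystem, but only to files below one configured directory, so that a keystore path taken from the SAML config cannot point the adapter at arbitrary files on the server. The package of the ResourceLoader interface and the init-param "keycloak.config.dir" are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.FilterConfig;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader; // assumed package of the adapter's ResourceLoader

// Constructed example: resolves a resource first in the web application (the
// adapter's current behaviour), then in one external directory given by the
// hypothetical init-param "keycloak.config.dir" (e.g. /usr/local/keycloak-conf).
public final class ExternalFallbackResourceLoader implements ResourceLoader {
    private final FilterConfig filterConfig;
    private final File externalBase; // null when no external directory is configured

    public ExternalFallbackResourceLoader(FilterConfig filterConfig) throws IOException {
        this.filterConfig = filterConfig;
        String dir = filterConfig.getInitParameter("keycloak.config.dir"); // hypothetical param
        this.externalBase = dir == null ? null : new File(dir).getCanonicalFile();
    }

    @Override
    public InputStream getResourceAsStream(String resource) {
        // 1. Original lookup: the path starts with "/" and is relative to the context root.
        InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
        if (is != null || externalBase == null) {
            return is;
        }
        // 2. Fallback to the filesystem, restricted to the configured directory:
        //    a keystore path in keycloak-saml.xml must not be able to reach
        //    other files on the server.
        try {
            File requested = new File(resource);
            File candidate = (requested.isAbsolute() ? requested : new File(externalBase, resource))
                    .getCanonicalFile(); // resolves ".." and symlinks before the containment check
            if (!candidate.getPath().startsWith(externalBase.getPath() + File.separator)) {
                return null; // outside the allowed directory: treat as not found
            }
            return candidate.isFile() ? new FileInputStream(candidate) : null;
        } catch (IOException e) {
            return null; // unreadable path: let the adapter report the missing resource
        }
    }
}
```

With keycloak.config.dir set to /usr/local, a KeyStore file="/usr/local/my-keystore.jks" in the external SAML config is accepted, while /WEB-INF/my-keystore.jks still resolves through the servlet context as before.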
lock user after being inactive for certain period
by Sachin Rastogi
Hi all,
We need to disable / lock a user if the user doesn't log in to the system for a certain period (such as after 10 days or so). I couldn't find an option to enable this. Please guide me.
Regards,
SR
6 years, 6 months
Keycloak & Okta
by John D. Ament
Hi
Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to
authenticate (both SP initiated and IdP initiated) it fails with this error
01:40:54,626 WARN [org.keycloak.events] (default task-7)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-7) staleCodeMessage
I suspect it's a setup issue on my side, so I was hoping someone else has tried this and can give tips. I even tried the import feature, no luck.
John
6 years, 6 months
Entitlement request with additional parameters
by Corentin Dupont
Hi guys,
I use the entitlement API to check access control on my resources. Here I
check if a user can update a sensor:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
    "permissions" : [
        {
            "resource_set_name" : "Sensors",
            "scopes" : [
                "sensors:update"
            ]
        }
    ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But I would like to make complex policies that check additional parameters,
such as sensor status etc.
How can I pass along the additional parameters to the request, and use them
in my policies? I use javascript policies mainly.
Thanks
Corentin
6 years, 6 months
Wrong event after email verify started by REST (send-verify-email)
by pieter.dekinder@bricsys.com
Hi all,
We are using the Keycloak REST API to trigger an email verification email (.../send-verify-email).
When the verification process is done, the EVENT logged is a
CUSTOM_REQUIRED_ACTION event.
Email verification is not a customization, so it should probably be logged
as VERIFY_EMAIL.
Is this expected behaviour? Or can this be considered a bug?
Kind regards,
Pieter
6 years, 7 months
LDAP failover
by Vinay
Does keycloak provide LDAP failover, i.e. providing two LDAP URLs while creating an LDAP provider so that users can be searched on both the primary and the secondary LDAP server? This is required for high availability.
6 years, 7 months
Modify roles in Token after user login SPI
by Sandeep Rai
Hi Community,
I'm trying to add more roles into the token after the token has been generated, following the isValid() return of the Authentication SPI.
I have an application which has SMS OTP functionality. After the user has verified the OTP I want to grant more roles to the user by adding those roles into the token. But how do I modify the existing token or even renew it with new roles?
Is there an endpoint I can use to do so? Or any other ProviderInterface that I can use to achieve this?
Regards
6 years, 7 months
Programmatically login as a user
by valsaraj pv
Hi,
I have web application login via Keycloak working fine. But for background processing like reading messages from a queue, we need to log in as a dedicated queue user behind the scenes. For this we can't redirect to the login page. Earlier it was done programmatically by using a JAAS login context and passing the login module & credentials. Now when we switch to KC, what is the appropriate model to do this?
Please advise!
Thanks!
6 years, 7 months