Group-Mapping
by Lahari Guntha
Hi All,
We are using Keycloak version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"
When I log in to one of my applications that is configured to have SSO with Keycloak as user "user1", which is present in group "group1", that user entry is shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2"...
But now the newly added group is not reflected when I click on User > Group Mapping.
Why is this happening?
What is the solution to continuously and automatically sync users with the groups they are present in or newly added to?
Thanks,
Lahari
6 years, 4 months
Keycloak Proxy Rename
by Bruno Oliveira
Good afternoon,
We are considering transferring or forking the keycloak-proxy[1] to the Keycloak
organization. In order to accomplish that, I've been working with Rohith on
updating some of its dependencies[2].
While discussing with our team, we reached the conclusion that calling it a
proxy could potentially increase the scope of the project and also give
people the wrong idea, because things like load balancing,
rate limiting, and other features would be expected. That's not what we want right now.
I would like to gather some feedback from the community before we move forward.
So please vote on the following Doodle:
https://doodle.com/poll/gux626ktscgpr96t
Also, feel free to suggest other names and they will be included.
[1] - https://github.com/gambol99/keycloak-proxy
[2] - https://issues.jboss.org/browse/KEYCLOAK-7265
--
abstractj
6 years, 4 months
Keycloak Java Servlet Filter Adapter.
by Luis Rodríguez Fernández
Hello there,
I am using the java servlet filter adapter (
http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...)
in apache-tomcat 9 and it works like a charm, thanks! The filter class
is org.keycloak.adapters.saml.servlet.SamlFilter
I would like to fully externalize the Keycloak configuration from the
deployed applications. I know that I can set the keycloak config file via
the filter config param keycloak.config.file to some external path like
/usr/local/my-keycloak-saml.xml, brilliant!
On the other hand, the SamlFilter (
https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...)
looks for the keystores inside the application context: usually
something like /WEB-INF/my-keystore.jks. This is due to the implementation of
the ResourceLoader.getResourceAsStream(String resource) function. It looks
something like this:
ResourceLoader loader = new ResourceLoader() {
    @Override
    public InputStream getResourceAsStream(String resource) {
        return filterConfig.getServletContext().getResourceAsStream(resource);
    }
};
In ServletContext.getResourceAsStream(java.lang.String path) the path param
must begin with a "/" and it is interpreted as relative to the current
context root. I would be in favor of having the possibility to externalize
this resource, perhaps with something like:
// First try the original one (relative to the servlet context root)
InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
if (is == null) {
    // Try with an external one (absolute path on the file system)
    try {
        is = new FileInputStream(resource);
    } catch (FileNotFoundException e) {
        throw new RuntimeException(e);
    }
}
Any thoughts on this?
Thanks in advance,
Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 5 months
lock user after being inactive for certain period
by Sachin Rastogi
Hi all,
We need to disable / lock a user if the user doesn't log in to the system for a
certain period (such as after 10 days or so). I couldn't find an option to
enable this. Please guide me.
Regards,
SR
6 years, 6 months
SAML Advice assertion with signature
by Arjan Lamers
Hi,
We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the Dutch eHerkenning) that is using SAML Advice tags.
We were running an older version of KeyCloak and recently that identity provider started to use <saml:Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag and that made us upgrade to 3.4.3. However, this patch does not seem to be complete.
The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails.
We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?
However, if we do want to go down this road, we would probably patch this in
org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator)
by skipping over nodes that have an ‘Advice’ parent.
Would that be an appropriate approach? Would you be interested in such a patch?
Kind regards,
Arjan Lamers
Software Architect
+31 (0)6 23 82 24 05
a.lamers(a)first8.nl
https://www.first8.nl
LinkedIn https://www.linkedin.com/in/arjanl
Kerkenbos 1059b
6546 BB Nijmegen
View the general terms and conditions of Conclusion here <https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden>
6 years, 6 months
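The scoping question Arjan raises (which signatures in a response must be verified, and which only sit under <saml:Advice>) as an added example that is not part of the thread or of Keycloak's code. It walks a constructed SAML response with Python's standard library, separates the assertions the relying party will consume from those nested under Advice, and checks that the set of assertions consumed equals the set whose signatures get verified. The element IDs and signature values are constructed placeholders; actual XML signature verification is out of scope here.

```python
"""Added example (not from the original thread): separate the SAML
signatures a relying party must verify from those nested under
<saml:Advice>, and make sure the assertions it consumes are exactly the
ones whose signatures it verifies.  Standard library only; the sample
response is constructed, with placeholder signature values."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

ASSERTION = f"{{{SAML_NS}}}Assertion"
ADVICE = f"{{{SAML_NS}}}Advice"
SIGNATURE = f"{{{DS_NS}}}Signature"

# Constructed sample: one top-level signed assertion whose Advice carries
# two further signed assertions (the shape described in the thread).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER-A1</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
    <saml:Advice>
      <saml:Assertion ID="_adv1">
        <ds:Signature><ds:SignatureValue>PLACEHOLDER-ADV1</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
      <saml:Assertion ID="_adv2">
        <ds:Signature><ds:SignatureValue>PLACEHOLDER-ADV2</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
    </saml:Advice>
  </saml:Assertion>
</samlp:Response>"""


def _parent_map(root):
    """ElementTree has no parent links, so build them once per document."""
    return {child: parent for parent in root.iter() for child in parent}


def _under_advice(elem, parents):
    """True if any ancestor of elem is a saml:Advice element."""
    node = parents.get(elem)
    while node is not None:
        if node.tag == ADVICE:
            return True
        node = parents.get(node)
    return False


def classify(xml_text):
    """Return (consumed, to_verify, skipped) as sets of assertion IDs.

    consumed:  assertions the relying party will act on (not under Advice)
    to_verify: assertions carrying a direct Signature that must be checked
    skipped:   assertions under Advice, ignored by parser and validator alike
    The first two sets must be identical, otherwise an assertion would be
    used without its signature being verified (or verified needlessly)."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    consumed, to_verify, skipped = set(), set(), set()
    for a in root.iter(ASSERTION):
        aid = a.get("ID")
        if _under_advice(a, parents):
            skipped.add(aid)
            continue
        consumed.add(aid)
        # find() looks at direct children only, so a signature on a nested
        # Advice assertion is not mistaken for this assertion's signature
        if a.find(SIGNATURE) is not None:
            to_verify.add(aid)
    return consumed, to_verify, skipped


def signatures_to_verify(xml_text):
    """Signature elements a validator should process: all that do not have
    an Advice ancestor.  Everything else is left to the issuer of the advice."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    return [s for s in root.iter(SIGNATURE) if not _under_advice(s, parents)]


if __name__ == "__main__":
    consumed, to_verify, skipped = classify(SAMPLE_RESPONSE)
    print("consumed:", sorted(consumed))
    print("verify:  ", sorted(to_verify))
    print("skipped: ", sorted(skipped))
    if consumed != to_verify:
        raise SystemExit("an assertion would be consumed without signature verification")
    print("signatures to verify:", len(signatures_to_verify(SAMPLE_RESPONSE)))
```

SAML 2.0 Core allows a relying party to ignore the contents of <Advice>, so the property worth enforcing is consistency: whatever the parser skips, the validator also skips, and whatever the parser keeps, the validator checks. A validator that skips a Signature whose assertion is still consumed, or a parser that consumes an assertion the validator never looked at, is where the real risk lies.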
Re: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner
by Shaik Salam
Hi,
We have installed Docker on a Linux operating system in a VM and are running the Keycloak server as a container.
Trying to restart the server (e.g. ./bin/standalone.sh), but boot fails due to the following port conflicts.
Could you please let us know whether any modifications are needed on the ports or the interface's IP address in the respective files (e.g. standalone.xml, host.xml etc.).
Please provide a suitable solution and tell us in which files modifications need to be made to rectify the following errors; see the log below for more information.
Thanks in advance.
11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:340)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
failure description: {
"WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"},
"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
"Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"],
"Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}
}
11:10:49,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
"Services that were unable to start:" => [
"jboss.deployment.discovery.\"keycloak-server.war\"",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"com.sun.faces.config.ConfigureListener\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.faces.webapp.FacetTag\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.filters.KeycloakSessionServletFilter\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.listeners.KeycloakSessionDestroyListener\".START",
"jboss.deployment.unit.\"keycloak-server.war\".deploymentCompleteService",
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service",
"jboss.undertow.deployment.default-server.default-host./auth"
],
"Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}}
BR
Salam
6 years, 6 months
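A small triage helper for the boot failure above, added here as an example that is not part of the thread or of the WildFly/Keycloak tooling. It pulls the failing service name and the address/port out of "Address already in use" lines and lets you test whether a port is still taken on the host before the next restart. The embedded log lines are constructed to match the shape of the ones quoted in the message.

```python
"""Added example (not from the original thread): extract the listeners and
ports a WildFly/Keycloak boot log reports as already in use, and check
whether a port is currently bindable on this host.  The sample log below
is constructed from the shape of the lines quoted in the thread."""
import re
import socket

SAMPLE_LOG = """\
11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
11:10:49,024 INFO  [org.jboss.as] (Controller Boot Thread) constructed unrelated line
"""

# Service name (up to the colon) and the IPv4 address/port that failed to bind.
BIND_ERROR = re.compile(
    r"Failed to start service (?P<service>\S+):.*?"
    r"Address already in use /(?P<addr>[0-9.]+):(?P<port>\d+)"
)


def conflicting_listeners(log_text):
    """Map each failing service to the (address, port) it could not bind."""
    found = {}
    for line in log_text.splitlines():
        m = BIND_ERROR.search(line)
        if m:
            found[m.group("service")] = (m.group("addr"), int(m.group("port")))
    return found


def port_is_free(addr, port):
    """Try to bind the socket; failure means something else owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    # Usage: point this at the real server.log instead of SAMPLE_LOG.
    for service, (addr, port) in conflicting_listeners(SAMPLE_LOG).items():
        state = "free now" if port_is_free(addr, port) else "still in use"
        print(f"{service}: {addr}:{port} ({state})")
```

Three distinct services failing on 8080, 9990 and 8443 at the same moment is the signature of a second server instance (an earlier container or a leftover process) still holding the default bindings on the same interface, rather than a single misconfigured socket-binding; checking each port with port_is_free before editing standalone.xml tells the two cases apart.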
Get all users for a given client with consent
by Henning Waack
Hi.
Is it possible to get a list of all users who have given their consent for a specific client? I am working with KC 4.0 (and Spring Boot 2.0).
Thanks & greetings
Henning
6 years, 6 months
Keycloak on Kubernetes - HTTPS required
by Pavlov, Yordan
Hi all,
I’m evaluating Keycloak as IAM for one open source project [1]; so far, I’ve tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster.
The real cluster (created by Gardener [2]) is running on AWS and access to Keycloak is exposed through an Ingress controller [3].
We’ve also installed “cert-manager” for automated management of Let’s Encrypt issued certificates.
So far so good, but when I try to login to the “Admin Console” I get the following error:
“We're sorry... HTTPS required”
In the logs of the pod, there is the following warning:
“WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required”
As far as I understand, the Let’s Encrypt certificate is trusted by browsers and it appears to be trusted by OpenJDK also [4].
Then what should be done in order to access the Admin Console?
Last but not least, we are using jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).
Regards,
Yordan Pavlov
[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
6 years, 6 months