identity broker SAML logout with redirect
by Madhu
Hi
I am looking at configuring Keycloak as an identity broker using SAML. The external IdM I am integrating supports a logout URL and also takes a query param for redirecting the user after logout.
How can I pass the redirect URL of Keycloak's logout to this external IdM in the broker configuration?
I tried parameterizing the logout URL link in my Keycloak config by specifying ${redirectURL} and this did not work out of the box. Is there any way I can pass the redirect URL of Keycloak to the external IdM as a query param? e.g. https://externalIDM/logout?logoutURL=${redirectURL}
My external IdM does not seem to support back-channel logouts.
If I do not configure logout, the external IdM does not log out the user; if I do not specify the post-logout URL to the external IdM, the user is redirected to the external IdM's default login page. My intention is to redirect the user to the Keycloak login page with the app/client context.
Regards,
Madhu
6 years, 5 months
Federating LDAP server to Keycloak crashed with Out Of Memory error
by Chenyuan Zhang
Hi there,
We were trying to add an LDAP user federation provider with around 5000 users. But the process crashed with an out of memory error:
2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync! See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324"
2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr]
Here are the options we used:
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC
From what I read, it seems like Keycloak imports users from LDAP to our production database through a periodic background task.
But I'm not sure what happened at the memory level that caused the OutOfMemory error. Does Keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our Java options?
Any suggestion would be appreciated.
Thanks a lot,
Chenyuan
6 years, 5 months
Import User Passwords with User Storage SPI
by Omari Christian
Hello everyone,
We're currently migrating to Keycloak. We're using the user storage SPI (
https://www.keycloak.org/docs/latest/server_development/index.html#import...)
with the import strategy. Eventually, we will unlink all our users and no
longer need the user storage SPI.
The problem is: 1) We really want our users to keep their same passwords
and 2) we don't store passwords in plaintext. We store them as salted
hashes, using a different algorithm than Keycloak. We verify the password
by performing that 1-way hash on a user's supplied password, then comparing
the result against the hash in the database. Reverse-hashing our user's
passwords into plaintext and importing users through the REST API or JSON
file is not a solution for us.
It seems there is no interface to store passwords in Keycloak's local
storage after you have verified the user's password, although you can store
other attributes locally. I thought there was a way to migrate users with
passwords, partly because I read articles that promised you could (
https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e...)
before we chose Keycloak. I now realize that article (and accompanying
code) are out of date.
My next plan is to try some hacky code, or calling the REST API from the
user storage SPI. I don't have a lot of hope those will work. I imagine
this is a common issue. Is there any solution or workaround?
Thanks,
Omari
6 years, 5 months
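The pattern the post is reaching for, verifying a login against the legacy salted hash and re-hashing the cleartext the user just typed into the new format on success, is shown below as an added stand-alone Python example. It is not Keycloak code and not the SPI the post links to: the legacy scheme (SHA-256 over salt plus password), the record layout and the in-memory store are all constructed for the example, and in a real User Storage provider this logic would sit in the provider's credential validation path.

```python
"""Verify-then-migrate password pattern (added example, not Keycloak code).

Legacy scheme (constructed assumption): sha256(salt || password), stored as
"legacy$<hex salt>$<hex hash>".  New scheme: PBKDF2-HMAC-SHA256, stored as
"pbkdf2$<iterations>$<hex salt>$<hex hash>".  A successful login against a
legacy record re-hashes the cleartext the user just supplied into the new
format, so the legacy hash never has to be reversed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 210_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Hypothetical legacy algorithm: a single SHA-256 over salt + password.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_legacy_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    return f"legacy${salt.hex()}${legacy_hash(password, salt).hex()}"


def make_new_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    scheme, *parts = record.split("$")
    if scheme == "legacy" and len(parts) == 2:
        salt, expected = bytes.fromhex(parts[0]), bytes.fromhex(parts[1])
        return hmac.compare_digest(legacy_hash(password, salt), expected)
    if scheme == "pbkdf2" and len(parts) == 3:
        iterations, salt, expected = int(parts[0]), bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(actual, expected)
    return False  # unknown or malformed record never authenticates


class UserStore:
    """In-memory stand-in for the legacy database plus the new local store."""

    def __init__(self, records: Dict[str, str]):
        self.records = dict(records)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None or not verify(record, password):
            return False
        if record.startswith("legacy$"):
            # Migration step: the cleartext is available only now, so re-hash it
            # into the new scheme; subsequent logins no longer touch the legacy hash.
            self.records[username] = make_new_record(password)
        return True

    def scheme(self, username: str) -> str:
        return self.records[username].split("$", 1)[0]


if __name__ == "__main__":
    store = UserStore({"alice": make_legacy_record("correct horse")})
    print(store.scheme("alice"), store.login("alice", "correct horse"), store.scheme("alice"))
```

The constant-time comparison matters for both formats, and the failed-login branch deliberately leaves the legacy record untouched so a wrong guess can never trigger a migration.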
Admin client in OSGI env
by Nhut Thai Le
Hello,
I'm using the admin-client in my app running in an OSGi container to query
permissions on the Keycloak server. However, since admin-client uses RESTEasy,
which switches the class loader to the current thread's class loader before
building the proxy, some of the classes that RESTEasy needs may not be available
at runtime. Is there any way I can work around this class loader issue
caused by RESTEasy?
Thai
6 years, 5 months
Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
by Ryan Slominski
Hi Dmitry,
I think what I am seeing now can be explained by this bug:
https://issues.jboss.org/browse/KEYCLOAK-2784
Historically my application would allow non-authenticated users to browse most pages, but if you log in you see more content. Before converting to Keycloak I was using the Java Servlet container managed security programmatic login. Now I have an anchor (link) to Keycloak. It seems I might need to set up some tricks, as it appears the Wildfly client adapter doesn't support this use-case of tracking authenticated users on programmatically-protected (non-container protected) pages.
Also, for completeness, I forgot to add in the last email that to get around the localhost proxy issue I actually had to add an Apache rule 'RequestHeader set X-Forwarded-Proto "https"' and also update Wildfly with the following commands on the CLI:
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
I also had to configure a trust store in Wildfly (cacerts file) with my Keycloak server PKI certificate.
If I navigate to one of the few fully container protected pages the username (principal) does become recognized - although it is an unfriendly format: "f:<user storage ID>:<username>"
Ryan
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "Dmitry Telegin" <dt(a)acutus.pro>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Thursday, August 9, 2018 8:06:08 AM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
Hi Dmitry,
Yes, that seems to be it. I am using an Apache reverse proxy to get my Wildfly application on port 8080 accessible over port 443. My proxy rule was using localhost instead of myserver.example.com, and after replacing localhost with the actual hostname it now seems to be working. I say seems to be working because I now get past the localhost redirect issue, but it doesn't seem like the servlet container acknowledges I'm logged in. I am redirected back to the application with a parameter session_state=<long string of characters and numbers>. However, the EL expression on the return page: "${pageContext.request.userPrincipal eq null}" is showing true - suggesting that the Wildfly servlet container doesn't know I'm logged in. Does the Wildfly client adapter not integrate with container managed security?
Thanks,
Ryan
----- Original Message -----
From: "Dmitry Telegin" <dt(a)acutus.pro>
To: "Ryan Slominski" <ryans(a)jlab.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 8, 2018 7:23:54 PM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
Hi Ryan,
Is your Wildfly (not Keycloak) behind a reverse proxy?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-08-08 at 16:34 -0400, Ryan Slominski wrote:
> Hi Keycloak Users,
> I'm attempting to set up a Wildfly application as a client to Keycloak and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com". This breaks the process with the Keycloak error "Invalid parameter: redirect_uri". How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly application on unprotected pages I'm using the actual hostname already. In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1. I've also updated the host element default-host alias to match myserver.example.com to replace "localhost". Neither of those changes made a difference.
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
6 years, 5 months
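Why the redirect_uri came out as localhost, and what the proxy-address-forwarding attribute together with the X-Forwarded-Proto header change, is modelled below in an added Python example. This is not Wildfly, Undertow or adapter code; it only reproduces the decision an application behind a reverse proxy has to make when it builds an absolute URL from a request that arrived on localhost:8080. The header names follow the de-facto X-Forwarded-* convention, and the trusted-proxy address list is an assumption of the example.

```python
"""Rebuilding the client-facing base URL behind a reverse proxy.

Added example, not Wildfly/Undertow code.  With forwarding disabled the app only
knows the socket it listens on (localhost:8080), so any absolute URL it mints,
including an OIDC redirect_uri, points at localhost.  With forwarding enabled it
may take scheme and host from the proxy's X-Forwarded-* headers, but only when
the request really came from the proxy, since any client can send those headers.
"""
from typing import Dict

# Assumption for this example: Apache runs on the same host as the application.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def external_base_url(headers: Dict[str, str], peer_ip: str,
                      local_host: str = "localhost", local_port: int = 8080,
                      forwarding_enabled: bool = True) -> str:
    """Return scheme://host as the browser sees it."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = "http", f"{local_host}:{local_port}"
    if forwarding_enabled and peer_ip in TRUSTED_PROXIES:
        # Only the peer we know to be our proxy may override scheme and host;
        # X-Forwarded-* from anyone else is ignored rather than trusted.
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", h.get("host", host))
    # Drop an explicit port when it is the default for the scheme.
    name, _, port = host.rpartition(":")
    if name and (scheme, port) in (("http", "80"), ("https", "443")):
        host = name
    return f"{scheme}://{host}"


def redirect_uri(headers: Dict[str, str], peer_ip: str,
                 path: str = "/app/secured", **kwargs) -> str:
    """The absolute URL an adapter would send as redirect_uri for this request."""
    return external_base_url(headers, peer_ip, **kwargs) + path


if __name__ == "__main__":
    # Constructed request as Apache would forward it after
    # 'RequestHeader set X-Forwarded-Proto "https"'.
    from_proxy = {"Host": "localhost:8080",
                  "X-Forwarded-Proto": "https",
                  "X-Forwarded-Host": "myserver.example.com"}
    print(redirect_uri(from_proxy, "127.0.0.1", forwarding_enabled=False))
    print(redirect_uri(from_proxy, "127.0.0.1"))
    print(redirect_uri(from_proxy, "203.0.113.5"))  # same headers, untrusted peer
```

The third call is the check a practitioner should keep in mind when enabling forwarding: if the listener honoured X-Forwarded-Host from arbitrary peers, the host in every generated redirect_uri and absolute link would become attacker-controlled, so the proxy must be the only path to the listener or the forwarded headers must be stripped for other peers.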
Restrict access to client based on Group policy
by So Be
Hi,
Is there an option to avoid access to a client after a successful login at
the external IdP?
I don't want to provide access to everyone.
I created a group and want only those who are in this group to be able to
continue using the service.
Any support on this?
Thank you.
Sofiane.
6 years, 5 months
Block login attempt from specific role
by Andreas Kull
I have one realm which contains two clients A1, A2 and two roles R1, R2.
R1 can access A1 and A2
R2 should only be able to access A2
Is there a way to disallow the login of R2 in A1 directly on the
Keycloak login page?
6 years, 5 months
Extend user account console
by Daicy Duarte
Hi!
What is the best way to extend the account console?
We need to add a new page where the user can manage other credentials, for example U2F.
Is it possible? What do you recommend?
Thanks in advance
Daicy
6 years, 5 months
Is keycloak the tool I'm looking for? selective AD user sync
by jlord87@gmail.com
Hello guys,
I'm really new to Keycloak and I need your help to understand if this
is what I'm really looking for.
I am the IT administrator in a non-profit environment, managing servers
and services for several non-profit organizations.
What I'm trying to achieve is the centralization of the authentication
and authorization process: every user should just have one password and
one "username".
The difficult part is that the environment I work in is really "fluid":
there are a lot of people working or volunteering in one or more
different organizations. Every organization has its own Active Directory
server (to manage desktop authentication and some CIFS shares), its own
GSuite (for emails) and, at the same time, there are services shared by
all (or some) of these organizations (like a Redmine ticketing system, a
Nextcloud file server and so on).
What I'm dreaming of is to manage everything from a single software (I
tried Gluu but it had some annual fees we cannot afford to pay): I
would like to create a user (something like name.surname) and add to
this user "permissions", something like "user1 should be able to access
gsuite 1, gsuite2, nextcloud and active directory 1".
I've uploaded a scheme in this pdf:
https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
Do you think Keycloak is capable of this? I played around a bit, read a
lot of documentation and what I wasn't able to achieve was a selective
Active Directory user sync...
Maybe my error was trying to do everything in the same realm; what do
you think about it?
Thank you for any hint
Francesco
6 years, 5 months