LDAP user group membership not syncing
by Luiz Carlos
Hi everyone
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those wasn't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to being a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
--
Luiz Carlos
6 years, 1 month
Keycloak as OIDC provider to AWS ALB, any hints!
by Max Allan
Hi,
The AWS ALB will allow you to authenticate to cognito or OIDC nowadays.
I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(
I can see a request to keycloak (from the client) :
https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/a...
And it 302 redirects back to the ALB :
https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BE...
On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL, KC hands back a 302 (the URL above)
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature. (Using jwt.io 's debugger.)
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.
But it doesn't seem to like it. And gives me a 500 error.
(I can authenticate with Google OIDC without any trouble...)
(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )
6 years, 1 month
SAML Token contains carriage returns (
)
by Dean Peterson
Is there a way to remove the carriage returns keycloak uses in the saml
assertion token? This is incompatible with Websphere idAssertion using
keycloak as the Identity provider. Ex, notice the 
 characters in the
content:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_a42073de-3815-4951-8db4-5d07d46dbf75"
IssueInstant="2018-09-17T05:35:29.198Z" Version="2.0"><saml:Issuer>
http://localhost:8080/auth/realms/unemployment-insurance</saml:Issuer><dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:CanonicalizationMethod><dsig:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></dsig:SignatureMethod><dsig:Reference
URI="#ID_a42073de-3815-4951-8db4-5d07d46dbf75"><dsig:Transforms><dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></dsig:Transform><dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:Transform></dsig:Transforms><dsig:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256
"></dsig:DigestMethod><dsig:DigestValue>8aoA9CDfFV8PXBnuafSS3JU/MXuGX3to93E+go9DJrk=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>UpQPIpNTXMuds8BP5a/N08sXeVMV9Bo6/gxb+rZo38tJwu9GGdrX2SeUlQUWVKRcH0qQRlWzVLfO
nvb9gbIs/qGrIRQf2nvb40ywN0V8QqCaQr8VU++2rOJGSUfByGjazopvp2WrOM0JdlD6WjeqCs27
L+fpbVKC8GGZQB+KblqQ08xJ17yN0VDxwDAk+QDwkGpioe9p6/nSZZYCIimPF8BR0TxgwCm9KZl7
ASNv+d7m6Zaarj/CnqjLG0zDWPfAdW6R5sWuRmUzHiDG3AwpOaxxLP2d5HGPCRCfmiCHMVN3EVx4
FoQg/ej8QQ1Z0fCOg/N9qRJnFxYbnjMdc1w4rw==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>Ayvm2xqFD1Xb_CeLG0LbFdh2PuBAflqKnI7kCiTwqjw</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>MIICuzCCAaMCBgFlsHW+ezANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZVbmVtcGxveW1lbnQg
SW5zdXJhbmNlMB4XDTE4MDkwNjE5NTUzMVoXDTI4MDkwNjE5NTcxMVowITEfMB0GA1UEAwwWVW5l
.....
6 years, 1 month
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
support SSO.
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
6 years, 2 months
Authroization: Receiving "Failed to enforce policy decisions" for valid token after sometime
by Bruce Wings
Steps:
1. After obtaining a token from keycloak, I am able to
authenticate/authorize user with this token.
2. After sometime(15-20 minutes), I start receiving *"Failed to enforce
policy decisions"*. If the same token was valid a few minutes before,
shouldn't I get the "*token expired*" message instead of "*Failed to
enforce policy decisions*"?
My access token lifespan is set to 8 hours. Still I see this behavior after
just 15-20 minutes. Attached image for token expiry settings:
[image: image.png]
6 years, 2 months
Keycloak SAML tomcat adapter and correct log-out
by Leonid Rozenblyum
Hello!
I'm using a keycloak tomcat SAML adapter and I have a question related to
?GLO=true way of logging-out (since Tomcat doesn't implement full JavaEE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside the Keycloak is indeed invalidated
however the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page still can be loaded.
Is there a robust documented way to do the logout with help of Keycloak
SAML tomcat adapter?
Thanks
6 years, 2 months
Integration with OpenID provider
by Karol Buler
Hi,
I am trying to add Identity Broker based on OpenID Connect to my
Keycloak. Everything is fine, redirecting to login page is working,
but... always is "but" :) I've got error in Keycloak:
org.keycloak.broker.provider.IdentityBrokerException: No access_token
from server.
What I found is that the Keycloak doesn't send the "Authorization"
header in request "code-to-token". Is it bug/feature or am I missing
some configuration?
Best regards,
Karol
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED.
Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy<https://www.adbglobal.com/privacy-policy/> and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.
6 years, 2 months
Can KeyCloak support Multi-lateral SAML federation?
by Chris Phillips
Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information..
To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which lead me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome..
Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE| chris.phillips(a)canarie.ca<mailto:chris.phillips@canarie.ca> |GPG: 0x7F6245580380811D
6 years, 2 months
SAML RSAKeyValue causing error
by Dean Peterson
I am having trouble using Keycloak as the external provider to our
Websphere Application. I received the following response from IBM support:
I discussed the issue with our SAML SSO SME. He found in SAML token,
besides X509Certificate, it also contains RSAKeyValue (<dsig:RSAKeyValue>).
This document states:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websp...
.
RSAKeyValue is supported for the KeyInfo element in a Signature. However,
the X.509 certificate is not available when using RSAKeyValue. When the
X.509 certificate is not available to the runtime, the signer of the SAML
Assertion cannot be checked against a truststore. If you want to receive
SAML Assertions that use RSAKeyValue you cannot configure the runtime to
use a truststore.
.
Can you config the idP so that it only sends X509 certificate, not RSAKey?
Is it possible to remove the RSAKeyValue from the saml token and still send
just the certificate?
6 years, 2 months
Keycloak Docker Quickstart
by Piergiorgio Lucidi
Hi,
I have just published a first version of a generic Keycloak SDK based on
Docker fully managed by Maven. I would like to understand if this first
work can be useful for the current Keycloak development.
I'm also interested to know if there are developers interested to
contribute in this project.
Article link:
https://www.open4dev.com/journal/2018/9/25/introducing-the-keycloak-docke...
Github:
https://github.com/OpenPj/keycloak-docker-quickstart
I'm wondering if this project can be improved as a Maven Archetype with
dynamic parameters for generating components only if needed by developers.
I mean without having all the Maven modules for components that you don't
need to extend or create.
Please let me know what you think and how this project can be extended to
become more helpful for the overall community.
Thank you and hope this helps.
Cheers,
PJ
--
Piergiorgio Lucidi
https://www.open4dev.com
6 years, 2 months
