Get a GSSCredential when user browser is not in Active Directory domain
by Chris Smith
I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
I can get a delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a delegated GSSCredential in the access token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and to connect over JDBC to the IBM i. My IBM i is configured to accept a Kerberos ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
Can Keycloak put a GSSCredential for the logged-in user in the access token when SPNEGO is not available from the browser?
5 years, 11 months
Switching to Native JavaScript promise by default
by Stian Thorgersen
I would like to switch the JavaScript adapter to use Native promises by
default and deprecate the legacy promise with the aim to remove it in the
future.
This would result in users that want to continue to use the legacy promise
having to explicitly enable this in the config.
I see this as the best path to eventually remove the legacy promises.
5 years, 11 months
Role Mappings on Subsequent Logons
by Will Osborn
Hi,
I have set up a Keycloak server and, using an identity provider, successfully set up SSO with claims-to-role mappings. Is there any way to allow subsequent logons to recheck the claims and reapply the role mappings, so that if they change in the identity provider system those changes are passed through to Keycloak?
Thanks
Will
Will Osborn | Head of delivery
5 years, 11 months
Getting timestamp from EVENT_ENTITY
by Edmund Loh
The EVENT_TIME column in the EVENT_ENTITY table is stored as datatype
NUMBER(38,0). How can I go about converting this to a timestamp through the
use of SQL statements?
5 years, 11 months
Customize saml response
by Pulkit Srivastava
Hi,
I am using as external IdP with Keycloak. The external IdP sends a SAML response
to Keycloak, but Keycloak modifies that response before sending it to the
application, so I am unable to get some important attributes. How can we
stop Keycloak from modifying the response, or how can we customize the
response?
Thanks,
Pulkit
5 years, 11 months
[spring-boot-adapter] get token/principal/etc.
by Pavel Maslov
Hi, guys. Haven't been here for quite a while :)
I'm using the Springboot Keycloak adapter
(org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
API via bearer token [1]. And it works! Cool.
Now, I would like to get the access token in my @RestController, or even
better some information about the user. Is it possible?
Thanks in advance.
Regards,
Pavel Maslov, MS
[1] https://github.com/maslick/barkoder
5 years, 11 months
Showing error messages originating from external identity providers
by Guy Marom
Hello all,
First of - thanks for developing this. The product is very useful for us!
Second, I wanted to ask about external identity providers. We have an
integration with *Azure Active Directory* and I configured an app in Azure
that does not allow all users to use it by default, instead I need to
assign a user to the app.
When I try to login to Keycloak with a user that's unauthorized, I get
redirected to Keycloak's login page with no error message shown.
Is there a way to fix this (other than editing the HTML template of the
login page)?
Thanks,
Guy Marom
5 years, 11 months
Send email on creating new user
by Pavel Maslov
Hi all,
When I manually create a new user from the Keycloak Admin Console (UI), can
Keycloak automatically send an email to that person?
From what I can see now the user does not know that I have created an
account, unless I inform them (e.g. by email).
Regards,
Pavel Maslov, MS
5 years, 11 months
Add optional LDAP userPassword hashing
by BOUVIER Jean-Damien
Hi all !
My problem is described in the KEYCLOAK-4989 issue, titled "add optional LDAP userPassword hashing".
I'm in the worst-case scenario, as I use OpenLDAP, which doesn't hash passwords by default, and the way it has been installed, I don't have the "ppolicy overlay" available.
So Keycloak sends the password in clear text, and I thought that I could add specific OpenLDAP configuration to hash the password before.
The LDAP administration already has some specific configuration for AD and I thought that I could start from there (org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory for example).
So, I've written my own StorageMapperFactory:
public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper>
That needs these dependencies:
<dependencies>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-core</artifactId>
        <version>${version.keycloak}</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-services</artifactId>
        <version>${version.keycloak}</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-server-spi</artifactId>
        <version>${version.keycloak}</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-ldap-federation</artifactId>
        <version>${version.keycloak}</version>
        <scope>provided</scope>
    </dependency>
</dependencies>
But whenever I try to deploy the jar, I get:
cat hash-password-openldap-provider.jar.failed
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}
I probably lack one dependency, but I can't find which one, as the error message doesn't give a clue and my Maven project compiles.
Could you help me to find out what is wrong?
Regards,
Jean-Damien Bouvier
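One way to express the missing runtime dependency, as an added example that is not part of the original post: Maven's provided scope only satisfies compilation, while at deployment time WildFly links the jar against the server's own modules, and the "Failed to link ... LDAPStorageMapperFactory" error indicates the deployment module cannot see the module that ships that class. The module name below is assumed from the Keycloak WildFly distribution layout (modules/system/layers/keycloak/org/keycloak/keycloak-ldap-federation) and should be checked against the installed server; the file goes in META-INF of the deployed jar.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/jboss-deployment-structure.xml (added example, not from the thread) -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- Already visible to provider deployments in most setups,
                 listed explicitly so the mapper's service loading stays unambiguous -->
            <module name="org.keycloak.keycloak-services"/>
            <!-- Assumed module name: supplies org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory,
                 which the POST_MODULE link failure above reports as unresolvable -->
            <module name="org.keycloak.keycloak-ldap-federation"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```

After redeploying, confirm that the marker file hash-password-openldap-provider.jar.failed is replaced by a .deployed marker before testing whether Keycloak now applies the mapper; a still-failing deployment means the module name does not match the installed layers.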
5 years, 11 months