Re: [keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?
by Edgar Vonk - Info.nl
Hey Hans,
Indeed. You are right. We configured signing of AuthnRequests (and as you found out LogoutRequests) in Keycloak and configured our certificate on the NetIQ side and now both authentication and logging out works. :-) Thanks!
> Hey Ed,
>
> Ouch, bad NetIQ :-( apparently it considers the signature on the request
> as something unexpected, which it really shouldn't...
> However, you should be able to configure the signing certificate of
> Keycloak on the NetIQ side (which you needed to do anyway for the
> validation of the Logout requests) and make it "require" or "expect" signed
> authentication requests from the Keycloak SP.
>
> Hans.
5 years, 11 months
Enable X.509 Client Certificate User Authentication only to specific realm
by roberto palmarin
Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.
I have seen that the SAML parameter authnContextClassRef is not supported by keycloak, which would allow forcing the authentication method!
I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
The question is how can I disable X509 mutual authentication for a realm on keycloak? The configuration for mutual authentication is at the wildfly level and not at the realm level nor at the keycloak client level.
Is it possible to have the correct value of authnContextClassRef in the keycloak SAML response?
Thanks, Roberto Palmarin
5 years, 11 months
keycloak adapter for elytron
by Zahradnik, Milan
Hi,
I am new on this forum so please forgive me any mistakes I make.
We have a strange issue with keycloak and wildfly Elytron. We use wildfly
15.0.0. After installing keycloak (4.8.3) adapter for wildfly 10 and more
(adapter-elytron-install-offline.cli) we always get exception "Not allowed
exception" when we send request to our endpoint (stateless EJB bean). In
our access token we have all necessary roles which are then applied on
endpoint in @RolesAllowed("rest"). Also not working when we use
@SecurityDomain("keycloak") with EJB.
The strange thing is that when we install the keycloak adapter for older wildfly versions
(adapter-install-offline.cli) everything works as expected.
The same issue is here
http://lists.jboss.org/pipermail/keycloak-user/2018-August/015297.html
Does anybody of you have any idea what could be the issue here?
Thanks for any help
Milan Zahradnik
5 years, 11 months
Re: [keycloak-user] keycloak-user Digest, Vol 61, Issue 39
by Hans Zandbelt
Hey Ed,
Ouch, bad NetIQ :-( apparently it considers the signature on the request as
something unexpected, which it really shouldn't...
However, you should be able to configure the signing certificate of
Keycloak on the NetIQ side (which you needed to do anyway for the
validation of the Logout requests) and make it "require" or "expect" signed
authentication requests from the Keycloak SP.
Hans.
On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request(a)lists.jboss.org> wrote:
>
> ------------------------------
>
> Message: 3
> Date: Mon, 28 Jan 2019 16:16:20 +0000
> From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl>
> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
> LogoutRequest not working with NetIQ Access Manager because it is
> not
> signed?
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4(a)info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Hans! :-)
>
> Unfortunately with "Want AuthnRequests Signed?" enabled we can no longer
> log in to the external IdP.. I will check with the NetIQ provider people to
> check.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 28 Jan 2019 21:00:02 +0100
> From: Marek Posolda <mposolda(a)redhat.com>
> Subject: Re: [keycloak-user] User sessions in DB
> To: Lukasz Lech <l.lech(a)ringler.ch>, "keycloak-user(a)lists.jboss.org"
> <keycloak-user(a)lists.jboss.org>
> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
> > Hello,
> >
> > I'm using Keycloak docker image for 4.8.1
> >
> > I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a
> tombstone of some previous implementation. User sessions are not saved
> in the DB.
> >
> > Additionally, after some time server run, I've got NPE in
> RealmAdminResource.getClientSessionStats:614 when trying to navigate to
> Sessions position in Menu in Admin Console.
>
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
> exact steps to reproduce).
>
> Thanks,
> Marek
>
> >
> > Are there any issues with JPA cache?
> >
> > Best regards,
> > Lukasz Lech
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 28 Jan 2019 21:07:05 +0100
> From: Marek Posolda <mposolda(a)redhat.com>
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> To: Dmitry Telegin <dt(a)acutus.pro>, Chris Smith
> <chris.smith(a)cmfirstgroup.com>, "keycloak-user(a)lists.jboss.org"
> <keycloak-user(a)lists.jboss.org>
> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> +1
>
> GSSCredential is used just during SPNEGO authentication. You may
> possibly change the built-in authentication flows or userStorage
> provider, so that after verification with username/password, the
> GSSCredential will be somehow obtained from the JAAS Subject used for
> the authentication (See class KerberosUsernamePasswordAuthenticator for
> the details).
>
> However I am not sure if this is really possible and it will require
> some more deep-dive into the Keycloak codebase and Kerberos
> implementation in JDK... Just a hint...
>
> Marek
>
> On 28/01/2019 07:21, Dmitry Telegin wrote:
> > Hello Chris,
> >
> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
> sure it's possible at all to obtain it outside of Kerberos context, like
> e.g. via pure LDAP authentication.
> >
> > Cheers,
> > Dmitry
> >
> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> >> Does anyone have feedback about getting a delegated GSSCredential?
> >>
> >> -----Original Message-----
> >>> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> >> Sent: Wednesday, January 23, 2019 10:12 PM
> >> To: keycloak-user(a)lists.jboss.org
> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> >>
> >> Here is a Diagram of what I'm trying to do
> >>
> >> From: Chris Smith
> >> Sent: Wednesday, January 23, 2019 8:08 AM
> >>>> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
> >> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
> >>
> >> I have setup my servlet to authenticate a user my web app using
> Keycloak Active Directory ldap user federation
> >>
> >> I can get a Delegated GSSCredential when the SPNEGO enabled
> browser runs on a workstation in the AD domain.
> >> When the browser workstation is not a member of the AD Domain, Keycloak
> will authenticate the user id and password entered on the keycloak login
> page, but there will not be a Delegated GSSCredential in the Access Token
> in my servlet.
> >>
> >> I have a requirement to use the GSSCredential to call programs on an
> IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a
> Kerberos Ticket from Active Directory as an authenticated credential (aka
> EIM, Enterprise Identity Mapping).
> >>
> >> Less than 1% of the users will be using browsers on workstations in the
> Active Directory domain.
> >>
> >> Can Keycloak put a GSSCredential for the logged in user in the Access
> Token when SPNEGO is not available from the browser?
> >>
> >>
> >>
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
5 years, 11 months
OsgiJaxrsBearerTokenFilterImpl init resolver class on every request
by Nhut Thai Le
Hello,
We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI env
to filter requests to our REST service as follow:
@Component(
    service = {
        ContainerRequestFilter.class,
        ContainerResponseFilter.class
    },
    scope = ServiceScope.PROTOTYPE,
    property = {
        "osgi.jaxrs.extension=true",
        JAX_RS_NAME + "=DiagramRestFilter",
        DiagramConstants.REST_APP_SELECT
    }
)
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
        implements ContainerResponseFilter {
    private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
    private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
    private final Logger log = LoggerFactory.getLogger(getClass());

    @Reference
    private SessionService sessionService;

    @Activate
    public void activate(BundleContext bundleContext) {
        log.trace("Activating {}", getClass()); //$NON-NLS-1$
        // fully qualified name of the resolver the adapter uses to look up the Keycloak config
        setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$
        setBundleContext(bundleContext);
    }
    // remaining filter methods were not included in the post
}
As you can see, we set the filter scope to Prototype as recommended by the OSGi
compendium (https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685)
but we see a lot of the following line printed when the server starts:
INFO: Using
com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver@738e48f7
to resolve Keycloak configuration on a per-request basis.
Does that mean the config resolver is being instantiated for each request?
Since the configuration never changes, would it make sense to
instantiate this config resolver only once?
Thai Le
5 years, 11 months
Keycloak integration with django
by Wagner
Hi there,
I've been looking for ways to integrate keycloak with django, and have
found the django-keycloak project, but the docs are kind of limited.
Can anyone point me in the direction of integrating it with an existing
django project? I don't want to use the django admin web interface to
configure it, but haven't found any other way to do so.
Thanks,
Wagner
5 years, 11 months
Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?
by Edgar Vonk - Info.nl
hi all,
We are trying to set up Keycloak to act as a federated identity provider between our (OAuth2-enabled) application and the external SAML 2.0-enabled NetIQ Access Manager identity provider using: https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-id...
The basic setup including authentication works fine. However, logging out does not. When attempting to log out from our application Keycloak sends a SAML LogoutRequest to NetIQ Access Manager, but NetIQ does not accept this request because, from what we understand from NetIQ, this request is not signed.
It seems that Keycloak does not support sending signed LogoutRequests from SAML Identity Providers? Is this indeed the case, and how could we go about solving this? Maybe create a custom IdentityProvider, or possibly send a SAML LogoutRequest to NetIQ from our application directly?
Example of the SAML LogoutRequest sent by Keycloak:
<samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
<samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>
I am no expert on SAML at all, but this is from the SAML 2.0 specs (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profil...):
4.4.4.1 <LogoutRequest> Usage:
"The requester MUST authenticate itself to the responder and ensure message integrity, either by signing the message or using a binding-specific mechanism."
Should Keycloak not support signing SAML LogoutRequests?
cheers
Edgar
5 years, 11 months
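As an added example (not code from the thread or from Keycloak), the following Python applies the integrity rule quoted from SAML profiles 4.4.4.1 to the LogoutRequest above: for the HTTP-POST binding it looks for an enveloped XML signature referencing the request ID, and for the HTTP-Redirect binding it builds the encoded query and shows which parts a signature must cover. Only structure is checked; verifying the digest or signature needs an XML-DSig library.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# The unsigned LogoutRequest quoted in the post (inter-element whitespace dropped).
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo" '
    'ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" '
    'Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://localhost:8080/auth/realms/our-realm</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>'
    '<samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex></samlp:LogoutRequest>'
)

def post_binding_signed(xml_text):
    """HTTP-POST: needs an enveloped XML signature whose Reference URI is the request
    ID. Structural check only; verifying the digest needs an XML-DSig library."""
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")
    if sig is None:
        return False
    ref = sig.find(".//" + DS + "Reference")
    return ref is not None and ref.get("URI") == "#" + root.get("ID", "")

def redirect_binding_query(xml_text, relay_state=None):
    """HTTP-Redirect: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    return urlencode(params)

def decode_redirect_request(query):
    """What the responder recovers from the SAMLRequest parameter."""
    raw = parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(raw), -zlib.MAX_WBITS).decode()

def redirect_string_to_sign(query):
    """Signature covers the still URL-encoded parts in the fixed order SAMLRequest,
    RelayState, SigAlg; None means SigAlg/Signature are missing, i.e. unsigned."""
    raw = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if "SigAlg" not in raw or "Signature" not in raw:
        return None
    keys = ["SAMLRequest"] + (["RelayState"] if "RelayState" in raw else []) + ["SigAlg"]
    return "&".join(k + "=" + raw[k] for k in keys)
```

Run against the message from the post, post_binding_signed returns False, which is the condition NetIQ rejects; a responder that "requires" signed requests would check exactly this, or the SigAlg/Signature parameters on the redirect binding.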