Re: [keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?
by Hans Zandbelt
Hi Ed :-),
From a quick peek at the code [1] it looks like Keycloak re-uses the
per-identity provider setting for signing authentication requests for the
logout requests as well. By setting "Want AuthnRequests Signed" in the
configuration for NetIQ Keycloak should start signing the logout requests
as well.
I believe you are right that the spec requires sending signed logout
requests when using the POST binding.
Let me know if that works,
Hans.
[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
On Mon, Jan 28, 2019 at 12:41 PM <keycloak-user-request(a)lists.jboss.org>
wrote:
> Date: Mon, 28 Jan 2019 11:10:53 +0000
> From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl>
> Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
> not working with NetIQ Access Manager because it is not signed?
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID: <82603569-9670-44FD-8D01-9BA5F1998CEF(a)info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> hi all,
>
> We are trying to set up Keycloak to act as a federated identity provider
> between our (OAuth2-enabled) application and the external SAML 2.0-enabled
> NetIQ Access Manager identity provider using:
> https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-id...
>
> The basic setup including authentication works fine. However logging out
> does not. When attempting to log out from our application Keycloak sends a
> SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this
> request because, from what we understand from NetIQ, this request is not
> signed.
>
> It seems that Keycloak does not support sending signed LogoutRequests from
> SAML Identity Providers? Is this indeed the case and how could we go about
> solving this? Maybe create a custom IdentityProvider or possibly send a
> SAML LogoutRequest to NetIQ from our application directly?
>
> Example of SAML LogoutRequest sent by Keycloak:
>
> <samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
>     ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
>     IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
>   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
>   <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
>
> I am no expert on SAML at all but this is from the SAML 2.0 specs (
> https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profil...
> ):
>
> 4.4.4.1 <LogoutRequest> Usage:
> "The requester MUST authenticate itself to the responder and ensure
> message integrity, either by signing the message or using a
> binding-specific mechanism."
>
> Should Keycloak not support signing SAML LogoutRequests?
>
> cheers
>
> Edgar
>
>
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
FW: Get a GSSCredential when user browser is not in Active Directory domain
by Chris Smith
Thank you Dmitry
My Keycloak realm is setup for LDAP/Kerberos authentication with a Windows Active Directory domain.
So I am getting a delegated GSSCredential in my AccessToken when I access my Web App from a properly configured browser (SPNEGO) on a workstation in the Windows Active Directory Domain.
If the browser is not configured for SPNEGO or the workstation is not a member of the Windows Active Directory Domain, the browser is redirected to the Keycloak login page. After entering a correct user and password, the browser is redirected back to the Web App.
This step is what I need to successfully authenticate a Windows AD User ID/password combination and it works.
My problem is there is no claim in the AccessToken for a GSSCredential.
I have an absolute requirement for a GSSCredential for that Windows AD User ID/Password.
The GSSCredential is to be used in the web app to connect to an IBM i (aka AS/400) for calling RPG and COBOL programs.
The IBM i is Configured to accept the GSSCredential and it works when the workstation is a member of the Windows AD domain and the browser is configured for SPNEGO.
Can Keycloak be configured to put a GSSCredential in the AccessToken when Keycloak authenticates the Windows AD User id/Password?
If not, would it be a large effort to add a plugin that would put a GSSCredential in the AccessToken?
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Monday, January 28, 2019 2:21 PM
To: Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
>
> Here is a Diagram of what I'm trying to do
>
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> To: 'keycloak-user(a)lists.jboss.org'
> <keycloak-user(a)lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
>
> I have set up my servlet to authenticate a user to my web app using
> Keycloak Active Directory LDAP user federation.
>
> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>
> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
Server Admin: Ship master realm with ssl disabled / set to none
by Bruce Wings
I am using a reverse proxy with my Keycloak server, which is SSL protected. I
have also shipped default configuration for my custom realm with SSL set to
"none". But what is the way to ship the master realm with SSL set to none? By
default it is getting shipped with SSL set to "external requests".
SAML SSO logout invalid destination error
by Martin Duží
Hello,
our team is using SAML SSO via Keycloak with several 3rd party applications.
After updating Keycloak from version 4.2.1 to 4.8.2, we started having a
problem with logout from JFrog Artifactory, which ends up on the page "We're
sorry ... Invalid Request".
Keycloak prints following error in server.log:
2019-01-18 19:02:44,198 WARN [org.keycloak.events] (default task-1)
type=LOGOUT_ERROR, realmId=fea322ef-a93e-c7db-aa08-c4eea81b38ff,
clientId=null, userId=null, ipAddress=(null), error=invalid_logout_request,
reason=invalid_destination
Which seems to indicate problem with destination attribute in logout
request and it is indeed missing from the xml sent by Artifactory:
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="add9d022-12da-40a2-80bd-f1d5b042a595"
    IssueInstant="2019-01-18T07:23:50.822Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory.example.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>a8ec478f-a05c-4feb-8ec2-4dd9015eabe9::37dcf7a4-0a11-4cfe-9a23-6d4d3cd4e9e0</saml2p:SessionIndex>
</saml2p:LogoutRequest>
Looking at SAML specs and also recent code changes in Keycloak, destination
should be optional. Client Signature Required is turned off. Other
applications that actually send destination attribute can logout without
issues.
Does anyone have an idea what the problem could be here?
BR
Martin Duzi
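The two threads above show the two structural checks an IdP applies to an inbound LogoutRequest: Destination is optional but must match the SLO endpoint when present (Martin's invalid_destination), and the POST binding needs the signature enveloped in the message (the profile text Edgar quotes). The following is an added example, not Keycloak's code or either poster's; the two quoted requests are embedded as sample input and the endpoint URLs in demo() are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Sample input: the two requests quoted in the threads above, re-indented.
KEYCLOAK_REQUEST = """<samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
  ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://localhost:8080/auth/realms/our-realm</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
  <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>"""
ARTIFACTORY_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="add9d022-12da-40a2-80bd-f1d5b042a595" IssueInstant="2019-01-18T07:23:50.822Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory.example.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>a8ec478f-a05c-4feb-8ec2-4dd9015eabe9::37dcf7a4-0a11-4cfe-9a23-6d4d3cd4e9e0</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

def check_logout_request(xml_text, slo_endpoint, binding, now, max_skew=timedelta(minutes=5)):
    """Return the reasons to reject an inbound LogoutRequest; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "LogoutRequest":
        return ["not a LogoutRequest"]
    problems = []
    # Destination is optional in the schema; when present it must name this SLO endpoint.
    dest = root.get("Destination")
    if dest is not None and dest != slo_endpoint:
        problems.append("invalid_destination")
    # IssueInstant must fall inside the skew window so a captured request is useless later.
    try:
        issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
        if abs(now - issued) > max_skew:
            problems.append("stale IssueInstant")
    except (ValueError, TypeError):
        problems.append("unparseable IssueInstant")
    if not root.findtext(SAML + "Issuer", default="").strip():
        problems.append("missing Issuer")
    if root.find(SAML + "NameID") is None and root.find(SAML + "EncryptedID") is None:
        problems.append("missing subject identifier")
    # Integrity (profiles 4.4.4.1): POST needs an enveloped signature; Redirect carries it in the query string.
    if binding == "POST" and root.find(DS + "Signature") is None:
        problems.append("unsigned request over POST binding")
    return problems

def demo():
    """Run both quoted requests with a clock set just after their IssueInstant."""
    t1 = datetime(2019, 1, 28, 10, 44, tzinfo=timezone.utc)
    t2 = datetime(2019, 1, 18, 7, 24, tzinfo=timezone.utc)
    idp = "https://idp.example.com/auth/realms/demo/protocol/saml"  # hypothetical Keycloak SLO URL
    return {
        "keycloak_to_netiq": check_logout_request(KEYCLOAK_REQUEST, "https://dummyhost.net/nidp/saml2/slo", "POST", t1),
        "artifactory_to_keycloak": check_logout_request(ARTIFACTORY_REQUEST, idp, "REDIRECT", t2),
        "wrong_destination": check_logout_request(KEYCLOAK_REQUEST, idp, "REDIRECT", t1),
    }
```

The first request fails only the POST-binding signature check, the Artifactory request passes because a missing Destination is not an error, and the third shows the mismatch case that produces invalid_destination.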
Adding multiple custom REST endpoints
by Walker, Charles
The documentation states that if you want to add a custom endpoint, you
need to implement the RealmResourceProviderFactory and
RealmResourceProvider interfaces. Then the examples show that you create
an "org.keycloak.services.resource.RealmResourceProviderFactory" file in
the "META-INF/services" directory that references the implementation.
But what if I want to have multiple implementations? Would these
implementations just be listed in the above file
"org.keycloak.services.resource.RealmResourceProviderFactory" as comma
separated, space separated, or what?
Thanks for your help,
Charles Walker
adding translations to theme leads to NullPointerException
by Eugen Stan
Hello,
We have translated Keycloak into multiple languages, available at [1].
I've copied those translations into our custom theme and built the
Docker image.
I updated the image and it fails to start with the following exception.
Just the files being there causes the exception.
Any ideas how to fix this?
Regards,
```
15:47:17,655 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-6) Failed to create error page: java.lang.NullPointerException
    at org.keycloak.theme.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java:117)
    at org.keycloak.theme.ExtendingThemeManager.getTheme(ExtendingThemeManager.java:95)
    at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:26)
    at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:21)
    at org.keycloak.services.error.KeycloakErrorHandler.toResponse(KeycloakErrorHandler.java:71)
    at org.jboss.resteasy.core.ExceptionHandler.executeExceptionMapper(ExceptionHandler.java:102)
    at org.jboss.resteasy.core.ExceptionHandler.unwrapException(ExceptionHandler.java:131)
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:197)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:459)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
```
[1] https://github.com/GreatPeopleInside/keycloak
SAML on Tomcat using Keycloak
by Sandeep Muddamsetty
Hi ,
We have a requirement to implement SSO on Tomcat. After referring to many blogs and threads we came to know that there is no direct solution in Tomcat like in other application servers such as WebLogic and WebSphere. A few blogs suggested Keycloak but without full documentation. Can anyone help with implementing SSO on Tomcat using Keycloak, with guidance or any documentation?
Thanks,
Sandeep.
Changing the link in emails sent
by Edmund Loh
Hi
In my current implementation, my application makes an api call to
Keycloak's REST API to send an email to alert the user to reset their
password.
The URL in the email would look like this:
http://<internal ip address and
port>/auth/realms/MyRealm/login-actions/action-token?key=...
However, since it is an internal address, the user is unable to access it
from his environment. I need the URL in the email to use an external
address instead. Is there a way this can be done?
https://<external
address>/auth/realms/MyRealm/login-actions/action-token?key=...
reverse proxy nginx before keycloak
by Greet Robijns
Hi,
I am having some trouble configuring my nginx server before my keycloak
server. I read the documentation at:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
The problem is that the layout files are not loading and after logging in,
the redirection is incorrect: it goes to /auth/.... instead of
/test/aa/auth.
I am really stuck here. Should I change something in my Keycloak
configuration?
my nginx:
```
worker_processes 1;
events { worker_connections 1024; }
http {
    sendfile on;
    server {
        listen 8080;
        location /test/aa/ {
            resolver 127.0.0.11;
            proxy_pass http://mc:4000/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
        }
    }
}
```
Kind Regards,
Greet Robijns