by Sebastian Perkins - Hoist Group - Switzerland
5 years, 1 month
Keycloak-SAML server integration
by pavlos kaimakis
Currently I’m using Keycloak as an IdP connected to an Active Directory server and some bespoke tool I’ve created as an SP (Keycloak client), and everything works as expected. I recently got a request to use SAML for authentication purposes, so I was thinking whether I could use Keycloak as an identity broker (instead of changing my code to integrate it with the SAML server right away).
So the flow would be ‘my_tool (keycloak client)’ -> Keycloak -> Saml Server -> LDAP.
What I did on the keycloak side was to add an Identity Provider using SAML, having taken some metadata from the SAML server. At the same time I connected this SAML server with my Active Directory.
Now on the Keycloak login page I get a button reading ‘saml’ next to the username/password fields. I click it and I get redirected to my SAML server, and if I log in with my AD credentials, I get a ‘success screen’.
Nonetheless, each time I try to log in again I get an ‘update profile’ page, although I use the same username/password. I’ve observed that the ID changes and this ID seems to be related to the identity_provider_identity field (according to the Keycloak logs). This ID is an alphanumeric string (first column under the ‘users’ tab).
Any ideas what I’m doing wrong? Just to note, that under the SAML Identity Provider I’ve created mappers for the AD attributes, but I haven’t created any mapper under the client option.
Any ideas would be more than welcome.
5 years, 1 month
Http2 setup
by Hammad Haqqani
Hi Folks
I was wondering if anyone can share steps on how to enable HTTP/2.
Hammad Haqqani
Sr Devops Engineer
5 years, 1 month
Need help to properly use the prompt=none option to check if a user has an active session or not
by Gilbert FERNANDES
Hello to All
I have a little problem crafting a JMeter script to make a call to the authorization endpoint in order to use the prompt=none option.
I have set up a Keycloak with one realm and one client.
The client is set as public, direct grants enabled, implicit flow on, standard flow enabled.
In Keycloak I go into the client -> sessions and Logout everyone:
0 sessions, 0 offline.
The first JMeter script does a complete connection:
1. Call to /auth
2. Sends me a web page with a form
3. I extract the "action" from the HTML form
4. I do a POST on the action URL + insert login and password
5. Keycloak does the 302 Redirect with code in URL
6. I call the token endpoint with the code and get the JWT JSON back
If I check in Keycloak, the session appears; it is set to last 30 days.
Now comes my problem: I want to check if the user is connected, or not, using the prompt=none option.
So I create a second JMX script that does a GET on /auth/realms/${realm}/protocol/openid-connect/auth
(realm is replaced by the realm I use, which is test; my client is also called test).
I inject the following fields:
response_type = code
client_id = test
redirect_url = www.google.fr (I only care about what KC adds to the URL)
scope = openid
state = ebd16dfa-dc7e-4524-a87c-fcb138d2af8b
prompt = none
id_token_hint = id token contents found in the JWT
The ebd16dfa-dc7e-4524-a87c-fcb138d2af8b is the value I found in the JWT token in the field session_state. I pasted into the id_token_hint the contents of the id_token from the JWT in its URL-encoded form.
Whether the user is connected or not, I always get the same answer:
Response code: 302
Response message: Found
Location: http://www.google.fr?error=login_required&state=ebd16dfa-dc7e-4524-a87c-f...
I get the login_required all the time.
I have tried after doing a Logout all,
and after connecting myself and checking that I have an active session for the client in the realm in the web console.
I tried to search online.
I tried various response_type codes I could see (with Keycloak saying they are invalid); I tried token_id%20 for example, no change.
I don’t know what I'm doing wrong.
I only work on the back part of it and I have to check what happens when the front people use the prompt=none, and I'm then doing JMeter scripts to emulate what they do. But this is the first time I'm trying to use prompt=none and I'm failing miserably at it ☹
5 years, 1 month
Where to store the refresh token? Can we avoid refresh token and rely on SSO cookie for access token renewal?
by Paul Luk
From various documents, it seems storing the refresh token is not recommended
for browser-based web applications that cannot safely keep the refresh token.
So, I am wondering whether I can configure Keycloak to achieve the following
(authorization code grant):
1. respond with the access token only (token endpoint)
2. when the access token has expired, rely on the SSO cookie to invoke a
method/endpoint in Keycloak to obtain a new access token via AJAX.
Can you please share your way to cater for the refresh token? And comment on my
5 years, 1 month
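For the two posts above (checking for an active session with prompt=none, and renewing an access token without a refresh token by letting the browser's SSO cookie ride on a prompt=none request), here is an added Python example that is not code from any poster: it builds the silent authorization request and interprets Keycloak's 302 redirect. It assumes the standard OIDC parameter name redirect_uri and illustrative base URL, realm and client names; the HTTP call itself (requests, JMeter, or the browser) must send the Keycloak SSO cookies set at the initial login, so a scripted client has to reuse that cookie jar.

```python
# Added example (not from any poster on this list): build a prompt=none
# authorization request and interpret the 302 that Keycloak answers with.
# Assumed: base URL, realm and client names are illustrative; parameter
# names follow the OIDC spec (redirect_uri, not redirect_url).
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_prompt_none_url(base, realm, client_id, redirect_uri,
                          id_token=None, state=None):
    """Return (url, state) for a silent session check / token renewal.

    The request only succeeds if the HTTP client also sends the Keycloak
    SSO cookies set at the initial login, so a scripted caller must reuse
    that cookie jar; with a fresh cookie jar prompt=none always yields
    error=login_required, whatever id_token_hint says.
    """
    state = state or secrets.token_urlsafe(16)  # fresh per request, not session_state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "prompt": "none",
    }
    if id_token:  # optional: lets Keycloak check the request is for the same user
        params["id_token_hint"] = id_token
    url = f"{base}/auth/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, state


def classify_redirect(location, expected_state):
    """Map the Location header of the 302 to one of:
    'active'      - a code was issued; exchange it at the token endpoint
    'no_session'  - error=login_required: no SSO session for this browser
    'error:<x>'   - any other OIDC error (interaction_required, ...)
    """
    q = parse_qs(urlsplit(location).query)
    if q.get("state", [None])[0] != expected_state:
        # A response carrying a state we did not issue must not be trusted.
        raise ValueError("state mismatch")
    if "code" in q:
        return "active"
    err = q.get("error", ["unknown"])[0]
    return "no_session" if err == "login_required" else f"error:{err}"
```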
Authorization Policies Keycloak
by Alfonso Vidal García
Hi everyone!
I have a question. I am trying to apply to my server an authorization policy where, depending on the role of the user, that user will be granted access to certain resources of the app. How could this be done with Keycloak?
Thanks in advance!
5 years, 1 month
Welcome Theme Customization
by Talat Zaitoun
I am trying to customize the welcome screen theme but my changes are not taking effect. I am following the instructions at https://www.keycloak.org/docs/latest/server_development/index.html#config... section 3.2. I have created my theme in this path keycloak/themes/custom-theme/welcome and I changed the welcomeTheme tag in the standalone.xml to “custom-theme”, but it still doesn’t work. With this file structure, I was able to change the themes of all other modules such as email, account and login by selecting the theme in the admin portal. However, the current instructions for the welcome theme do not seem to work for me. I must be missing something obvious.
Thank you for your help.
5 years, 1 month
Last connection between 2 browsers when subscribing
by Christophe Lehingue
When I register via the Keycloak new user creation interface, I generate an
email to verify the user email: OK.
When I’m on the browser in which I carried out all the connection phases =>
everything is OK.
However, when I copy the email verification link into another browser (in
which no connection phase was carried out) => I land on the following screen,
“return to the application”, and when I come back to the application I am no
longer authenticated.
Can you tell me how to proceed?
Keycloak version: 6.0.1 or 7.0.1 and latest keycloak-js version.
=== ORIGINALLY IN FRENCH ====
When I register via the Keycloak new user creation interface, I generate an
email to verify the user email: OK.
When I am on the browser in which I carried out all the connection phases
=> everything is OK.
However, when I copy the email verification link into another browser (in
which no connection phase was carried out)
=> I land on the following screen, "return to the application", and when I
come back to the application I am no longer authenticated.
Can you tell me how to proceed?
Keycloak version: 6.0.1 or 7.0.1 and latest keycloak-js version.
Thank you.
5 years, 1 month