Microsoft identity provider
by Leigh Kennedy
I am trying to set up Microsoft as an identity provider as per the instructions here:
https://www.keycloak.org/docs/4.8/server_admin/#microsoft
However after being redirected to Microsoft and logging in, I get the following error:
"AADSTS50194: Application '35199672-0b05-45e0-8488-30e143f7902a' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant."
However I don't see anywhere I can control the endpoints keycloak talks to at Microsoft. Has anyone done this? I get the feeling either Microsoft has changed some default, or the docs are missing something or both.
Thanks.
Leigh Kennedy
5 years, 11 months
Re: [keycloak-user] Issue with SAML AuthnRequest
by Luis Rodríguez Fernández
Hello Max,
mmm, I would need to get my hands dirty again with this. This reminds me
that I had an issue with the logout verification signature, see here [1].
Would disabling the signature for the auth request be acceptable for your
system? Our security team is OK with this, or maybe they never realized
;)
Cheers,
Luis
[1]
http://lists.jboss.org/pipermail/keycloak-user/2018-September/015420.html
On Fri, 8 Feb 2019 at 9:34, <max(a)mascanc.net> wrote:
> Hi,
>
> On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> > May I ask you what is the client implementation? For my dev environment,
> > using the tomcat saml adapter in the SP side and Keycloak
> > 4.8.2.Final-SNAPSHOT in the IdP one is working:
>
> It is strange: going into remote debug with Eclipse (running locally on my
> MacOS), I have been able to obtain a successful redirect, and I did not see
> any trivial points at which the assertion signature could be damaged.
>
> I'll investigate for encoding issues on the Linux machine.
>
> In the code, the only point in which the assertion is marshalled to DOM is
> through a call to parse() on the inputstream.
>
> The DOM builder factory is assigned to the threadlocal: why? Can it be
> a threading issue, given that the DOM implementation is not thread-safe?
>
>
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
5 years, 11 months
Password less keycloak with OIDC Federation
by luke@code-house.org
Hi all,
I've been going through a new Keycloak use case and ran into a situation where I am not certain which SPI or API to use. First of all, I would like users to not have any passwords and not see Keycloak most of the time. I already confirmed that such a state can be achieved with extra parameters for authorisation and identity brokering links, which is great.
The second part of the scenario goes as follows:
1. I have an external IdP which I trust entirely, let's say Google.
2. I don't want to store user accounts - Google does it well.
3. Keycloak is a token mapper with the possibility to store extra attributes.
4. Any personal information should be pseudo-anonymised (GDPR).
5. It would be great if I could log in the user automatically with the provider token sent to my service.
I went over the developer docs and the administration docs too. There is a paragraph about user federation and storage and a few sentences about importing users. Based on these I can not really determine which one I should follow. I do not want to import users as there might be quite a lot of them. Copying the entire profile information will occupy a lot of space and require syncing, which I do not really want to do.
Assuming that I manage to get user federation (with no import) based on social broker login, will it be an abuse of Keycloak's abilities? Will Keycloak behave properly if I mock it in such a way that when the identity broker asks about a federated account, it always gets a copy of its own data back?
I found some pointers to using a custom Authenticator, however I am not sure if it's gonna fly as I haven't found any confirmation that such an approach will actually work.
Kind regards,
Łukasz
—
Code-House
http://code-house.org
5 years, 11 months
Require admins to specify email addresses for new users
by Ian Duffy
Hi All,
I'm wanting to use keycloak in a multi-tenant environment where each tenant
is a new realm. The tenant administrators should have access to manage the
realm in order to add users, groups, configure identity providers and so on.
For my multi-tenant setup, I'm copying something similar to slack.com and
their multiple workspaces.
- There should be a tenant onboarding system that will allow users to sign
up to the system. Before creating a new tenant they must be authenticated
against a client-id for the tenant manager. This authentication is just
email verification using the magic link extension
https://github.com/stianst/keycloak-experimental . Tenant creation is done
by using the credentials of the master realm, the tenant manager will take
in a tenant name and password, it will then go off and create a realm
matching this name, a new user in that realm matching the verified email
address used to create the realm and the supplied password, and a client
for the tenanted application which will be served via a vanity URL e.g.
tenant.example.org.
- Allow discovery of which tenants my email address exists within. I've
configured keycloak using
https://github.com/thomasdarimont/wjax2018-spring-keycloak/tree/master/id...
to emit events to JMS. My tenant manager picks up these events and
maintains a database of realm/tenant <-> email mappings. As such, the
tenant manager is able to provide a verified email address with a list of
tenants it's associated with.
- Allow passwordless login to an associated tenant or a created tenant.
Before a user can create a tenant or list a tenant they are associated with
they must verify their email address. As the user is verified, it makes
little sense to have them login to newly created tenants or to associated
tenants discovered via the tenant manager. The tenant manager uses
impersonation to generate a cookie and places it into the user's browser to
allow for a seamless transition from tenant manager to the tenant. Users
accessing the tenant directly via the vanity URL will always be prompted
for their tenant-specific username/password.
The system I've described above assumes that each user uses their email
address as their username or that they have a valid email address
configured for their account. As mentioned above, I would like to hand off
user creation to the tenant administrators. Is there any way to enforce
that users created by the tenant administrators in the keycloak console
must have email addresses and the email addresses must be verified on first
login?
My only thought for achieving this so far is to listen to user created
events and, for each one, always turn on "Update profile" and "Verify email",
as this will force the user to do those things on first login. However, it
would be neat to be able to modify Keycloak to have these as defaults for
every user created within the realm.
Thanks,
Ian.
5 years, 11 months
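One way to implement the event-listener approach described in the post above (forcing "Update profile" and "Verify email" on every admin-created user), as an added example that is not code from the post or from Keycloak itself; the class and listener name are hypothetical, and it assumes the standard Keycloak EventListenerProvider SPI plus a matching EventListenerProviderFactory (not shown) that registers it so it can be enabled under the realm's Events > Config > Event Listeners:

```java
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical listener: every user an admin creates through the console or
// admin REST API gets "Update profile" and "Verify email" as required actions,
// so the account cannot be used until an email address is set and verified.
public class RequireVerifiedEmailListener implements EventListenerProvider {

    private final KeycloakSession session;

    public RequireVerifiedEmailListener(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // User-facing events (login, registration) are not needed here.
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // A user created by an administrator arrives as an admin event with
        // operation CREATE on resource type USER and path "users/{id}".
        if (event.getResourceType() != ResourceType.USER
                || event.getOperationType() != OperationType.CREATE) {
            return;
        }
        String path = event.getResourcePath();
        String userId = path.substring(path.lastIndexOf('/') + 1);

        // The event carries the realm's internal id (a UUID), not its name,
        // so resolve the RealmModel by id before looking up the user.
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        UserModel user = session.users().getUserById(userId, realm);
        if (user == null) {
            return; // nothing to do if the user is not visible to this session
        }
        user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        user.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
    }

    @Override
    public void close() { }
}
```

Users created through the realm's self-registration flow are not covered by this listener, since those do not produce an admin CREATE event.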
Native iOS Facebook auth
by Andrew J. Alexander
I am seeing this thread:
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html
And I am wondering a similar question - is there a way to use native
Facebook access token to authenticate with Keycloak?
Facebook is saying that they want my client to update their app to use the
Facebook SDK for login as opposed to non-standard SDK (i.e.
AeroGear/Keycloak)
I am trying to use the token provided by Facebook on successful login, with
absolutely no luck.
What is the recommended way (or is there a guide) on how to do this?
5 years, 11 months
Realm lookup from Realm ID (not realm name)
by Ian Duffy
Hi All,
I'm using an Event SPI to publish create-user Keycloak events into ActiveMQ.
These events are consumed and stored in another service that allows for realm
to username/email mappings.
The Event payload contains the Realm ID (a UUID) rather than the Realm
Name. I'm not seeing any way to query the realm through the API via Realm
ID. Is there an approach for converting Realm ID to Realm Name?
Thanks,
Ian.
5 years, 11 months
RP-initiated backchannel logout
by Мартынов Илья
Hello,
My RP should support dropping a user's session by an admin. I need to drop the KC
session together with the RP's session. But I can't use the frontchannel here as
the admin is dropping the session for another user. So RP-initiated backchannel
logout is required. I see no docs about this functionality in KC. We use
OpenID Connect between RP and KC, so I've searched the protocol specs.
From section "3. RP-Initiated Logout Functionality" of
https://openid.net/specs/openid-connect-backchannel-1_0.html and from
section "5. RP-Initiated Logout" of
https://openid.net/specs/openid-connect-session-1_0.html one can conclude
that sending a backchannel request to the end_session_endpoint with the ID token
should drop the session on the KC side.
Could you please comment, is my understanding correct?
5 years, 11 months
Identity first login flow
by Arlen Thurber
Hello Keycloak community,
I am looking for more information on a custom authentication method named
Identity first login flow. I found this concept in a Keycloak Jira ticket,
https://issues.jboss.org/browse/KEYCLOAK-1514.
The issue was opened 03/Jul/15. There was a discussion back in February of
2018 that mentioned that this functionality would be offered "out of the
box" (http://lists.jboss.org/pipermail/keycloak-dev/2018-February/010416.html),
but I can't find any more mention of it, and the issue was just recently
put into triage on 22/Jan/19.
In the description of Identity first login flow:
"This makes it possible to not require a password for a user when other
authentication mechanisms are used (for example fingerprint, two-way ssl,
etc.). Also, it allows automatically redirecting to an external IdP when
the user is linked to an external IdP (either the user used the IdP to
login before or a email domain has been configured to the IdP)."
Does anyone have any more information about this concept, an example of it
working, or advice on how this login flow could be achieved?
Thank you,
Arlen
5 years, 11 months
issue with jboss/keycloak:4.8.3.Final image
by Meissa M'baye Sakho
I'm trying to connect to the CLI inside a Docker container built on the
keycloak:4.8.3.Final Docker image.
When I'm inside the container, once I execute the following command in the
Keycloak bin directory:
./jboss-cli.sh --connect
I'm getting the following errors when I try to type anything.
[standalone@localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
at org.aesh.readline.Buffer.insert(Buffer.java:231)
at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
at org.aesh.readline.Readline.readInput(Readline.java:95)
at org.aesh.readline.Readline.access$1000(Readline.java:57)
at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
at org.aesh.io.Decoder.write(Decoder.java:133)
at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
Any advice?
MEISSA SAKHO
5 years, 11 months
Gatekeeper - Documentation
by Andreas Wieland
Hi Keycloak Team,
we just found out the hard way that not all possible parameters are described in your online documentation.
We tried to use Gatekeeper as an authorization proxy but had problems with redirections.
After a lot of testing and fiddling we found the following parameter for Gatekeeper which helped:
--base-uri value
If you start Gatekeeper with the help flag it will be part of the list.
But we used Gatekeeper with the Docker image.
Therefore, I would suggest including a complete list of possible parameters at the end of the online documentation.
Kind regards,
Andreas Wieland
Software Developer
Intelligent Data Analytics GmbH & Co. KG
c/o TechQuartier
Platz der Einheit 2
60327 Frankfurt
Mobile: 015172834024
Phone: 06421/4805274
Fax: 06421/4805275
E-Mail: andreas.wieland(a)ida-analytics.de
Internet: www.ida-analytics.de
Registered office: Frankfurt am Main | Commercial register at the local court: Frankfurt am Main, registration number: HRA 49357 | VAT ID no.: DE310205810 | Tax office: Frankfurt am Main
Personally liable partner: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the local court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann
5 years, 11 months