keycloak federation
by jaswanth chilaka
Hi
I'm Jaswanth. I was recently working on Keycloak and I want to federate
Keycloak with OpenAM. Here we want Keycloak as IDP and OpenAM as SP. So I
have a few doubts regarding that: how could you configure OpenAM with Keycloak?
Does Keycloak support OpenAM circle of trust?
Thanks & Regards,
Jaswanth
5 years, 11 months
Action token implementation extensions??
by Craig Setera
In addition to my question yesterday about REST endpoint extensions, I now
have a new issue. Basically, my hope/plan was to create a REST endpoint
and use that to retrieve a new type of action token that I was
implementing. I was able to create a new REST endpoint and validate that
the incoming user has the authority we want to require to initiate the new
action.
Now, I'm trying to create the new action token to be returned. I've
implemented all of the necessary interfaces. However, it is failing to
deploy properly because all of the required classes are part of the
keycloak-services module which appears to not be accessible. Am I missing
something here? How can I create a new action token implementation and get
it properly deployed and working?
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 11 months
Showing error messages originating from external identity providers
by Guy Marom
Hello all,
First off, thanks for developing this. The product is very useful for us!
Second, I wanted to ask about external identity providers. We have an
integration with *Azure Active Directory* and I configured an app in Azure
that does not allow all users to use it by default, instead I need to
assign a user to the app.
When I try to login to Keycloak with a user that's unauthorized, I get
redirected to Keycloak's login page with no error message shown.
Is there a way to fix this (other than editing the HTML template of the
login page)?
Thanks,
Guy Marom
5 years, 11 months
Send email on creating new user
by Pavel Maslov
Hi all,
When I manually create a new user from the Keycloak Admin Console (UI), can
Keycloak automatically send an email to that person?
From what I can see now the user does not know that I have created an
account, unless I inform them (e.g. by email).
Regards,
Pavel Maslov, MS
5 years, 11 months
Add optional LDAP userPassword hashing
by BOUVIER Jean-Damien
Hi all !
My problem is described in the KEYCLOAK-4989 issue, titled "add optional LDAP userPassword hashing".
I'm in the worst case scenario as I use OpenLDAP, which doesn't hash passwords by default, and the way it has been installed, I don't have the "ppolicy overlay" available.
So Keycloak sends the password in clear text, and I thought that I could add specific OpenLDAP configuration to hash the password before.
The LDAP administration already has some specific configuration for AD and I thought that I could start from here (org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory for example).
So, I've written my own StorageMapperFactory :
public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper>
That needs these dependencies :
<dependencies>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-core</artifactId>
<version>${version.keycloak}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-services</artifactId>
<version>${version.keycloak}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-server-spi</artifactId>
<version>${version.keycloak}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-ldap-federation</artifactId>
<version>${version.keycloak}</version>
<scope>provided</scope>
</dependency>
</dependencies>
But whenever I try to deploy the jar, I get :
cat hash-password-openldap-provider.jar.failed
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}
I probably lack one dependency but I can't find which one, as the error message doesn't give a clue and my Maven project compiles.
Could you help me find out what is wrong?
Regards,
Jean-Damien Bouvier
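The post above wants the userPassword value hashed before Keycloak writes it to an OpenLDAP server that has no ppolicy overlay. The following is an added example, not code from the post or from Keycloak: it produces and verifies the {SSHA} (salted SHA-1) form that OpenLDAP accepts in userPassword, which is the hashing such a mapper would apply. The scheme choice, the class name and the 8-byte salt length are assumptions; the Keycloak mapper wiring itself is not shown.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Added example (not from the mailing-list post or from Keycloak).
 * Encodes a clear-text password as an RFC 2307 style "{SSHA}" userPassword
 * value: base64( SHA1(password || salt) || salt ), so the directory stores a
 * salted digest instead of the clear text Keycloak would otherwise send.
 */
public final class SshaUserPassword {

    private static final String PREFIX = "{SSHA}";
    private static final int DIGEST_LEN = 20;   // SHA-1 output size in bytes
    private static final int SALT_LEN = 8;      // assumption: 8 random salt bytes
    private static final SecureRandom RNG = new SecureRandom();

    private SshaUserPassword() {}

    /** Hashes a clear-text password with a fresh random salt. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        return hash(password, salt);
    }

    /** Deterministic variant used by verify(): same password and salt give the same value. */
    static String hash(char[] password, byte[] salt) {
        byte[] pw = toUtf8(password);
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(pw);
            sha1.update(salt);
            byte[] digest = sha1.digest();
            byte[] out = new byte[digest.length + salt.length];
            System.arraycopy(digest, 0, out, 0, digest.length);
            System.arraycopy(salt, 0, out, digest.length, salt.length);
            return PREFIX + Base64.getEncoder().encodeToString(out);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);
        } finally {
            Arrays.fill(pw, (byte) 0);   // do not leave the clear text in the heap longer than needed
        }
    }

    /** Checks a clear-text password against a stored {SSHA} value using a constant-time comparison. */
    public static boolean verify(char[] password, String stored) {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return false;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        if (raw.length <= DIGEST_LEN) {
            return false;   // a digest with no salt after it is not a valid {SSHA} value
        }
        byte[] salt = Arrays.copyOfRange(raw, DIGEST_LEN, raw.length);
        byte[] recomputed = hash(password, salt).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(recomputed, stored.getBytes(StandardCharsets.US_ASCII));
    }

    /** Encodes the char[] without going through an immutable String copy. */
    private static byte[] toUtf8(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        return out;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample password
        String stored = hash(pw);
        System.out.println("userPassword: " + stored);
        System.out.println("verify(correct) = " + verify(pw, stored));                    // true
        System.out.println("verify(wrong)   = " + verify("wrong".toCharArray(), stored)); // false
    }
}
```

Run it with `java SshaUserPassword.java` (JDK 11 or later). The value it prints is what would be written to the userPassword attribute instead of the clear text; OpenLDAP then verifies binds against it itself. SHA-1 is used here only because {SSHA} is the scheme OpenLDAP understands without extra modules; where the server has the pw-sha2 or pw-pbkdf2 modules loaded, the same approach applies with a stronger scheme prefix.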
5 years, 11 months
Getting 'Failed to find provider' when attempting to set default SPI provider
by Jared Blashka
I'm trying to use a custom Email sender provider with keycloak 3.4.3.Final
but something isn't working correctly because keycloak fails to start up
with:
java.lang.RuntimeException: Failed to find provider serviceEmailSender for
emailSender
I'm deploying the provider via a war in the /deployments directory. I have
the factory class listed in the
META-INF/services/org.keycloak.email.EmailSenderProviderFactory file
I've added this to the keycloak-server subsystem
<spi name="emailSender">
<default-provider>serviceEmailSender</default-provider>
<provider name="serviceEmailSender" enabled="true"/>
</spi>
If I leave out the <default-provider> entry and restart the server I can
see that the init() method is called on my EmailSenderProviderFactory
implementation so as far as I can tell everything is configured correctly.
But keycloak doesn't like when I try to set this provider as the default.
Is there something I'm missing?
Jared
5 years, 11 months
First User login with LDAP integration - very slow
by Shetty, Shweta
Hi Folks,
We have integrated keycloak with LDAP Federation and we are having issues with first login of users after a group sync.
1) Do group sync with group-ldap mapper
2) Login user1 with 60 groups from LDAP – it takes anywhere from 9sec-10sec.
3) This first login time increases with increase in groups
Has anyone seen this issue before? We are very particular about the time taken during the user login. Did anyone mitigate this issue
with any configuration changes or such? Is this a known issue? Any advice is highly appreciated.
It looks like it's building the cache with user and group. Is there any way to do this caching for users before the users log in, to speed things up?
Thanks
5 years, 11 months
Admin client API - usersResource.list(offset, limit) - slowness
by Shetty, Shweta
We are seeing extreme slowness in using this API, and we are still not sure what could be the culprit. We enabled more logging on the Postgres side of things, thinking it could be related to Keycloak/Postgres slowness. Once we enabled more logging, we do see that Keycloak is issuing a query like this one at a rate of about one per millisecond:
```select clientscop0_.ROLE_ID as col_0_0_ from CLIENT_SCOPE_ROLE_MAPPING clientscop0_ where clientscop0_.SCOPE_ID=$1```
This fills up the logs so that it is hard to see anything else.
This could be the cause of the problem, which could be slowing Postgres down. We wanted to know if it's some configuration issue which we can optimize to overcome this issue, or if it's a known issue. Please advise.
Shweta
5 years, 11 months
Logout from IDP with Spring Keycloak adaptor
by Hylton Peimer
I have a Keycloak Security Adaptor setup with a logout URL "/sso/logout".
The user logs in to my application using an IDP, and then logs out
by POSTing to /sso/logout; they are redirected to the login page.
However, when attempting to log in again, the user doesn't need to
reauthenticate. It seems Spring doesn't log out from the IDP.
Is there a simple way to get Spring to logout from the IDP? Should I change
the logout URL?
5 years, 11 months
Custom ClaimInformationPointProvider for Spring Boot not called.
by Alexey Titorenko
Hello guys!
Can someone please help me with the following problem?
I need to configure context based access control for my REST-service, when attributes of the protected resources are pushed to Keycloak server for policy evaluation. Protected service is built on Spring Boot.
I’ve configured the system and all works fine with OOTB Claim Information Point provider ‘claims’. But I need a custom one. And this custom CIP is not working. I see from the debug logging, that policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’, thus, never instantiates the CIP.
Below are application.properties for Spring boot and CIP config file. My custom CIP Provider has ‘document’ name. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
5 years, 11 months