Re: [keycloak-user] SAML securing application via browser / REST API via ECP on wildfly
by Luis Rodríguez Fernández
Hello Manuel,
Please, do not say sorry, you do not bother at all.
For scenarios like that one I use the Keycloak Java servlet filter
adapter [1]. This allows me to use SAML2 for the user interface (web
profile) and basic authentication for APIs:
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/saml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/secure/ui/*</url-pattern>
</filter-mapping>
<servlet-mapping>
    <servlet-name>ApiController</servlet-name>
    <url-pattern>/secure/api/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>API</web-resource-name>
        <url-pattern>/secure/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>
        Wildcard allows any authenticated user to access
    </description>
    <role-name>*</role-name>
</security-role>
Hope it helps,
Luis
[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servle...
On Thu, 11 Apr 2019 at 14:31, Manuel Waltschek (<
manuel.waltschek(a)prisma-solutions.at>) wrote:
> Hello Luis,
>
> sorry to bother you again, but for me it is unclear if this can coexist with
> SAML authentication for the same web-app, since it needs a special
> keycloak.json as seen in
> https://github.com/keycloak/keycloak/tree/master/examples/basic-auth
>
> Regards,
>
> Manuel
>
> *From:* Luis Rodríguez Fernández <uo67113(a)gmail.com>
> *Sent:* Thursday, 11 April 2019 14:07
> *To:* Manuel Waltschek <manuel.waltschek(a)prisma-solutions.at>
> *Subject:* Re: [keycloak-user] SAML securing application via browser /
> REST API via ECP on wildfly
>
> Hello Manuel,
>
> If your client can keep secrets I would go for good old basic
> authentication or OAuth2 with the client credentials flow [1]:
> machine-to-machine authentication where a specific user's permission to
> access data is not required.
>
> Hope it helps,
>
> Luis
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.4
>
> On Thu, 11 Apr 2019 at 11:14, Manuel Waltschek (<
> manuel.waltschek(a)prisma-solutions.at>) wrote:
>
> Hello KC Community!
>
> We are currently securing our war via browser SSO with SAML. We are
> deploying on wildfly 10 and are using keycloak as an IdP broker.
> We have the requirement to also secure a REST endpoint which is invoked by
> a third party. I read about ECP briefly in the KC docs and some forum
> discussions, but I could not find out how to set this up. It is also
> unclear if Keycloak even supports this feature. If not ECP, are there any
> other known ways to support this behaviour?
>
> Regards,
>
> Manuel Waltschek BSc.
>
> +43 660 86655 47
> manuel.waltschek(a)prisma-solutions.at
> https://www.prisma-solutions.com
>
> PRISMA solutions EDV-Dienstleistungen GmbH
> Klostergasse 18, 2340 Mödling, Austria
> Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
5 years, 8 months
User creation
by Pavel Drankov
Hello,
I'm trying to implement a two-step registration process based on Keycloak. On
the first step the user enters the same information as in the default registration
form, but with the addition of a telephone number. On the second step, he
enters a code received via an SMS message.
The problem I faced is that if a user successfully filled in the first-step
registration form and failed to enter a valid code on the second step, he
is not able to use the same email address on the first step (because of the "Email
already exists." error). Is there a way to clean up not fully registered
users and allow them to re-register if they have not finished all the steps
of the registration flow?
Best wishes,
Pavel
5 years, 8 months
Import realm settings without removing users
by Pavel Drankov
Hi,
Is there any command-line way to import realm settings without erasing all
the users? If I import realm settings with OVERWRITE_EXISTING, Keycloak also
removes all the users.
Best wishes,
Pavel
5 years, 8 months
offline token issue - critical
by Sulakshana Gunna
Hi,
We were using Keycloak 1.9.8 and are now upgrading to Keycloak 4.8.2.
I am facing a blocker issue with respect to refreshing offline tokens.
I have opened a ticket: https://issues.jboss.org/browse/KEYCLOAK-10029
I would appreciate hearing if anyone has faced a similar issue.
Details repeated below:
We have been using Keycloak for our authentication process.
We generate an offline token using response_type=code and exchange the code for a token. Our client refreshes it when the access token expires.
What is observed is that all the offline tokens generated in Keycloak 1.9.8 are not as expected after upgrading to version 4.8.2. They are assigned an expires_in equal to the session idle time, and the subsequent refresh fails with "Session Not Active". The issue is impairing our release, which is round the corner. Specific details below:
With 1.9.8 keycloak:
1) User logs in with the following url:
https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=code&scope=offline_access
2) When the code is returned, it is exchanged for token using:
curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=<client_id>&client_secret=<client_secret>&redirect_uri=<redirection url>&grant_type=authorization_code&code=<code>" "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response:
{
  "access_token": "<JWT elided>",
  "expires_in": 900,
  "refresh_expires_in": 0,
  "refresh_token": "<JWT elided>",
  "token_type": "bearer",
  "id_token": "<JWT elided>",
  "not-before-policy": 1439992645,
  "session_state": "849c5ed9-6c47-4c3c-93b2-5076cad834e6"
}
3) Keycloak is upgraded to 4.8.2.
4) What is seen in the admin console, is above generated offline tokens are refreshed during upgrade when looked at the last refresh times
5) The offline refresh token is now refreshed with below api after upgrade:
curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>" "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response after upgrade:
{
  "access_token": "<JWT elided>",
  "expires_in": 900,
  "refresh_expires_in": 1800,
  "refresh_token": "<JWT elided>",
  "token_type": "bearer",
  "not-before-policy": 1439992645,
  "session_state": "849c5ed9-6c47-4c3c-93b2-5076cad834e6",
  "scope": ""
}
6) As can be seen above, the new refresh token now expires in 1800 sec, which is the SSO session idle time that I set for my session tokens, whereas before the upgrade these tokens had expires_in of 0. Also the scope is empty; this scope field was not present before the upgrade.
7) At this time when I see the admin console I see that offline session token shows last refresh as the one that I did after upgrade.
8) Now when I refresh this newly generated token, I get the below error:
{"error":"invalid_grant","error_description":"Session not active"}
9) But I still see those offline session token in the table and console.
10) On the other hand, I do not see this issue with any new offline session tokens created after upgrading to 4.8.2.
So what is happening after the upgrade that these old offline tokens are not treated as offline, though they are in the offline session table?
Do we have to do anything as part of the upgrade? All we do is point Keycloak 4.8.2 to the 1.9.8 DB and it takes care of upgrading the database.
Thx
-Sulakshana
5 years, 8 months
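A diagnostic for the symptom Sulakshana describes, added here as an example and not code from the post or from Keycloak: it decodes (without verifying) the refresh token returned by the token endpoint and flags a response whose refresh_expires_in is the idle timeout rather than 0, whose token type no longer says Offline, or whose scope lacks offline_access. It assumes Keycloak's convention that offline refresh tokens carry the claim typ "Offline" and ordinary ones typ "Refresh"; the two token responses and the unsigned sample tokens are constructed to mirror the shapes shown above.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature
    (fine for troubleshooting, never for an authorization decision)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def diagnose(token_response: dict) -> list:
    """Findings for one /protocol/openid-connect/token response.
    Assumption: Keycloak marks offline refresh tokens with typ == "Offline"
    and reports refresh_expires_in == 0 for them."""
    findings = []
    claims = jwt_claims(token_response["refresh_token"])
    typ = claims.get("typ")
    roles = claims.get("realm_access", {}).get("roles", [])
    rexp = token_response.get("refresh_expires_in")
    if typ == "Offline" and rexp != 0:
        findings.append(f"offline token but refresh_expires_in={rexp} (idle timeout applied)")
    if typ != "Offline" and "offline_access" in roles:
        findings.append(f"refresh token typ={typ!r} although the offline_access role is present")
    if "scope" in token_response and "offline_access" not in token_response["scope"].split():
        findings.append(f"scope={token_response['scope']!r} does not include offline_access")
    return findings

def sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg none) for demonstration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{b64url_encode(b'constructed')}"

SESSION = "849c5ed9-6c47-4c3c-93b2-5076cad834e6"  # session_state quoted in the post
BEFORE_UPGRADE = {  # constructed to mirror the 1.9.8 response shape
    "expires_in": 900, "refresh_expires_in": 0, "session_state": SESSION,
    "refresh_token": sample_jwt({"typ": "Offline", "session_state": SESSION,
                                 "realm_access": {"roles": ["offline_access"]}}),
}
AFTER_UPGRADE = {  # constructed to mirror the 4.8.2 response shape
    "expires_in": 900, "refresh_expires_in": 1800, "session_state": SESSION, "scope": "",
    "refresh_token": sample_jwt({"typ": "Refresh", "session_state": SESSION,
                                 "realm_access": {"roles": ["offline_access"]}}),
}

if __name__ == "__main__":
    for label, resp in (("before upgrade", BEFORE_UPGRADE), ("after upgrade", AFTER_UPGRADE)):
        print(label + ":", diagnose(resp) or ["no findings"])
```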
Configuring MySQL JDBC Driver with Keycloak-5.0.0
by Mizuki Karasawa
Hi,
Has anyone successfully loaded the MySQL JDBC driver with Keycloak-5.0.0?
Following https://www.keycloak.org/docs/5.0/server_installation/index.html#_database , it should be straightforward, but I'm getting an error when Keycloak starts:
2019-04-10 14:08:12,055 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 28) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "datasources"),
("jdbc-driver" => "mysql")
]) - failure description: "WFLYJCA0041: Failed to load module for driver [org.mysql]"
This can be reproduced after the driver is configured, before configuring the datasource 'KeycloakDS' to use the JDBC driver. These are the steps that I followed:
1. yum install mysql-connector-java
2. mkdir -p /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
3. cd /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
4. ln -s /usr/share/java/mysql-connector-java.jar ./
5. cat << EOF > module.xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.3" name="org.mysql">
    <resources>
        <!-- path must match the jar name linked into this directory in step 4 -->
        <resource-root path="mysql-connector-java.jar" />
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>
EOF
6. Declare the driver in /opt/keycloak/standalone/configuration/standalone.xml by adding it to the <drivers> section:
<drivers>
    ....
    <driver name="mysql" module="org.mysql">
        <!-- Connector/J 5.x driver class; Connector/J 8.x uses com.mysql.cj.jdbc.Driver -->
        <driver-class>com.mysql.jdbc.Driver</driver-class>
    </driver>
</drivers>
7. restart Keycloak
Note that switching between various JDBC drivers doesn't make a difference. Just to test that the driver itself is fine, I connected to the local management console via http://localhost:9990, loaded the driver as a new deployment, and configured the datasource to use it; that seems to work fine.
Does anyone have suggestions as to what is possibly going on?
Thanks a lot!
Mizuki
5 years, 8 months
Keycloak and Clever
by Aaron Echols
Hi All,
I'm in K-12 education and have been working on implementing Clever. I've
successfully set up and configured Clever as an SP in Keycloak using the
Active Directory Authentication login method. I wanted to share it here, in
case there are others that would like to use it.
Also, it might be useful to have a wiki in the Keycloak documentation for
users to contribute how-to articles on configuring services with Keycloak.
Please consider this. I'd gladly contribute my Clever and Google
configurations there.
I'm not sure how this is going to format, hopefully, it doesn't get too
botched. :)
Create new client
- Go to the Clients page under the {your} realm.
- Click: Create
- Download federation metadata: https://clever.com/oauth/saml/metadata.xml
- Click: Select file
- Browse to the metadata.xml downloaded in the previous step
- Click: Save
- Set the following options (Setting: Flag/Option/String):
  Name: {Give it a user facing name}
  Enabled: ON
  Include AuthnStatement: ON
  Sign Documents: ON
  Sign Assertions: ON
  Signature Algorithm: RSA_SHA256
  SAML Signature Key Name: KEY_ID
  Canonicalization Method: EXCLUSIVE
  Encrypt Assertions: ON
  Client Signature Required: OFF
  Force POST Binding: ON
  Front Channel Logout: ON
  Force Name ID Format: ON
  Name ID Format: email
  Valid Redirect URIs: https://clever.com/oauth/saml/assert
  Base URL: /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
  IDP Initiated SSO URL Name: clever
  Assertion Consumer Service POST Binding URL: https://clever.com/oauth/saml/assert
  Logout Service POST Binding URL: https://clever.com/oauth/saml/assert
Create Mapper(s)
- Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
- Set the following options (Setting: Flag/Option/String):
  Name: clever.any.email
  Mapper Type: User Property
  Property: email
  Friendly Name: Email
  SAML Attribute Name: clever.any.email
  SAML Attribute NameFormat:
  (Setting: Flag/Option/String)
  Name: clever.any.sis_id
  Mapper Type: User Property
  Property: username
  Friendly Name: Username
  SAML Attribute Name: clever.any.sis_id
  SAML Attribute NameFormat:
Import Custom idP Metadata
- Login to https://clever.com/in/<your-portal>
- Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
- Click: or upload metadata file instead (not recommended)
- Download and modify the Auth Mellon idp-metadata.xml file from your clever client in Keycloak and add the missing information below:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>{kID}</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>{cert}</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
- Click the cloud symbol with an up arrow through it to upload the idp-metadata.xml you created.
- Click: Save
- You should see a message in green saying: Your settings have been saved
References
https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO...
https://support.clever.com/hc/en-us/articles/215176617
--
*Aaron Echols*
5 years, 8 months
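A check for the idp-metadata.xml step above, added as an example that is not part of Aaron's post or of Keycloak: it renders the EntityDescriptor template from the walkthrough and reports placeholders left unfilled or elements missing that the client settings above rely on (HTTP-POST SSO and SLO endpoints, the emailAddress NameIDFormat, a signing certificate). The host, realm, key id and certificate values are constructed, and the check function name is my own.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Same structure as the idp-metadata.xml in the walkthrough, with its placeholders.
TEMPLATE = """<EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
    xmlns="{md}" xmlns:dsig="{ds}">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{post}" Location="https://{vip}/auth/realms/{realm}/protocol/saml"/>
    <NameIDFormat>{email}</NameIDFormat>
    <SingleSignOnService Binding="{post}" Location="https://{vip}/auth/realms/{realm}/protocol/saml"/>
    <KeyDescriptor use="signing"><dsig:KeyInfo><dsig:KeyName>{kid}</dsig:KeyName>
      <dsig:X509Data><dsig:X509Certificate>{cert}</dsig:X509Certificate></dsig:X509Data>
    </dsig:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def render(vip: str, realm: str, kid: str, cert: str) -> str:
    """Fill in the {vip}, {realm}, {kID} and {cert} placeholders."""
    return TEMPLATE.format(vip=vip, realm=realm, kid=kid, cert=cert,
                           md=MD, ds=DS, post=POST, email=EMAIL)


def check_idp_metadata(xml_text: str) -> list:
    """Return the problems found; an empty list means the metadata has everything
    the client settings in the walkthrough rely on."""
    problems = []
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        return ["not an EntityDescriptor containing an IDPSSODescriptor"]
    urls = [root.get("entityID", "")] + [e.get("Location", "")
                                         for e in idp if e.tag.endswith("Service")]
    for url in urls:
        if "{" in url:  # an unfilled {placeholder} left from the template
            problems.append(f"placeholder left in {url}")
    for svc in ("SingleSignOnService", "SingleLogoutService"):
        if not any(e.get("Binding") == POST for e in idp.findall(f"{{{MD}}}{svc}")):
            problems.append(f"{svc} has no HTTP-POST binding (Force POST Binding is ON)")
    if EMAIL not in [e.text for e in idp.findall(f"{{{MD}}}NameIDFormat")]:
        problems.append("emailAddress NameIDFormat missing (Name ID Format is email)")
    certs = [c.text or "" for k in idp.findall(f"{{{MD}}}KeyDescriptor")
             if k.get("use") == "signing" for c in k.iter(f"{{{DS}}}X509Certificate")]
    if not certs or any(c.strip() == "" or "{" in c for c in certs):
        problems.append("signing KeyDescriptor has no usable X509Certificate")
    return problems


# Constructed sample values; the certificate is a stand-in, not a real one.
FILLED = render("sso.example.test", "school", "AbCd1234", "MIIC...constructed...")
UNFILLED = render("{vip}", "{realm}", "{kID}", "{cert}")
```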
SAML securing application via browser / REST API via ECP on wildfly
by Manuel Waltschek
Hello KC Community!
We are currently securing our war via browser SSO with SAML. We are deploying on wildfly 10 and are using Keycloak as an IdP broker.
We have the requirement to also secure a REST endpoint which is invoked by a third party. I read about ECP briefly in the KC docs and some forum discussions, but I could not find out how to set this up. It is also unclear if Keycloak even supports this feature. If not ECP, are there any other known ways to support this behaviour?
Regards,
Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek(a)prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
5 years, 8 months
Multivalue attributes delimiter
by Ondrej Scerba
Hi,
Is there any option to configure delimiter for multivalue attributes in Keycloak? I would like to use ',' instead of "##".
Thanks,
Ondrej
5 years, 8 months