Re: [keycloak-user] Docker and Outgoing HTTPS Request Truststore
by abegou.ext@orange.com
Hello,
I'm having some issues with the Docker image and the "Outgoing HTTPS Request Truststore".
My goal is to make Keycloak work on Kubernetes and have Keycloak use an internal certificate to call internal IdP (OIDC) providers.
I tried to use the following documentation without success.
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
I tried to use a config map to override the standalone.xml file without success.
How could I achieve this configuration? How can I add a truststore using the Docker image?
I used the latest image of keycloak jboss/keycloak@sha256:bab7816c55a912dcaaa4250b5b661823f5c43259433b350ad6167eee68cb1d9a
Thanks in advance for your help
Best regards / Cordialement
Aurelien Begou
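The truststore section of the Keycloak server installation guide linked above configures the outgoing-HTTPS truststore with an `<spi name="truststore">` element (file provider with `file`, `password`, `hostname-verification-policy` and `disabled` properties) inside the `keycloak-server` subsystem of standalone.xml. The following script is an added example, not code from the original post or from the Keycloak project: it patches that element into a standalone.xml document so the result can be shipped as a ConfigMap, and reads the settings back so the edit can be verified before the image is restarted. The minimal standalone.xml fragment is constructed for the example, and the truststore path and password are assumed values to be replaced with whatever is actually mounted into the container.

```python
import xml.etree.ElementTree as ET

# Namespace of the keycloak-server subsystem in standalone.xml (Keycloak 4.x-6.x).
KC_NS = "urn:jboss:domain:keycloak-server:1.1"

# Constructed minimal standalone.xml; a real file is much larger but has the
# same <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> element.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
      <web-context>auth</web-context>
      <providers>
        <provider>classpath:${jboss.home.dir}/providers/*</provider>
      </providers>
    </subsystem>
  </profile>
</server>"""


def _kc(tag):
    """Clark-notation tag name inside the keycloak-server namespace."""
    return "{%s}%s" % (KC_NS, tag)


def add_truststore_spi(standalone_xml, truststore_path, password,
                       hostname_verification_policy="WILDCARD"):
    """Insert the file-based truststore SPI documented in the installation guide.

    Raises if the keycloak-server subsystem is missing or a truststore SPI is
    already present, so a second run cannot silently produce duplicate SPIs.
    Returns the patched root element.
    """
    root = ET.fromstring(standalone_xml)
    subsystem = root.find(".//" + _kc("subsystem"))
    if subsystem is None:
        raise ValueError("keycloak-server subsystem not found in standalone.xml")
    for spi in subsystem.findall(_kc("spi")):
        if spi.get("name") == "truststore":
            raise ValueError("a truststore SPI is already configured")

    spi = ET.SubElement(subsystem, _kc("spi"), name="truststore")
    provider = ET.SubElement(spi, _kc("provider"), name="file", enabled="true")
    props = ET.SubElement(provider, _kc("properties"))
    settings = [
        ("file", truststore_path),                       # JKS holding the internal CA cert(s)
        ("password", password),                          # JKS integrity password
        ("hostname-verification-policy", hostname_verification_policy),  # WILDCARD / STRICT / ANY
        ("disabled", "false"),
    ]
    for name, value in settings:
        ET.SubElement(props, _kc("property"), name=name, value=value)
    return root


def truststore_settings(root):
    """Read back the file-provider properties as a dict, for verification."""
    result = {}
    for spi in root.iter(_kc("spi")):
        if spi.get("name") != "truststore":
            continue
        for prop in spi.iter(_kc("property")):
            result[prop.get("name")] = prop.get("value")
    return result


def render(root):
    """Serialise the patched document; prefixes differ from the original but the
    namespaces are identical, which is all the JBoss parser cares about."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Assumed mount path inside the jboss/keycloak container (not from the post).
    patched = add_truststore_spi(
        SAMPLE_STANDALONE,
        "/opt/jboss/keycloak/standalone/configuration/internal-ca.jks",
        "changeit",  # placeholder password, constructed for the example
    )
    print(truststore_settings(patched))
    print(render(patched))
```

The truststore only needs to contain the internal CA's public certificate, so the JKS itself can be built once with `keytool -importcert` and mounted alongside the patched standalone.xml; the `password` here protects the JKS integrity, not any private key. Checking `truststore_settings()` after patching catches the common failure where the SPI landed outside the `keycloak-server` subsystem and was ignored at startup.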
Refresh Token Question
by Konstantinos Schoinas
Hi there,
I have a setup where I use a Node.js application and the keycloak-connect
NPM module in order to align it with the Keycloak single sign-on flow.
Everything is working fine except for one thing.
When my refresh token is expired and I am trying to access a resource in
the application that is protected by keycloak.protect(), I am getting a
redirect to the Keycloak page (a flow that I find correct) and my user
is automatically getting re-logged in without posting any credentials.
I don't know if that behavior is right.
My Keycloak Realm Settings on the Tokens tab are:
Revoke Refresh Token --> Off
SSO Session idle --> 2 minutes
SSO Session Max --> 4 minutes
Access Token Lifespan --> 1 minute
I also noticed this type of behavior on the nodejs-example that keycloak-connect
provides, so I believe that there isn't something wrong with my
application.
I also put some logs inside the keycloak middleware to make sure that the
refresh token is expired, by going to the relevant function and making sure
that the refresh token is expired.
In addition, this is of course happening when the 2 minutes have passed and
I am trying to make a request: the refresh token is definitely expired
there, but Keycloak still seems to log me in again and is NOT redirecting
me to the login page.
Thanks in Advance for the help,
Konstantinos
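When the token lifetimes above are in play, the first thing to pin down is what the refresh token itself says: its `exp` and `iat` claims, and the `session_state` claim that identifies the Keycloak SSO session the token belongs to (the session the browser's Keycloak cookie keeps alive independently of the application's token). The helper below is an added example, not code from the post or from keycloak-connect: it decodes a JWT's claims without verifying the signature, purely as a local diagnostic on tokens already in hand, and reports whether the token is expired at a given instant. The sample token is constructed inline with an `alg: none` header and an empty signature so the script runs offline; real Keycloak tokens are RS256-signed and must be verified before being trusted for any decision.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """base64url without padding, as used in compact JWS."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT checking its signature.

    Diagnostic use only (inspecting tokens you already hold); never use the
    result for authorization, since anyone can forge an unsigned payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token, now=None):
    """Summarise lifetime-related claims and whether the token is expired at `now`."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else int(now)
    exp = int(claims["exp"])
    return {
        "typ": claims.get("typ"),                       # "Refresh" / "Bearer" in Keycloak tokens
        "session_state": claims.get("session_state"),  # id of the SSO session on the Keycloak side
        "issued_at": claims.get("iat"),
        "expires_at": exp,
        "seconds_left": exp - now,
        "expired": now >= exp,
    }


def make_sample_token(claims):
    """Build an UNSIGNED sample token (constructed data) so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s." % (header, payload)


if __name__ == "__main__":
    issued = 1_700_000_000
    # Constructed refresh token whose lifetime matches the 2-minute SSO idle setting.
    refresh = make_sample_token({
        "typ": "Refresh",
        "iat": issued,
        "exp": issued + 120,
        "session_state": "00000000-0000-0000-0000-000000000000",  # placeholder id
    })
    for offset in (60, 180):
        print(offset, token_status(refresh, now=issued + offset))
```

Log `token_status(...)` from the middleware at the moment of the redirect and compare `session_state` with the sessions listed under the realm's Sessions tab in the admin console: if that session is still listed when the redirect happens, the silent re-login is the SSO session cookie being honoured rather than the application's expired refresh token being accepted.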
Transfer role claim from OIDC identity broker to keycloak JWT
by Per Erik Gransøe
Hi
I've set up my Keycloak with an Azure AD as OIDC identity provider. The Azure AD IdP replies with user application roles in its token reply to Keycloak, and I would like to add these roles to the resulting JWT token sent to the relying parties. Can this be achieved with one of the built-in identity provider mappers (if so, which one, and how do I map/transfer the "roles" claim?), or will I need to implement a custom mapper?
Wildfly 16.0 and keycloak 2.5.5-final
by Srinivas Nangunoori
Hi experts,
We are planning to upgrade WildFly from 10 to 16. Currently we are using Keycloak 2.5.5-final. My questions are:
* Can I still use Keycloak 2.5.5 with WildFly 16.0?
* If not, what version should I use?
Thanks,
Srini
Meraki SP
by Aaron Echols
Hello All,
I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
Keycloak be set up for IdP-initiated SSO, which I've configured. I have
everything working great, but I'm running into an issue where Keycloak will
not pass through a SAML attribute using mappers.
Per the docs here:
https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboa...
I need to pass a role attribute through that matches what I've set up as the
SAML Administrator Roles in Meraki. I've done that and have roles set up as
IT, Management, etc.
In Active Directory the 'department' attribute is set to the role that is
needed. I've created the federated mapper 'dept' that is mapped to
'department' in AD. Users in Keycloak have that attribute populated
successfully with the correct data.
In the client for Meraki, I've created a mapper named
'https://dashboard.meraki.com/saml/attributes/role', set it as a
'User Property' with a property of 'dept' and a generic friendly name, and
then set the 'SAML Attribute Name' to role.
Looking at the SAML login, this is never passed through at all. The only
way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
successfully to Meraki. There are other groups that will be logging into
Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
transaction when hardcoding the attribute:
<saml:Attribute
    FriendlyName="Department"
    Name="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">IT
  </saml:AttributeValue>
</saml:Attribute>
I've never had this issue passing other attributes through before. Can
anyone let me know if I'm going about this wrong and, if so, what am I
missing? Thanks :)
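Debugging a mapper like this comes down to reading the `AttributeStatement` actually delivered to the SP and checking two things: that an `Attribute` with exactly the `Name` the SP expects is present, and that its values are among the roles configured on the SP side. The script below is an added example, not code from the post or from Keycloak or Meraki: it parses a SAML assertion with the standard library, collects attributes by `Name`, and reports presence and unexpected values. The assertion is constructed for the example around the `saml:Attribute` fragment quoted in the post (note the trailing newline inside the hardcoded `AttributeValue`, which the parser strips); the allowed-role set and the second attribute are also constructed, and the Meraki attribute name used in the second check is taken from the post's mapper name.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement shape from the post, wrapped in a
# minimal Assertion so it parses stand-alone (not a real capture).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Department" Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">IT
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Map each SAML attribute Name to its list of (whitespace-stripped) values.

    Attributes are keyed by Name, not FriendlyName, because Name is what an SP
    matches on; a mismatch between the two is exactly the kind of mapper
    misconfiguration this check is meant to surface.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_attribute(attrs, name, allowed_values):
    """Report whether `name` is present and every value is in `allowed_values`."""
    values = attrs.get(name, [])
    unexpected = sorted(v for v in values if v not in allowed_values)
    return {
        "name": name,
        "present": bool(values),
        "values": values,
        "unexpected": unexpected,
        "ok": bool(values) and not unexpected,
    }


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    allowed_roles = {"IT", "Management"}  # constructed to match the post's role names
    print(check_attribute(attrs, "role", allowed_roles))
    # Checking under the mapper name from the post shows that the SP would see
    # no attribute at all if it matches on that full URL rather than on "role".
    print(check_attribute(attrs, "https://dashboard.meraki.com/saml/attributes/role",
                          allowed_roles))
```

Run `extract_attributes()` over a base64-decoded SAML response captured from the browser (the SAML tracer add-ons expose it) once with the hardcoded mapper and once with the User Property mapper; if the attribute is absent in the second case, the user property is not being resolved, whereas a value outside `allowed_values` points at the AD `department` data rather than the mapper.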
LDAP configuration ID info with User information
by Shetty, Shweta
Is there an easy way to get the ID of the LDAP provider a user got authenticated against onto the user? If we have a multiple-LDAP scenario, I would like to see on the user which LDAP they got authenticated against.
Shweta
LDAP Mapped groups from AD
by Aaron Echols
Hello All,
I've got a group I'd like to sync from AD that is mapped. The group has
about 3500 users in it. The group won't sync properly and while it is
synced, it is empty in Keycloak. I'm not seeing anything in the Keycloak
logs when attempting to sync. Any ideas on what I'm missing? Thanks
in advance. :)
Map single role
by Manuel Waltschek
Hello KC community,
I am trying to map a specific user role to an attribute mapper in a client scope. Is there a way to filter the role list to only show specific roles to the client?
Regards,
SAML attribute to Keycloak group mapping
by Saloni Udani
Hi
Is there a way, out of the box, to map a SAML attribute to a Keycloak group in
an IdP integration with Keycloak?
If not then what is the thought process behind that?
Thanks