JBoss EAP/WildFly Adapter - JAAS Login Module for OTP
by R M
Hi
According to the Security APP Documentation, I can provide an adapter
config file in the WAR and change the auth-method to KEYCLOAK within web.xml.
Alternatively, I don't have to modify the WAR at all and I can secure it via
the Keycloak adapter subsystem configuration in the configuration file,
such as standalone.xml.
But my app has a FORM login authentication mechanism: in web.xml I have
<login-config>
<auth-method>FORM</auth-method>
<realm-name></realm-name>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/LoginError.jsp</form-error-page>
</form-login-config>
</login-config>
and according to this, the Login.jsp submits its values to
"j_security_check".
I want to continue to use this, but I want KEYCLOAK to take control of checking
credentials (and managing the OTP).
It is not clear (I was not able to find out) whether there is some "standard" adapter or
login module available, and what "name" to give to the OTP field in the login
form,
e.g. using PicketBox
https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
but now PicketLink and Keycloak projects are merged and I want to use a
similar way using OTP and the Keycloak server
So I'm looking for the Keycloak replacement of JBossTimeBasedOTPLoginModule
(and related setup)
<login-module
code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
Do you have any idea?
Thanks
5 years, 4 months
Identity provider mapper - Attribute to role
by Matteo Restelli
Hi all,
We're trying to set up an Attribute to Role mapper inside our SAML 2.0
identity provider. The problem is that our attribute contains whitespaces.
How can we map an attribute with whitespaces to a role? Currently
surrounding it with double quotes or single quotes doesn't work.
Any thoughts on that?
Thank you,
Matteo
5 years, 4 months
Unable to get SAML ForceAuthn to work
by Neil Russell
Hey,
I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request, one issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working but even though I can now see that parser is returning true when the ForceAuthn attribute is read I'm still not getting the expected behaviour and I'm not sure where to look next.
Any suggestions would be appreciated, am I looking in completely the wrong place?
Thanks,
Neil Russell
5 years, 4 months
connecting between rh-sso (tier 1) to rh-sso (tier 2) with identity provider
by Oren Oichman
Hello all,
Can anyone help with configuring centralization of multiple domains using
RH-SSO?
I have set up 2 Red Hat IDMs with 2 different domains, deployed RH-SSO
for each domain and used federation configuration to connect them.
Next I set up a third RH-SSO and connected them through the identity
provider.
I am getting an "Invalid parameter: redirect_uri" error, which I
believe has something to do with the client configuration on the tier 2
RH-SSO.
The flow I am trying to achieve is:
REDHAT-IDM(x2) --> RH-SSO(x2) --> RH-SSO --> APP
so that when clients try to connect to the app they will be able to
choose which domain they want to use for authentication.
thanks in advance
*with Best Regards*
*Oren Oichman*
Red Hat - Cloud Consultant
5 years, 4 months
SAML Assertion Expiration v4.8.0
by gambol
Hiya
I was wondering if anyone else has come across this error before. After
upgrading to v4.8.0, users are complaining about intermittent login failures
via the federated IDP:
09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator]
(default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
task-434) Assertion expired.
09:14:46,188 WARN [org.keycloak.events] (default task-434)
type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null,
userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
The federated IDP is backed by ADFS
Googling around, the issue seems to suggest a difference in clocks; but the time
on all the worker nodes (running in Kubernetes) is fine, and the
upstream broker (ADFS) said their time is fine.
Has anyone seen this before? Even better, does anyone know of a solution? :-)
Thanks in advance
Rohith
5 years, 4 months
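The "Assertion ... expired" line above comes from the broker checking the assertion's Conditions window against its own clock. The following added example (not code from the post or from Keycloak) shows that check with a configurable clock-skew allowance, run against a constructed assertion; the assertion ID, issuer and timestamps are made up.

```python
"""Validate a SAML 2.0 assertion's <Conditions> NotBefore / NotOnOrAfter
against a reference time, optionally tolerating clock skew between the
IdP (here ADFS) and the broker. Added example, not Keycloak's own code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2019-02-01T09:14:40Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2019-02-01T09:14:40Z"
                   NotOnOrAfter="2019-02-01T09:19:40Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as used in SAML (UTC 'Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def validate_conditions(assertion_xml, now, allowed_skew_seconds=0):
    """Return (ok, reason). `now` is the broker's clock; `allowed_skew_seconds`
    widens the validity window in both directions, like a clock-skew setting."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # NotBefore is inclusive: now must be >= NotBefore (minus tolerated skew).
    if not_before and now + skew < parse_saml_instant(not_before):
        return False, "assertion not yet valid"
    # NotOnOrAfter is exclusive: now must be strictly before it (plus skew).
    if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "assertion expired"
    return True, "ok"


if __name__ == "__main__":
    late_clock = datetime(2019, 2, 1, 9, 19, 45, tzinfo=timezone.utc)
    print(validate_conditions(SAMPLE_ASSERTION, late_clock))       # expired
    print(validate_conditions(SAMPLE_ASSERTION, late_clock, 60))   # ok
```

A broker clock that is only a few seconds ahead of the IdP, or an assertion that arrives just after its window, produces the same "expired" result, which is why the intermittent failures in the post point at timing rather than at a malformed response.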
How to add gidNumber and uidNumber when federated with openLDAP
by Shiva Prasad Thagadur Prakash
Hi Guys,
I am trying to find a way to populate the gidNumber and uidNumber when a
user is created in LDAP via Keycloak. I don’t want to use
hardcoded-attribute-mapper as it would put the same value to all the users.
Is there a way to populate these values when a user is created on the
Keycloak side?
For “posixAccount” in LDAP these attributes MUST be present, and LDAP
throws an error if these values are missing when a user is created.
Eagerly waiting for your reply.
Thanks,
5 years, 4 months
Theme caching
by Barish Yumerov
Hello,
I am running Keycloak in a docker container using this image:
jboss/keycloak
I created a few themes, and disabled caching by editing
./standalone/configuration/standalone.xml as
<theme>
<staticMaxAge>-1</staticMaxAge>
<cacheThemes>false</cacheThemes>
<cacheTemplates>false</cacheTemplates>
...
</theme>
Despite this, I can see changes only if I restart the docker container.
I even cleared all types of caches for the realm in the admin panel, but
still I cannot see any changes :(
How can I clear the cache without restarting the docker container, or is there
any setting that disables caching in dev mode?
Thank you in advance!
Best Regards,
B Yumerov
5 years, 4 months