Add LDAP as external IdP
by Ajinkya Thakare
Hi all,
Is there any way to add LDAP as an external IdP in Keycloak? Any tools or libraries that can provide the IdP services on top of LDAP?
Thanks in advance for the help.
Regards,
Ajinkya Thakare
5 years, 3 months
Specifying LDAP/AD domain in login/token endpoint
by Ajinkya Thakare
Hi all,
I have a multi-tenant SSO use-case where a set of applications can be used by multiple organizations with their own LDAP/AD configurations. I am trying to secure those applications using Keycloak and have been pretty much successful in doing so by adding each organization's LDAP config in the User Federation tab.
However, I observed that for authentication against LDAPs, Keycloak goes through all the LDAP configs added one by one, either in the order of their addition in Keycloak or by the priorities set in the configuration, to check the user credentials until the desired username and password match. This is causing two main issues –
1. If the same username is part of two organizations, it causes a failure even when correct credentials belonging to a later LDAP are passed to the login/token API. Keycloak finds the same username in the first LDAP, sees that the password is different and hence returns a failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is down, authentication from all the successive LDAPs will fail.
Can we instead have a solution where the user can specify his/her organization's domain along with the username, so that Keycloak points directly to that particular LDAP config and does not look into the other LDAPs? This would solve both of the above problems.
For example, we have the same username 'ajinkya.thakare' in two organizations' domains, 'company1' and 'company2'. On the login page, if the user can provide 'ajinkya.thakare@company2', Keycloak should point to the LDAP config for company2 only. Here issue 1 is solved, since the credentials for 'ajinkya.thakare' in company1's domain are never checked and hence do not cause a failure for correct credentials from company2. Issue 2 is also solved, since the LDAP server for company1 may be down sometimes, but we are not concerned with that anymore, which effectively enables failover for LDAPs.
Please let me know if this can be already achieved by any means. Or if there is any workaround for the same.
Regards,
Ajinkya Thakare
5 years, 3 months
add custom attribute with admin rest api
by Achraf Dely
Hello,
I need to create a protocol mapper in order to map a custom attribute to a user
with the Keycloak admin REST API (Java). Can you give me an example or a guide?
Thank you.
5 years, 3 months
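As an added example (not code from the original post or from the Keycloak project itself), the following Java snippet does the two steps the question asks about with the keycloak-admin-client library: it stores a custom attribute on a user, then creates a "User Attribute" protocol mapper on a client so the attribute is emitted as a claim in the ID, access and userinfo tokens. The server URL, realm names, client ID, admin credentials, user name and the attribute/claim name "department" are assumed placeholders.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CustomAttributeMapperExample {

    // Assumed placeholder values; adjust to your deployment.
    static final String SERVER_URL = "https://keycloak.example.com/auth";
    static final String ADMIN_REALM = "master";
    static final String TARGET_REALM = "demo";
    static final String CLIENT_ID = "my-app";
    static final String USERNAME = "alice";
    static final String ATTRIBUTE = "department";

    public static void main(String[] args) {
        // Admin session against the master realm using the built-in admin-cli client.
        Keycloak kc = Keycloak.getInstance(SERVER_URL, ADMIN_REALM,
                "admin", System.getenv("KC_ADMIN_PASSWORD"), "admin-cli");
        RealmResource realm = kc.realm(TARGET_REALM);

        // Step 1: put the custom attribute on the user.
        // search(username, first, max) is a substring match, so check the result.
        List<UserRepresentation> found = realm.users().search(USERNAME, 0, 1);
        if (found.isEmpty() || !USERNAME.equals(found.get(0).getUsername())) {
            throw new IllegalStateException("user not found: " + USERNAME);
        }
        UserRepresentation user = found.get(0);
        Map<String, List<String>> attrs = user.getAttributes() == null
                ? new HashMap<>() : new HashMap<>(user.getAttributes());
        attrs.put(ATTRIBUTE, Collections.singletonList("security"));
        user.setAttributes(attrs);
        UserResource userRes = realm.users().get(user.getId());
        userRes.update(user);

        // Step 2: create a "User Attribute" protocol mapper on the client so the
        // attribute shows up as a claim in the tokens issued to that client.
        ClientRepresentation client = realm.clients().findByClientId(CLIENT_ID).get(0);
        ClientResource clientRes = realm.clients().get(client.getId());

        ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
        mapper.setName(ATTRIBUTE);
        mapper.setProtocol("openid-connect");
        mapper.setProtocolMapper("oidc-usermodel-attribute-mapper");
        Map<String, String> config = new HashMap<>();
        config.put("user.attribute", ATTRIBUTE);      // attribute name on the user
        config.put("claim.name", ATTRIBUTE);          // claim name in the token
        config.put("jsonType.label", "String");
        config.put("id.token.claim", "true");
        config.put("access.token.claim", "true");
        config.put("userinfo.token.claim", "true");
        mapper.setConfig(config);

        Response resp = clientRes.getProtocolMappers().createMapper(mapper);
        try {
            if (resp.getStatus() != 201) {
                throw new IllegalStateException("mapper creation failed: " + resp.getStatus());
            }
        } finally {
            resp.close();
        }
        kc.close();
    }
}
```

The admin password is read from an environment variable rather than hardcoded, and the realm admin used here only needs the realm-management roles manage-users and manage-clients in the target realm, not realm-admin. Only claims that the client's consumers actually need should be mapped into the access token, since every mapped attribute becomes visible to any resource server that receives that token.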
Execution Flow
by Stuart
Hi All,
I'm a little confused with configuring alternative execution flows.
I currently have the following configured.
Cookie
Username Password Form
TOTP Configured? <- Alternative
OTP Form <- Optional
No, SMS then <- Alternative
SMS Auth <- Optional
As you can guess, I want SMS auth to trigger if OTP is not configured.
At the moment it seems that if OTP isn't configured, the OTP Form is skipped
and authentication is successful and SMS is skipped. Is there a way to
tell Keycloak that if OTP is not configured then the 'TOTP Configured?'
execution flow has failed, so the 'No, SMS then' execution flow is actioned?
Thanks,
Stuart.
5 years, 3 months
Obtaining JWT of a User
by İlhan Subaşı
As admin of a Keycloak server, can I obtain the access token of a particular
user without knowing his password? Unfortunately impersonation doesn't
help me because it contains neither his id nor his username.
5 years, 3 months
Unable to set relative redirect URIs
by Guy Marom
Hello,
If I understand the docs correctly defining a client like this should work:
[image: image.png]
For me it doesn't, unless I actually set the Root URL to the domain name.
Using Keycloak 4.6.0
Thanks
5 years, 3 months
Support multiple authentication in a single war
by Kavis Pandey
Hi,
We have a JSP+Servlet application (running on wildfly-10) that is
configured with Keycloak using the keycloak-wildfly adapter. We have used
the multi-tenancy feature of Keycloak and create the KeycloakDeployment
object at runtime by implementing KeycloakConfigResolver. That
works fine.
Now we have a requirement where our application needs to fall-back to
FORM based authentication instead of Keycloak based on certain
conditions. So basically we need to support multiple authentication
mechanisms during runtime (BASIC + KEYCLOAK)
Is it possible ?
Thanks in advance,
Kavis
5 years, 3 months
Password Policy Question
by Dmitriy
Is there a way to customize the password policy from within a realm?
For example, if I have some users that have O365 accounts linked in
Keycloak with an external IDP and have their own password rotation policies, I
do not want to prompt such users to change the password, while Keycloak
manages accounts for those users that do not have an O365 account and I would
like to enforce the policy in those instances.
Any ideas would be appreciated.
Thank you
5 years, 3 months
Creating a Keycloak Admin Client without a Password
by Chris Smith
Use case
* The realm is federated with Active Directory
* An end user creates himself or herself using the standard out-of-the-box KC self-service support
* The only app they access is a web app for completing their registration.
* This web app server (Tomcat) is running as an Active Directory Domain Admin.
* This Active Directory Domain Admin is also a Realm Admin in Keycloak
* All the info needed about the end user to complete their registration is available as OIDC claims and values entered by the user in the web app
* The web app uses the Keycloak Admin Client to complete the user setup.
* The Keycloak Admin Client is currently instantiated with an embedded userid and password for the Realm Admin
I really do not like having the AD Domain Admin user and password embedded in the web app.
The same AD Admin user is configured into the KC AD LDAP/Kerberos federation with a Kerberos keytab file.
Can the Keycloak Admin Client be instantiated from the AD Domain Admin running the Web App?
Any AD experts have any recommendation about the minimum AD admin rights needed for the AD user running the Web App server and the AD LDAP/Kerberos federation?
5 years, 3 months
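As an added example (not code from the original post or from the Keycloak project), the following Java snippet shows one way to instantiate the Keycloak Admin Client without embedding a realm admin's user ID and password: it authenticates with the OAuth2 client_credentials grant as a confidential client that has "Service Accounts Enabled", using KeycloakBuilder from keycloak-admin-client. It assumes a client named "registration-app" exists in the target realm with a service account whose realm-management roles are limited to what the registration web app needs (for instance manage-users), and that the client secret is supplied through the KC_CLIENT_SECRET environment variable; the server URL, realm name and user name are placeholders. This removes the AD Domain Admin password from the web app on the Keycloak side; it does not change what rights the web app's own AD account needs for the LDAP/Kerberos federation, which is a separate question.

```java
import java.util.List;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.UserRepresentation;

public class ServiceAccountAdminClient {

    // Assumed placeholder values; adjust to your deployment.
    static final String SERVER_URL = "https://keycloak.example.com/auth";
    static final String REALM = "corp";
    static final String CLIENT_ID = "registration-app";

    // Build an admin client that authenticates as the service account of a
    // confidential client instead of as a human realm admin. The token it
    // obtains carries only the realm-management roles granted to that
    // service account, so over-privileged credentials never live in the app.
    static Keycloak build() {
        String secret = System.getenv("KC_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KC_CLIENT_SECRET is not set");
        }
        return KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(REALM)                       // realm that hosts the client
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(CLIENT_ID)
                .clientSecret(secret)               // no username/password at all
                .build();
    }

    public static void main(String[] args) {
        Keycloak kc = build();
        try {
            RealmResource realm = kc.realm(REALM);
            // Example admin call the registration app would make: finish setting
            // up a user who just self-registered (name is a placeholder).
            List<UserRepresentation> users = realm.users().search("new.user", 0, 1);
            if (users.isEmpty()) {
                throw new IllegalStateException("user not found");
            }
            UserRepresentation user = users.get(0);
            user.setEnabled(true);
            user.setEmailVerified(true);
            realm.users().get(user.getId()).update(user);
        } finally {
            kc.close();
        }
    }
}
```

The service account is granted roles from the realm's "realm-management" client (via the client's Service Account Roles tab); keeping that to manage-users, or view-users if the app only reads, follows least privilege far better than a realm-admin account. If the token obtained this way ever has to be handed to something else, enabling client authentication with a signed JWT instead of a shared secret removes the last long-lived static secret from the web app.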