with corrected subject now
On Mon, Jan 28, 2019 at 9:27 PM Hans Zandbelt <hans.zandbelt(a)zmartzone.eu>
wrote:
Hey Ed,
Ouch, bad NetIQ :-( apparently it considers the signature on the request
as something unexpected, which it really shouldn't...
However, you should be able to configure the signing certificate of
Keycloak on the NetIQ side (which you needed to do anyway for the
validation of the Logout requests) and make it "require" or "expect"
signed
authentication requests from the Keycloak SP.
Hans.
On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request(a)lists.jboss.org>
wrote:
>
> ------------------------------
>
> Message: 3
> Date: Mon, 28 Jan 2019 16:16:20 +0000
> From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl>
> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
> LogoutRequest not working with NetIQ Access Manager because it is
> not
> signed?
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4(a)info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Hans! :-)
>
> Unfortunately with "Want AuthnRequests Signed?" enabled we can no longer
> log in to the external IdP... I will check with the NetIQ provider people to
> check.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 28 Jan 2019 14:51:26 -0200
> From: Wagner <wagnerspi(a)gmail.com>
> Subject: [keycloak-user] Keycloak integration with django
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <CAO0ino=wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi there,
>
> I've been looking for ways to integrate keycloak with django, and have
> found the django-keycloak project, but the docs are kind of limited.
>
> Can anyone point me in the direction of integrating it with an existing
> django project? I don't want to use the django admin web interface to
> configure it, but haven't found any other way to do so.
>
> Thanks,
> Wagner
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 28 Jan 2019 13:04:58 -0500
> From: Nhut Thai Le <ntle(a)castortech.com>
> Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver
> class on every request
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID: <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=iE6nGV0JQ(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGi
> env to filter requests to our REST service as follows:
>
> @Component(
>     service = {
>         ContainerRequestFilter.class,
>         ContainerResponseFilter.class
>     },
>     scope = ServiceScope.PROTOTYPE,
>     property = {
>         "osgi.jaxrs.extension=true",
>         JAX_RS_NAME + "=DiagramRestFilter",
>         DiagramConstants.REST_APP_SELECT
>     }
> )
> @PreMatching
> @Priority(Priorities.AUTHENTICATION)
> public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
>         implements ContainerResponseFilter {
>     private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
>     private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
>     private final Logger log = LoggerFactory.getLogger(getClass());
>
>     @Reference
>     private SessionService sessionService;
>
>     @Activate
>     public void activate(BundleContext bundleContext) {
>         log.trace("Activating {}", getClass()); //$NON-NLS-1$
>         setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$
>         setBundleContext(bundleContext);
>     }
>     // ... remaining filter methods not shown in the post
> }
>
> As you can see, we set the filter scope to Prototype as recommended by the
> OSGi Compendium
> ( https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685 )
> but we see the following line printed a lot when the server starts:
>
> INFO: Using com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver@738e48f7 to resolve Keycloak configuration on a per-request basis.
>
> Does that mean the config resolver is being instantiated for each request?
> Since the configuration never changes, would it make sense to
> instantiate this config resolver only once?
>
> Thai Le
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 28 Jan 2019 21:00:02 +0100
> From: Marek Posolda <mposolda(a)redhat.com>
> Subject: Re: [keycloak-user] User sessions in DB
> To: Lukasz Lech <l.lech(a)ringler.ch>, "keycloak-user(a)lists.jboss.org"
> <keycloak-user(a)lists.jboss.org>
> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
> > Hello,
> >
> > I'm using Keycloak docker image for 4.8.1
> >
> > I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a
> tombstone of some previous implementation. User sessions are not saved
> in the DB.
> >
> > Additionally, after the server had run for some time, I got an NPE in
> > RealmAdminResource.getClientSessionStats:614 when trying to navigate to the
> > Sessions entry in the menu in the Admin Console.
>
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
> exact steps to reproduce).
>
> Thanks,
> Marek
>
> >
> > Are there any issues with JPA cache?
> >
> > Best regards,
> > Lukasz Lech
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 28 Jan 2019 21:07:05 +0100
> From: Marek Posolda <mposolda(a)redhat.com>
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> To: Dmitry Telegin <dt(a)acutus.pro>, Chris Smith
> <chris.smith(a)cmfirstgroup.com>, "keycloak-user(a)lists.jboss.org"
> <keycloak-user(a)lists.jboss.org>
> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> +1
>
> GSSCredential is used just during SPNEGO authentication. You may
> possibly change the built-in authentication flows or userStorage
> provider, so that after verification with username/password, the
> GSSCredential will be somehow obtained from the JAAS Subject used for
> the authentication (See class KerberosUsernamePasswordAuthenticator for
> the details).
>
> However I am not sure if this is really possible and it will require
> some more deep-dive into the Keycloak codebase and Kerberos
> implementation in JDK... Just a hint...
>
> Marek
>
> On 28/01/2019 07:21, Dmitry Telegin wrote:
> > Hello Chris,
> >
> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
> sure it's possible at all to obtain it outside of Kerberos context, like
> e.g. via pure LDAP authentication.
> >
> > Cheers,
> > Dmitry
> >
> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> >> Does anyone have feedback about getting a delegated GSSCredential?
> >>
> >> -----Original Message-----
> >>> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> >> Sent: Wednesday, January 23, 2019 10:12 PM
> >> To: keycloak-user(a)lists.jboss.org
> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> >>
> >> Here is a Diagram of what I'm trying to do
> >>
> >> From: Chris Smith
> >> Sent: Wednesday, January 23, 2019 8:08 AM
> >> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
> >> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
> >>
> >> I have set up my servlet to authenticate a user of my web app using
> Keycloak Active Directory LDAP user federation.
> >>
> >> I can get a Delegated GSSCredential when the SPNEGO-enabled
> browser runs on a workstation in the AD domain.
> >> When the browser workstation is not a member of the AD Domain,
> Keycloak will authenticate the user id and password entered on the keycloak
> login page, but there will not be a Delegated GSSCredential in the Access
> Token in my servlet.
> >>
> >> I have a requirement to use the GSSCredential to call programs on an
> IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a
> Kerberos Ticket from Active Directory as an authenticated credential (aka
> EIM, Enterprise Identity Mapping).
> >>
> >> Less than 1% of the users will be using browsers on workstations in
> the Active Directory domain.
> >>
> >> Can Keycloak put a GSSCredential for the logged-in user in the Access
> Token when SPNEGO is not available from the browser?
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 61, Issue 39
> *********************************************
>
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM -
www.zmartzone.eu
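Regarding Thai Le's question in Message 5 of the quoted digest (OsgiJaxrsBearerTokenFilterImpl apparently creating the config resolver per request): one way to keep that down to a cheap object allocation is to let the resolver cache the parsed KeycloakDeployment itself, so the adapter configuration is read once no matter how often the filter or resolver is instantiated. The class below is an added example written against the public Keycloak adapter API (KeycloakConfigResolver, KeycloakDeploymentBuilder); it is not code from the post, from Keycloak, or from the poster's BundleBasedKeycloakConfigResolver, and the class name and the /keycloak.json classpath location are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Hypothetical resolver (added example, not the poster's class): parses the
 * adapter config once and shares the resulting KeycloakDeployment across every
 * resolver instance the adapter creates. A PROTOTYPE-scoped filter may still get
 * a new resolver per request, but that costs only an allocation, not a re-parse
 * of keycloak.json or a fresh, empty realm public-key cache.
 */
public class CachedKeycloakConfigResolver implements KeycloakConfigResolver {

    // Static so it survives resolver re-instantiation; keyed by config location
    // so one JVM can serve several bundles/realms with different configs.
    private static final ConcurrentMap<String, KeycloakDeployment> DEPLOYMENTS =
            new ConcurrentHashMap<>();

    // Assumption: the adapter config ships on this bundle's classpath at this path.
    private static final String CONFIG_RESOURCE = "/keycloak.json";

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // computeIfAbsent builds the deployment at most once per key, even when
        // several first requests arrive concurrently.
        return DEPLOYMENTS.computeIfAbsent(CONFIG_RESOURCE, CachedKeycloakConfigResolver::load);
    }

    private static KeycloakDeployment load(String resource) {
        try (InputStream in = CachedKeycloakConfigResolver.class.getResourceAsStream(resource)) {
            if (in == null) {
                // Fail closed: a missing adapter config must not silently yield a
                // deployment that accepts tokens it cannot properly verify.
                throw new IllegalStateException("Keycloak adapter config not found: " + resource);
            }
            return KeycloakDeploymentBuilder.build(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + resource, e);
        }
    }
}
```

Sharing one deployment also keeps the realm's public-key cache in one place, so bearer-token signature verification does not have to re-fetch the realm keys for each request.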