Additional jpaConnectionProvider for UserFederation via database

by Matuszak, Eduard

Hello
I am trying to implement a userfederation-provider based on a jpa-connection. My approach was:
According to an additional datasource definition for the federated DB in the standalone.xml
                <datasource jta="true" jndi-name="java:jboss/datasources/CCPDS" pool-name="CCPDS" enabled="true" use-ccm="true">
                    <connection-url>jdbc:oracle:thin:@servername:1521:schemaname</connection-url>
      ..
, I tried to register this datasource as an additional connectionJpa-entry in keycloak-server.json as follows:
..
    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/CCPKCDS",
            "databaseSchema": "update"
        },
        "FED-DB": {
            "dataSource": "java:jboss/datasources/CCPDS"
        }
    },
..
According to this configuration I hoped to be able to establish the appropriate entity manager by coding:
        // Get the appropriate entity manager from the KeycloakSession
        EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager();
This did not work, indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1):
        Set<JpaConnectionProvider> JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class);
My question is: isn't it in principle possible to register a second jpaConnector in addition to the default one, or is there something missing or wrong in my approach?
Thanks for any help in advance.
Best regards, Eduard Matuszak
Dr. Eduard Matuszak
Worldline, an atos company
9 years, 9 months

Accessing authenticated user's details

by Tim Dudgeon

In the case of a web application (e.g. Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email).
I've found that this information is available from the session like this:
KeycloakSecurityContext session = 
(KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
IDToken idToken = session.getIdToken();
String email = idToken.getEmail();
One issue with this is that all your web apps are tied to keycloak.
Is this the right way to handle this?
Are there alternatives?
Tim
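As an added example (not from Tim's post or from the Keycloak project), one way to keep the coupling to Keycloak in a single class: resolve the user through the servlet container's standard Principal first and read Keycloak-specific claims only inside that one class, handing the rest of the app a plain value object. It assumes the Keycloak Tomcat adapter, which sets a KeycloakPrincipal as the request principal, and the adapter classes org.keycloak.KeycloakPrincipal, org.keycloak.KeycloakSecurityContext and org.keycloak.representations.IDToken; UserResolver and AuthenticatedUser are hypothetical names.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;

/**
 * The only class in the web app that imports Keycloak types (hypothetical name).
 * Everything else depends on the plain AuthenticatedUser value object, so moving
 * to another IdP or adapter means changing this one class.
 */
public final class UserResolver {

    /** IdP-neutral view of the logged-in user (hypothetical name). */
    public static final class AuthenticatedUser {
        public final String id;        // stable subject identifier ("sub" claim)
        public final String username;  // preferred_username claim
        public final String name;      // full name claim
        public final String email;     // email claim; null if the realm does not release it

        AuthenticatedUser(String id, String username, String name, String email) {
            this.id = id; this.username = username; this.name = name; this.email = email;
        }
    }

    /**
     * Returns the authenticated user, or null for an anonymous request.
     * Uses the container Principal (standard servlet API) first; only if it is a
     * KeycloakPrincipal does it read Keycloak-specific claims.
     */
    public static AuthenticatedUser resolve(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return null;  // unauthenticated request (e.g. a public resource)
        }
        if (!(principal instanceof KeycloakPrincipal)) {
            // Another authenticator (e.g. a container realm) produced the principal:
            // the app still works, with the name only.
            return new AuthenticatedUser(principal.getName(), principal.getName(), null, null);
        }
        KeycloakSecurityContext ctx = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        // The adapter verified the token signature and expiry before setting the principal,
        // so these claims are what the IdP asserted. Bearer-only clients have no ID token;
        // the access token carries the same standard claims (AccessToken extends IDToken).
        IDToken token = ctx.getIdToken() != null ? ctx.getIdToken() : ctx.getToken();
        return new AuthenticatedUser(token.getSubject(), token.getPreferredUsername(),
                                     token.getName(), token.getEmail());
    }
}
```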
9 years, 12 months

Multivalued user attributes mapping

by Sascha Skorupa

Hi,
we are currently evaluating Keycloak as an IDM solution for our company. In doing so we encountered the following questions regarding the storing of authorization data:
1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as a claim. But how can you configure multiple values for one attribute? If you save another value with the same key, the existing one is overwritten.
2) One of the requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in Keycloak, or is the only way to use flat user attributes (key/value)?
Thanks, Sascha
10 years

Failed to import IDP meta data into keycloak

by Mai Zi

Hi there,
1) We failed to import IDP metadata into keycloak (see attachment for the sample xml). Please help take a look at what's going on.
2) Suppose we cannot import the metadata; based on the sample xml given in the attachment, which fields should we fill?
3) In the user guide, there is one sentence: "Once you create a SAML provider, there is an EXPORT button that appears when viewing that provider. Clicking this button will export a SAML entity descriptor which you can use to"
Here "that provider" means keycloak as an SP provider? From the demo exported data, it seems so. Am I right?
To work with the 3rd party IDP, we should provide the exported metadata to the idp, shouldn't we?
I am not familiar with saml concept so any help will be greatly appreciated.
Mai
10 years

info about sso without login prompt

by Notarnicola, Mara

Dear all,
I'm using the keycloak js adapter in order to log users in to an application.
I need to integrate a previous system of authentication with this new one.
To do this, I use the user's credentials passed by the old system to automatically retrieve a keycloak grant by calling the related web service.
So I have the session data, but I'm not able to use single sign-on; in fact, when I open another tab the user isn't logged in anymore.
I need to know if there is a way to create an SSO session, and whether I must use cookies or browser local storage.
Thank you for your time
Sincerely,
Marianna Notarnicola
10 years

Login from Native App.

by Revanth Ayalasomayajula

Hi,
I am using Keycloak 1.5.0 to secure my applications and have an Android
application that requests data from these applications and displays that
information. I wanted to know if it is possible using keycloak that after a
user logs in, that user persists forever, like in the Gmail Android app where
it never asks the user to log in again once he logs in.
Thanks.
10 years