I want to implement the SAML Service Provider (SP) for my application. I
used PicketLink earlier (servlet filter) to configure my application as a
SAML SP. However, when I tried the same with Keycloak, it is not working as
expected. There is no proper documentation/example on how the Keycloak SAML SP
configuration has to be done.
I did the following things.
1. Copied all the jars (keycloak-saml-eap6-adapter-dist) into my jboss/lib
2. Configured the security domain as below
3. I built the Keycloak SAML example "redirect-with-signature" and deployed it.
4. I am using PicketLink as my IDP.
5. The redirect does not redirect to my PicketLink IDP.
Can someone tell me how to configure the Keycloak SAML SP?
We have a situation where users have both HTML5-based web applications and
native iOS apps, accessed from iPads.
The requirement is that users access the web-based application within an
iPad, which will be redirected to the Keycloak IDP server for login.
Once the user logs in, the next time the same user just taps on the native app
within the same device, it should not prompt again for userid/password;
rather, SSO takes care of it.
We need to design this so that users can toggle back and forth among mobile
browser apps and mobile apps.
This is ideal for agents and sales reps, who need to switch quickly among
programs while on the go.
Would like to know: is this something Keycloak with SAML 2.0 supports out
of the box, please?
Thanks and Regards
Can anyone still help a poor guy on a Friday afternoon?
What is the URL I need to have the sign-in button pointing to, in my Spring
web app, that will ask me to log in via Keycloak and redirect me back
exactly to the page I made the request from?
Forgot to reply to all ;-)
---------- Forwarded message ----------
From: Bystrik Horvath <bystrik.horvath(a)gmail.com>
Date: Fri, Nov 27, 2015 at 12:18 PM
Subject: Re: [keycloak-user] Limiting the admin REST API
Thank you for the answer. A custom endpoint would be the nicer option for me, as I
would like to, e.g., let the calling application use its own set of user
attributes (e.g. the name of the university) and remap them onto custom
attributes of the user representation. Is there any way to add my own endpoint
to Keycloak (when the SPI is not ready for that option)?
On Fri, Nov 27, 2015 at 12:05 PM, Stian Thorgersen <sthorger(a)redhat.com>
> Another option is that you use scope to prevent this. I imagine you will
> want to have a separate set of roles for your calling app in either case.
> In which case you make sure that you limit the scope of the clients.
> On 27 November 2015 at 12:04, Stian Thorgersen <sthorger(a)redhat.com>
>> Pressed send too early. We are planning to add an SPI to allow deploying
>> your own REST endpoints. Once we have that we can also add an option to
>> disable admin endpoints. Although the Keycloak admin console wouldn't work
>> On 27 November 2015 at 12:03, Stian Thorgersen <sthorger(a)redhat.com>
>>> In that case I'd say you should rather not deploy the admin endpoints at
>>> all and instead add your own custom endpoints.
>>> On 27 November 2015 at 11:08, Bystrik Horvath <bystrik.horvath(a)gmail.com> wrote:
>>>> Hello everyone,
>>>> I would like to limit the functionality of the admin REST API to the
>>>> calling user/application.
>>>> The motivation is not to expose the "internals" of Keycloak and to put
>>>> some logic between the calling app and the admin REST API.
>>>> My idea was to create a simple web application deployed on the Keycloak
>>>> server that belongs to the same realm as the calling application and the realm
>>>> management application.
>>>> Would you recommend that approach? Or is there anything more suitable
>>>> (e.g. implement it as a Keycloak valve, etc.)?
>>>> Thank you for your opinions.
>>>> Best regards,
>>>> keycloak-user mailing list
While I totally agree that any configuration of the brute-force detection should require the realm-management role, I'd like to raise the question of whether clearing failed attempts should be that restrictive.
This affects the following service endpoints:
We would like to enable call center agents to unlock specific users, but giving them realm-management permissions doesn't feel right. Wouldn't user-management be a more appropriate permission for these endpoints, or are there side effects to consider?
The email address is unique within one realm. Is there a possibility to fulfill the requirement of having different users (different usernames) for different applications within one realm, which are managed and used by the same person/entity?
(gets roles for every client within the realm)
(get roles from only one client within the realm)
Is this unambiguity of the email address configurable?
Does someone have documentation on how to implement Keycloak with Google Apps?
I tried to implement a SAML client in a Keycloak realm but I'm lost
with the settings when creating one.
I tried to use the official documentation and to search on the web, but
to no avail.
If someone could point me to what settings to use in the SAML client I
created, it would be great.
I already took the key generated for the realm and uploaded it to Google Apps.