Problem using SAML IdP
by Jérôme Blanchard
Hi,
I'm trying to integrate keycloak into a the french research federation of
identity (renater) and I'm facing some problems.
Actually, when IdP respond to keycloak i'm getting the following error :
PL00084: Writer: Unsupported Attribute
Value:org.keycloak.dom.saml.v2.assertion.NameIDType
It seems that this IdP is using transient NameID policy only and using the
unspecified field in the idp config in keycloak generate this exception as
a return.
Log of the keycloak server is joined.
I have no idea of what happening because when I was using the test
federation, everything was working but no I'm in the production federation,
login fails.
The renater federation is using Shibolleth and keycloak is not supported by
federation moderators so I'm alone in the dark now...
Renater provides an IdP list that I have to parse and synchronized with IdP
in keycloak. As a return I provide a list of all endpoints for each
keycloak registered IdP to allow federation IdP to answear correctly to the
right endpoint. All of this is done by a small web app deployed aside
keycloak and using REST API to synchronize all the IdP.
One of the IdP entity descriptor is joined. As you can see, only transient
nameid policy is supported and if I configure keycloak to use email or
persistent, I received a response saying that the nameid is not supported :
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="
https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..."
Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="
https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..."
ID="_9d03761957aade819b6823c35bbab278"
InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required
NameID format not
supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
Any help would be gracefully appreciated.
Thanks a lot, Jérôme.
8 years, 10 months
KEYCLOAK w/ NGINX Reverse Proxy
by Christopher Wallace
Community, I have spent a decent amount of time attempting to get KEYCLOAK
behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work
without the proxy, but I need the proxy to handle certificates. I think I
am pretty close to having it working, but somethings seems to be missing...
I have done the following. I appreciate any insight you may have as I think
I have exhausted other resources.
*1. Configure a server in NGINX*
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
ssl_certificate_key /etc/ssl/certs/*.domain.key;
server_name sso2. domain.com;
access_log /var/log/nginx/nginx.sso.access.log;
error_log /var/log/nginx/nginx.sso.error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
proxy_pass http://internalip:8080;
}
}
*2. Enable SSL on a Reverse Proxy*
First add proxy-address-forwarding and redirect-socket to the http-listener
element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
...
<http-listener name="default" socket-binding="http"
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group>
*RECIVE THE FOLLOWING ERROR in TOMCAT:*
1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator -
failed to turn code into token
org.apache.http.conn.HttpHostConnectException: Connection to
https://sso2.domain.com refused
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
~[httpclient-4.2.1.jar:4.2.1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189)
[keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28)
[keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
[lib/:na]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170)
[keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
[lib/:na]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
[lib/:na]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
[lib/:na]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
[lib/:na]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
[lib/:na]
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
[tomcat-coyote.jar:8.0.18]
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
[tomcat-coyote.jar:8.0.18]
at
org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
[tomcat-coyote.jar:8.0.18]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
[tomcat-coyote.jar:8.0.18]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
[tomcat-coyote.jar:8.0.18]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[na:1.8.0_25]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[na:1.8.0_25]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:8.0.18]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
Caused by: java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
~[na:1.8.0_25]
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
~[na:1.8.0_25]
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
~[na:1.8.0_25]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649)
~[na:1.8.0_25]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
~[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
~[httpclient-4.2.1.jar:4.2.1]
... 29 common frames omitted
8 years, 10 months
retrieving group membership info from LDAP/AD
by Mahantesh Prasad Katti
Hi All,
In our application, we integrate with Microsoft AD for authenticating users. As part of the authentication result, we also fetch group information for the user authenticated. We also have a pre-defined group-role mapping defined in the application server [This is a JEE configuration file]. This helps decide whether a particular user based on the role he belongs to can access a resource or not. I read another thread "Apply group membership filter on ldap login <http://lists.jboss.org/pipermail/keycloak-user/2015-December/003982.html> " on similar lines. Couple of clarifications.
1. Based on what I read there is no feature to get roles and map them to specific roles in keycloak and would be available in a future release. I just wanted to understand if my reading of this is on the right lines. Also, wanted to know if there's a workaround for this in the short term.
2. Also does keycloak provide fine grained access control on the lines of apache shiro?
Thanks
Prasad
8 years, 10 months
Adapter 1.3.1 on EAP 6.3.2
by Mitja Strojanšek
We have REST services on EAP 6.3.2 with adapter 1.3.1 and gateway server
WF 8.2 with 1.3.1 server. This configuration doesn't work. Our test case
works on WF 8.2 server with adapter 1.3.1.
Does anybody has idea, why it shouldn't work also with EAP 6.3.2? Are
there any incompatibilities?
--
*Mitja*
8 years, 10 months
Re: [keycloak-user] Different theme for each client
by Travis De Silva
Hi,
My vote is to provide this feature at a client level as per the original
request.
I think realms should be used for completely different domains when we want
to isolate users etc. Should not try and use it for something that it was
not intended in the design.
The reason why you might need theming at client level is iif you really
think that clients which are essentially different applications most of the
time and each of these applications might have different look and feel
themes (either due to different development teams or vendors building
different applications).
So when someone logins via KeyCloak, its true that we are logging into a
realm but for an end user, it is really logging into a application and
there is a need for the login page theme to look similar to the application
look and feel.
Also I have a use case where I have a back office application that requires
login for admin users and then I have the front office of this application
where in addition to the admin users, you also can have other users as well
who can self register and login to the front end which is a consumer facing
site.
How I handle this is by having two clients in the same realm. This works
fine if you are happy with the same backend login theme to be there for the
consumer facing frontend. But we cannot do that as the front end is a
consumer facing SaaS site, so each front end needs to have the client's
website theme. This becomes very hard to do if we don't have theming at a
client level.
I came across this post from Bill a few months ago
http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
I am thinking to make use of the client variable that is available in
login.ftl and load different freemarker fragments that will then theme it
differently for each client. As mentioned by Bill, having many if
conditions might not be ideal but it might meet the requirement.
Cheers
Travis
8 years, 10 months
Additional jpaConnectionProvider for UserFederation via database
by Matuszak, Eduard
Hello
I am trying to implement a userfederation-provider based on a jpa-connection. My approach was:
According to an additional datasource-defintion for the federated DB in the standalone.xml
<datasource jta="true" jndi-name="java:jboss/datasources/CCPDS" pool-name="CCPDS" enabled="true" use-ccm="true">
<connection-url>jdbc:oracle:thin:@servername:1521:schemaname</connection-url>
..
, I tried to register this datasource as an additional connectionJpa-entry in keycloak-server.json as follows:
..
"connectionsJpa": {
"default": {
"dataSource": "java:jboss/datasources/CCPKCDS",
"databaseSchema": "update"
},
"FED-DB": {
"dataSource": "java:jboss/datasources/CCPDS"
}
},
..
According to these configuration I hoped to be able to establish the appropriate entity manager by coding:
// Get the appropriate entity manager from the KeycloakSession
EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager();
This did not work, indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1):
Set<JpaConnectionProvider> JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class);
My question is: isn't it in principle possible to register a second jpaConnector additionally to the default one or is there something missing or wrong in my approach?
Thanks for any help in advance.
Best regards, Eduard Matuszak
Dr. Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak(a)atos.net<mailto:eduard.matuszak@atos.net>
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
de.worldline.com<http://worldline.com/de/1/Home.html>
worldline.jobs.de<http://worldline.jobs.de>
facebook.com/WorldlineKarriere<http://www.facebook.com/WorldlineKarriere>
Worldline GmbH
Geschäftsführer: Wolf Kunisch
Aufsichtsratsvorsitzender: Christophe Duquenne
Sitz der Gesellschaft: Frankfurt/Main
Handelsregister: Frankfurt/Main HRB 40 417
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
8 years, 11 months
Spring Security annotation problem
by Andrey Saroul
Hello! I'm just a begginer in Spring Security, but I would like to know is
it possible to configure keycloak in a way that I can use @PreAuthorize,
@PostAuthorize, @Secured and other annotations.
For example, I've configured the keycloak-spring-security-adapter and
Spring Security in my simple Spring Rest webapp so that I have access to
Principal object in my controller, like this:
@RestController
public class TMSRestController {
@RequestMapping("/greeting")
public Greeting greeting(Principal principal,
@RequestParam(value="name") String name) {
return new Greeting(String.format(template, name));
}
...
}
But when I try this (just an example, actually I want to execute custom EL
expression before authorization):
@RestController
public class TMSRestController {
@RequestMapping("/greeting")
@PreAuthorize("hasRole('ADMIN')")
public Greeting greeting(Principal principal,
@RequestParam(value="name") String name) {
return new Greeting(String.format(template, name));
}
...
}
... I get
exception: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
An Authentication object was not found in the SecurityContext
What do I need to make this spring security annotations work?
8 years, 11 months
Login Rest Service Service Delay
by Satyajit Das
Hi Team,
We are using login restful service of 1.4.0 final version.
Sometimes the login takes quite some time(around 15 secs) to fetch the
token id given back by login service.
On subsequent call for login rest service takes very less time(75 milisecs)
This is a complete random behavior.
Kindly let me know how to overcome this issue.
below is the snap of Token timeouts.
[image: Inline image 1]
Regards,
Satya.
8 years, 11 months
Re: [keycloak-user] keycloak-user Digest, Vol 24, Issue 111
by Niels Bertram
+1 we have similar requirements where we like to use different themes for
hybrid mobile app clients and traditional responsive web (site) clients
Date: Thu, 31 Dec 2015 10:49:28 +0200
From: Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
Subject: Re: [keycloak-user] Different theme for each client
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID:
<CAPyAMobFqJRKzfJdN9=-EUTxUKPr68vCwuwuKzQ9rwaoO6tuoA(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
+1 as I have a similar use-case from a customer.
On Thu, Dec 31, 2015 at 10:46 AM, Travis De Silva <traviskds(a)gmail.com>
wrote:
> Hi,
>
> My vote is to provide this feature at a client level as per the original
> request.
>
> I think realms should be used for completely different domains when we
> want to isolate users etc. Should not try and use it for something that it
> was not intended in the design.
>
> The reason why you might need theming at client level is iif you really
> think that clients which are essentially different applications most of
the
> time and each of these applications might have different look and feel
> themes (either due to different development teams or vendors building
> different applications).
>
> So when someone logins via KeyCloak, its true that we are logging into a
> realm but for an end user, it is really logging into a application and
> there is a need for the login page theme to look similar to the
application
> look and feel.
>
> Also I have a use case where I have a back office application that
> requires login for admin users and then I have the front office of this
> application where in addition to the admin users, you also can have other
> users as well who can self register and login to the front end which is a
> consumer facing site.
>
> How I handle this is by having two clients in the same realm. This works
> fine if you are happy with the same backend login theme to be there for
the
> consumer facing frontend. But we cannot do that as the front end is a
> consumer facing SaaS site, so each front end needs to have the client's
> website theme. This becomes very hard to do if we don't have theming at a
> client level.
>
> I came across this post from Bill a few months ago
> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>
> I am thinking to make use of the client variable that is available in
> login.ftl and load different freemarker fragments that will then theme it
> differently for each client. As mentioned by Bill, having many if
> conditions might not be ideal but it might meet the requirement.
>
> Cheers
> Travis
8 years, 11 months