I like to use Salesforce as Identity Provider, the metadata provided by salesforce can be imported.
But I need to specify the Service Provider in Salesforce. I have to fill in a couple of fields, but two of them I don't understand (and they are mandatory). Does someone have any clue?
1. Entity ID, remark of Salesforce: get this value from your service provider
2. ACS URL, remark of Salesforce: The assertion consumer service. Get this value from your service provider.
I have tried a lot of values but every time I click the SAML button on my app, it redirects to Salesforce but I get a page with the error: Error: Unable to resolve request into a Service Provider
I'm currently investigating using Keycloak as a solution to manage users, as
well as authentication and authorization.
Currently, we have a JBoss Errai application, and have a relational
database of users and their encrypted password.
Are there any tutorials, or advice, on how we would migrate our users to the
Thanks and regards
connections and implemented the calls to do the basic things (except
revoke the token).
My code is on github https://github.com/fadiabdeen/keycloak-oauth
I was able to get an authorization code.
get a token
refresh the token
get the user information through validate
logout (which only clears the session)
I can't figure out how to revoke my access_token. If anybody can help with
this then it's great.
I'm Alex's coworker and I'll be working on this too.
We were just discussing your idea, and it seems to fit our requirements.
As far as we have seen, Keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
We are currently thinking about whether we could mimic this structure for
applications. What do you think?
> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:
> * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> This is something we should add in either case (to prevent users granting
> themselves more access). Would it solve your problems?
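The rule sketched in the quoted reply (an admin may only grant roles the admin already holds, a super user may grant anything) as an added example that is not code from the thread or from Keycloak; `User`, `can_grant`, `grant` and the `super-user` role name are assumptions for illustration.

```python
"""Added example: a minimal 'grant only what you hold' authorization check.
Names here are illustrative assumptions, not Keycloak's own API."""
from dataclasses import dataclass, field

SUPER_USER = "super-user"      # hypothetical per-realm super user role (assumption)
MANAGE_USERS = "manage-users"  # realm-management role named in the thread


@dataclass
class User:
    name: str
    realm_roles: set = field(default_factory=set)
    # application roles: app name -> set of role names held on that app
    app_roles: dict = field(default_factory=dict)


def can_grant(admin: User, app: str, role: str) -> bool:
    """True if `admin` may grant `role` on application `app`.

    Super users may grant anything; everyone else must hold manage-users
    AND already hold the exact role on that app. Because the check is on
    the admin's own roles, an admin cannot escalate by granting to self.
    """
    if SUPER_USER in admin.realm_roles:
        return True
    if MANAGE_USERS not in admin.realm_roles:
        return False
    return role in admin.app_roles.get(app, set())


def grant(admin: User, target: User, app: str, role: str) -> None:
    """Apply the check before mutating the target user's roles."""
    if not can_grant(admin, app, role):
        raise PermissionError(f"{admin.name} may not grant {app}:{role}")
    target.app_roles.setdefault(app, set()).add(role)
```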
Thanks for the suggestion. I will have to adjust both timeouts according to
So is this the expected behavior of Keycloak, or is there room for an
improvement? In my view, Remember Me functionality should work independently
of SSO Session Idle Timeout.
I'm trying to protect a servlet application which can be accessed either as an
anonymous user or as an authenticated user. Some resources are protected and
my application takes charge of the access control (not role based), so I
can't use the WAR protection using a role user constraint.
In this case I've removed the role constraint in the web.xml and the
Keycloak WildFly (Undertow) adapter lets me access the application as an
unauthenticated user (anonymous), which is perfect.
What I want to handle on some AccessDeniedException is to redirect the user
to the authentication server manually. In this case, the user authenticates and
comes back to the protected URL but is no longer anonymous but an authenticated
Is there a way to handle this redirection to the authentication server
manually? (I don't know where to store the state variable allowing the Keycloak
WildFly adapter to handle properly the auth redirect that includes the code.)
Best regards, Jérôme.
I'm trying to use Log4J as the logging framework for the Keycloak project,
since there are custom rolling appenders we have written with a few value
I was referring to changing the logging subsystem in WildFly (at keycloak/standalone/configuration/standalone.xml),
but it seems like I'm missing something.
How can I add a custom Log4J rolling appender to Keycloak?
In section 22.1. SAML Entity Descriptor
of the documentation it says that the URL where you can view the XML entity
descriptor for the IDP is
but after trial and error I found that actually the URL is
So can we create a JIRA request for these types of issues, or is there a
I'm trying to achieve full user session replication, which means when I'm logged in on node 1 and then hit node 2, I expect to be logged in, but I'm forced to log in again.
1. two localhost nodes with JBoss EAP 6.4 + WAR installation
3. EAP configured based on http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering...
<distributed-cache name="sessions" mode="SYNC" owners="2" />
<distributed-cache name="loginFailures" mode="SYNC" owners="2" />
<replicated-cache name="sessions" mode="SYNC"/>
<replicated-cache name="loginFailures" mode="SYNC"/>
but with same result.
I'm starting the nodes with
./jb1/bin/standalone.sh --server-config=standalone-ha.xml -Djboss.node.name=node1
./jb2/bin/standalone.sh --server-config=standalone-ha.xml -Djboss.socket.binding.port-offset=100 -Djboss.node.name=node2
Both jb1 and jb2 are identical and they know each other (Received new cluster view: [node1/keycloak|1] [node1/keycloak, node2/keycloak]).
How do you test clustering of KC, please?
jboss.org Development Team