IDP SAMLV2.0 with Salesforce
by Henk Laracker
Hi,
I like to use Salesforce as Identity Provider, the metadata provided by salesforce can be imported.
But I need to specify the Service Provider in salesforce, I have to fill in a couple of fields, but two of them I don’t understand (and are mandatory). Does someone have any clue
1. entity id , remark of salesforce : get this value from your serviceprovider
2. ACS URL, remark of slaesforce : The assertion consumer service. Get this value from your service provider.
I have tried a lot of values but every-time I click the saml button on my app, it redirects to salesforce but I get a page with the error : Error: Unable to resolve request into a Service Provider
Henk
10 years, 11 months
Migrating custom user database to Keycloak
by Anton Hughes
Hello
Im currently investigating using Keycloak as a solution to manage users, as
well as authentication and authorization.
Currently, we have a jboss Errai application, and have a relational
database of users and their encrypted password.
Is there any tutorials, or advice, on how we would migrate our users to the
Keycloak IDM?
Thanks and regards
Anton
11 years
OAuth
by Fadi Abdin
I just created a simple javascript app to test my oauth keycloak
connections and implemented the calls to do the basic things ( except
revoke the token) .
My code is on github https://github.com/fadiabdeen/keycloak-oauth
<https://github.com/fadiabdeen/keycloak-oauth>
I was able to get a authorization code.
get a token
refresh the token
get the user information though validate
logout ( which only clears the session
I cant figure out how to revoke my access_token .. if anybody can help with
this then its great.
Thanks
11 years
Re: [keycloak-user] Application Management
by Thiago Presa
Hi there,
I'm Alex's coworker and I'll be working on this too.
We were just discussing your idea, and it seems to fit our requirements.
As far as we have seen, keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
realm master.
We are currently thinking if we could mimic this structure for
applications. What do you think?
> I had an idea a while back that is a simple way to achieve what you're asking for. Th> e idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:> * A user with admin (super user) role can grant any roles (we would need to add a per-> realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users > the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users > the roles on app2
>
> This is something we should add in either case (to prevent users granting
themselves more access). Would it solve your problems?
11 years
Re: [keycloak-user] Clarification on Remember Me Functionality
by Lohitha Chiranjeewa
Thanks for the suggestion. I will have to adjust both timeouts according to
my needs.
So is this the expected behavior of Keycloak or is there room for an
improvement? In my view, Remember Me functionality should work independent
of SSO Session Idle Timeout.
11 years
How touser Servlet OAuth Client
by Jérôme Blanchard
Hi all,
I'm trying to protect a servlet application which can be accessed either as
anonymous user and as authenticated user. Some resources are protected and
my application takes in charge the access control (not role based) so I
can't use the war protection using role user constraint.
In this case I've removed the role constraint in the web.xml and the
keycloak wildfly (undertow) adapter let me access the application as
unauthentified user (anonymous) which is perfect.
What I want to handle on some AccessDeniedException is to redirect the user
to the authentication server manually. In this case, user authentified an
come back to the protected URL but is no more anonymous but a authentified
user.
Is ther is a way to handle this redirection to the authentication server
manually (I don't know where to store the state variable allowing keycloak
wildfly adapter to handle properly the auth redirect that include the code).
Best regards, Jérôme.
11 years
Keycloak logging with log4j to use custom rolling appender
by Chamantha De Silva
Hi Team,
I'm trying to use Log4J for keycloak project as logging framework
since there are custom rolling appenders we have written with few value
additions.
I was referring to changing logging subsystem in wildfly (at keycloak/standalone/configuration/standalone.xml ),
but seems like I'm missing something.
How can I add a custom log4j rolling appender to Keycloak .
Best Regards,
Chamantha
11 years
Endpoints
by Fadi Abdin
Hello,
I'm wondering if there is documentation somewhere that lists the REST
services that we can use to (refresh , revoke and get profile info) ..
If anyone can help that will be great.
Thanks,
11 years
Clustering on localhost with shared DB
by Libor Krzyžanek
Hi,
I’m trying to achieve full user session replication which means when I’m logged in on node 1 and then hit node 2 then I expect to be logged in but I’m forced to log in again.
I have:
1. two localhost nodes with JBoss EAP 6.4 + War installation
2. Postgres
3. EAP cofigured based on http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering... <http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering...>
I triedeither
<distributed-cache name="sessions" mode="SYNC" owners=“2" />
<distributed-cache name="loginFailures" mode="SYNC" owners=“2" />
or
<replicated-cache name="sessions" mode="SYNC"/>
<replicated-cache name="loginFailures" mode="SYNC”/>
but with same result.
I’m starting nodes by
./jb1/bin/standalone.sh --server-config=standalone-ha.xml -Djboss.node.name=node1
./jb2/bin/standalone.sh --server-config=standalone-ha.xml -Djboss.socket.binding.port-offset=100 -Djboss.node.name=node2
both jb1 and jb2 are identical and they know each other (Received new cluster view: [node1/keycloak|1] [node1/keycloak, node2/keycloak])
How do you test clustering of KC please?
Thanks,
Libor Krzyžanek
jboss.org <http://jboss.org/> Development Team
11 years
