LDAP configuration
by Ayrton Araújo
I'm trying to add a new user federation provider to integrate Keycloak
with an LDAP server.
The parameters:
Console display name -> Active Directory
Priority -> 0
Edit Mode -> READ_ONLY
Sync Registrations -> OFF
Vendor -> Active Directory
Username LDAP attribute -> sAMAccountName
User Object Classes -> person, organizationPerson, user
Connection URL -> ldap://dom.example.com:389
Base DN -> DC=dom,DC=example,DC=com
User DN Suffix -> CN=Users
Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com
Bind Credential -> ********
Connection pooling -> ON
Pagination -> ON
Enable Account After Password Update -> OFF
Batch Size -> 100
Periodic Full Sync -> OFF
Periodic changed users sync -> ON
Changed users sync period -> 86400
I tried changing User DN Suffix to only Users, but it does not work. The log
always says:
LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012
(DIR_ERROR)
And it says this when it tries to parse the User DN Suffix.
Is there something wrong with my conf?
9 years, 4 months
Update user when "Email as username" enabled
by Scott Rossillo
If I’m using email as username, I can update the email address on a user via the admin API, but the username doesn’t update even when explicitly setting a new username. This is true in the KC admin console as well.
How do I update the username to match the new email address?
Thanks,
Scott
9 years, 4 months
IDP SAMLV2.0 with Salesforce
by Henk Laracker
Hi,
I would like to use Salesforce as the Identity Provider; the metadata provided by Salesforce can be imported.
But I need to specify the Service Provider in Salesforce. I have to fill in a couple of fields, but two of them I don’t understand (and they are mandatory). Does someone have any clue?
1. Entity ID, remark from Salesforce: get this value from your service provider
2. ACS URL, remark from Salesforce: The assertion consumer service. Get this value from your service provider.
I have tried a lot of values, but every time I click the SAML button on my app, it redirects to Salesforce and I get a page with the error: Error: Unable to resolve request into a Service Provider
Henk
9 years, 4 months
keycloak Identity broker for Custom Authentication
by Raghu Prabhala
Hi,
I am wondering if anyone implemented an Identity Broker for custom authentication? If so, would appreciate some input on how to achieve that?
I tried implementing one using the existing OIDC broker as the starting point, but the option to select this custom broker doesn't appear in the GUI. So my question is, what changes must be made in the GUI to make the custom broker visible? Appreciate any pointers.
Thanks, Raghu
9 years, 4 months
Cancel button handling on keycloak login page
by Roman Usatenko
Hello,
I am trying to implement a POC with Keycloak as the auth* server.
Here is my setup / use case:
- Tomcat server with keycloak adapter
- Web app with a URL http://x.y/app/secure
protected by a security constraint.
- An unauthenticated user goes to the URL and gets redirected by the
adapter to the keycloak login page.
- The user clicks the Cancel button and gets redirected back to the URL with
parameters ?error=access_denied&state=1%2Fxxxx
- This redirect is intercepted by the adapter and the user's browser gets a
400 error from the adapter. My application never receives the request.
So my questions are:
1. Is this a correct description of what's going on, or am I missing something?
2. If this is the behavior by design, wouldn't it be better, instead of the
400 error, to redirect the user to some themed page on the Keycloak server with
a nice explanation, like "We're sorry, but you cannot access this resource
without authentication, blablabla"?
Thank you,
Roman Usatenko.
9 years, 4 months
Cors not working Final 1.2
by Henk Laracker
Hi,
CORS headers are missing during the login procedure of Keycloak.
===============================
Step 1 - Prepare keycloak realm:
===============================
Create a simple Keycloak realm for testing.
===============================
Step 2 - Create a user
===============================
Add a user and a client to the realm
The client should be configured as follows:
Client Protocol openid-connect
Access Type public
Valid redirect uri's: http://localhost/*
http://localhost
Web origins: http://localhost/*
http://localhost
===============================
Step 3 - Create test application on tomcat
===============================
On a given tomcat server (I'm using localhost for this example) add 2 web applications:
app1 with a simple index.html
cors with a simple test.txt with the content "Some data"
The following URLs are now available:
http://localhost/app1/index.html
http://localhost/cors/test.txt
In http://localhost/app1/index.html create JavaScript which loads data from http://localhost/cors/test.txt
If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.
===============================
Step 4 - Adding keycloak to the applications
===============================
Add Keycloak configuration on "app1".
Add Keycloak configuration on "cors".
Additionally, add
"enable-cors": "true"
to the json file.
===============================
Step 5 - Log in to app1
===============================
If you log in to app1 in a new browser, the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using Chrome):
XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?....
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
If it loaded the data, make sure that you're logged out, or try it in private browsing mode.
===============================
Expected result
===============================
We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
9 years, 4 months
Re: [keycloak-user] Some Help to Write a Federation Provider
by pubudu gunawardena
Thanks Bill for your help.
> Date: Thu, 28 May 2015 08:51:41 -0400
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Some Help to Write a Federation Provider
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <55670F5D.4010103(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
> On 5/28/2015 7:30 AM, pubudu gunawardena wrote:
>> Hi All,
>>
>> I am writing a federation provider which performs authentication
>> against an RDBMS.
>> I am using keycloak 1.2.0.Final. I have looked at the sample
>> properties provider and would like to know a few things.
>>
>> In UserFederationProviderFactory
>> 1. UserFederationProviderFactory#create returns null in the example.
>> Do we not need to implement that?
>
> No. This method is not called.
>
>> 2. When is the UserFederationProviderFactory#close method called? Is
>> it when the server is shut down?
>
> Yes.
>
>> 3. When is the init method called? Is it called once per object instance?
>
> Factory.init() is only called once when the server boots. The config
> is pulled in from keycloak_server.json
>
>> 4. Is it only one instance of a given type
>> UserFederationProviderFactory that is created for the system?
>>
>
> Only one Factory instance is created for the server.
>
>> UserFederationProvider
>> 5. The javadoc for UserFederationProvider#getUserByUsername says
>> "Required to import into local storage any user found." does it mean
>> that I have to call keyCloakSession.userStorage().addUser(realm,
>> userName)? Do I have to do that even if the user has been already
>> previously imported into the system? Do I have to synchronize the user
>> data in that method?
>
> You do not have to test to see if the username exists in local storage.
> Keycloak will do that before calling this method.
>
>> 6. Same as question 5 for methods getUserByEmail and searchByAttributes.
>
> getUserEmail does not require that you check to see if the user exists
> in local storage. searchByAttribute, unfortunately does. The way you
> should implement is:
>
> 1. do your query
> 2. Loop on results
> 3. if result is not in local storage, import to local storage
> 4. add result to returned List<UserModel>
>
>> 7. When should I return false from method "isValid". What does
>> returning false from that method prevent? Is it importing/prevent user
>> from logging in/not show user in user list?
>
> Keycloak may call this method to determine if a user still exists or
> is still enabled in federated storage.
>
>> 8. In validCredentials(RealmModel realm, UserCredentialModel
>> credential) the javadoc says "Validate credentials of unknown user.".
>> When should I implement that method? How can an unknown user be
>> validated?
>
> This method is really only used for kerberos authentication against an
> LDAP database.
>
>> 9. When is the UserFederationProvider#close method called?
>>
>
> UserFederationProviders are created and closed once per request.
>
>> Any help is highly appreciated. If possible please mention how those
>> questions will relate to an RDBMS backed provider implementation.
>>
>
> Thanks, I'll add all this to the javadoc.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Thanks,
Pubudu
9 years, 4 months
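The four-step searchByAttributes flow Bill Burke describes in the reply above (query, loop, import if missing, add to the returned list), as an added example that is not part of the original thread and is not Keycloak code. The record types, `PROVIDER_ID`, the in-memory `LOCAL` map and the sample rows are stand-ins (assumptions) so the loop runs on its own with Java 16 or later.

```java
import java.util.*;

// Added illustration with stand-in types; none of this is the Keycloak SPI.
public class ImportOnSearchExample {
    record ExternalUser(String username, String email) {}          // a row in the RDBMS
    record LocalUser(String username, String email, String federationLink) {}

    static final String PROVIDER_ID = "rdbms-provider";            // hypothetical provider id
    static final Map<String, LocalUser> LOCAL = new LinkedHashMap<>(); // stand-in local storage
    static final List<ExternalUser> RDBMS = List.of(               // constructed sample rows
        new ExternalUser("alice", "alice@example.com"),
        new ExternalUser("bob", "bob@example.com"),
        new ExternalUser("carol", "carol@example.org"));

    // Step 1: the query. A real provider would run a parameterized SQL statement here.
    static List<ExternalUser> query(String emailSuffix, int maxResults) {
        return RDBMS.stream()
                .filter(u -> u.email().endsWith(emailSuffix))
                .limit(maxResults)
                .toList();
    }

    static List<LocalUser> search(String emailSuffix, int maxResults) {
        List<LocalUser> result = new ArrayList<>();
        for (ExternalUser ext : query(emailSuffix, maxResults)) {   // step 2: loop on results
            LocalUser local = LOCAL.get(ext.username());
            if (local == null) {                                    // step 3: import if missing
                local = new LocalUser(ext.username(), ext.email(), PROVIDER_ID);
                LOCAL.put(local.username(), local);
            }
            result.add(local);                                      // step 4: add to returned list
        }
        return result;
    }

    public static void main(String[] args) {
        // "alice" was imported by an earlier request; "bob" has never been seen locally.
        LOCAL.put("alice", new LocalUser("alice", "alice@example.com", PROVIDER_ID));
        List<LocalUser> found = search("@example.com", 10);
        System.out.println(found.size() + " returned, " + LOCAL.size() + " in local storage");
        search("@example.com", 10);                                 // repeat: no duplicate import
        System.out.println(LOCAL.size() + " in local storage after second search");
    }
}
```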
Some Help to Write a Federation Provider
by pubudu gunawardena
Hi All,
I am writing a federation provider which performs authentication
against an RDBMS.
I am using keycloak 1.2.0.Final. I have looked at the sample
properties provider and would like to know a few things.
In UserFederationProviderFactory
1. UserFederationProviderFactory#create returns null in the example.
Do we not need to implement that?
2. When is the UserFederationProviderFactory#close method called? Is
it when the server is shut down?
3. When is the init method called? Is it called once per object instance?
4. Is it only one instance of a given type
UserFederationProviderFactory that is created for the system?
UserFederationProvider
5. The javadoc for UserFederationProvider#getUserByUsername says
"Required to import into local storage any user found." does it mean
that I have to call keyCloakSession.userStorage().addUser(realm,
userName)? Do I have to do that even if the user has been already
previously imported into the system? Do I have to synchronize the user
data in that method?
6. Same as question 5 for methods getUserByEmail and searchByAttributes.
7. When should I return false from method "isValid". What does
returning false from that method prevent? Is it importing/prevent user
from logging in/not show user in user list?
8. In validCredentials(RealmModel realm, UserCredentialModel
credential) the javadoc says "Validate credentials of unknown user.".
When should I implement that method? How can an unknown user be
validated?
9. When is the UserFederationProvider#close method called?
Any help is highly appreciated. If possible please mention how those
questions will relate to an RDBMS backed provider implementation.
--
Thanks,
Pubudu
9 years, 4 months