AD ObjectGUID User Federation Mappers
by Kenyatta Clark
I am trying to create a user federation mapper to map the object from Active Directory to an attribute in the JWT. I have successfully mapped other Active Directory attributes but I am unable to get the ObjectGUID to map at all. I remembered that the ObjectGUID needs to be converted from a byte array to a string. Does Keycloak take care of that conversion? What is the best way to map the ObjectGUID?
9 years, 5 months
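The byte-array-to-string conversion the question refers to, as an added example that is not part of the original post and not Keycloak code. Active Directory returns objectGUID as 16 raw bytes in the Windows GUID layout (the first three fields little-endian), so a plain hex dump gives the wrong string; the sample bytes below are constructed.

```python
import uuid

# Constructed sample: 16 raw bytes as AD would return them for objectGUID.
SAMPLE_OBJECT_GUID = bytes(range(1, 17))  # 01 02 03 ... 10


def object_guid_to_string(raw: bytes) -> str:
    """Convert the raw objectGUID attribute value to its canonical string.

    AD stores the GUID in the Windows layout: Data1 (4 bytes), Data2 (2)
    and Data3 (2) are little-endian, the trailing 8 bytes are in order.
    uuid.UUID(bytes_le=...) applies exactly that byte swapping.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def string_to_object_guid(text: str) -> bytes:
    """Inverse: canonical GUID string back to the raw 16-byte AD value."""
    return uuid.UUID(text).bytes_le


def object_guid_ldap_filter(text: str) -> str:
    """Build an LDAP filter that looks an entry up by its objectGUID.

    A binary value in a search filter is escaped as \\xx per byte
    (RFC 4515) in the raw AD byte order, not in the string form.
    """
    raw = string_to_object_guid(text)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


if __name__ == "__main__":
    guid = object_guid_to_string(SAMPLE_OBJECT_GUID)
    print(guid)  # 04030201-0605-0807-090a-0b0c0d0e0f10
    print(object_guid_ldap_filter(guid))
```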
Re: LDAP with Kerberos, login with different user
by Michael Gerber
Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
Michael
On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
Hence you need to remove the kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the keycloak login screen and login as a different user.
Marek
On 22.7.2015 15:38, Michael Gerber wrote:
Hi all,
I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
Is that possible?
cheers
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9 years, 5 months
Deploy Keycloak from within IntelliJ IDEA
by Rodrigo Sasaki
Hello everyone,
I haven't used Keycloak since version 1.0.2, which we have now in
production. But now Keycloak has so many new features that we decided to
migrate to 1.3.1.Final.
This is a very specific issue, maybe this has already been discussed
before, and if it has I'd like to ask you to direct me to that thread.
Anyways, I want to deploy Keycloak from within IntelliJ IDEA, on version
1.0.2 all I had to do was add an artifact of keycloak-server on the
deployment and it was done, but that no longer exists and I don't seem to
find a replacement for it.
What I do now is add a step to execute a maven goal to package the war and
I created an artifact based on that war to deploy it, it works fine but I
believe there must be a simpler solution, and doing it like this I can't
use JRebel to hot deploy my alterations as well.
Is there a way to do what I'm trying to do? I'll be happy to provide you
more information if necessary.
Cheers,
Rodrigo Sasaki
9 years, 5 months
Is it possible to complete a login process with a program?
by Mai Zi
Hi, there,
I am new in this domain so pls help me even my question looks too naive.
What I want to do is as below:
1) Add a user with the RESTful API.
2) Get the token with a direct access grant.
All of the above will happen from a program.
We can add a user, but cannot get the token. It seems the user cannot log in.
Did we miss something?
Is there any example code ?
Thanks in advance.
Mai
9 years, 5 months
Re: Re: LDAP with Kerberos, login with different user
by Michael Gerber
Ok, so that won't solve my problem.
I guess there is no other way than a cookie or a parameter to bypass kerberos.
On 23 July 2015 at 14:20, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: "Marek Posolda" <mposolda(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 23 July, 2015 2:12:13 PM
Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user
TBH I have not checked out 1.4 yet. But I will have a look at it as soon as
it's out.
It would solve my problem, if 1.4 offers a way to create impersonated users
and login with username and password even if kerberos is enabled.
1.4 offers a way for an admin to impersonate another user without specifying the users password - this doesn't provide a mechanism to login with username/password
On 23 July 2015 at 13:33, Marek Posolda <mposolda(a)redhat.com> wrote:
Ah, Ok. So it's about admin users. Also note that in latest 1.4 version we
will have new "impersonation" feature, which allows admin to temporarily
login on behalf of any other user. Isn't this even better for your usecase?
Marek
On 23.7.2015 08:41, Michael Gerber wrote:
Hi, yes something like that would be great.
Because our application admins are no tech guys, so it would be nice to offer
an easy solution to them ;)
On 23 July 2015 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
Maybe we can have a special request parameter, which will be sent from
the application to the login screen. The parameter will contain a list of
authentication mechanisms, which you want to skip for this login. Something
like "skipAuthType=cookie,kerberos" . The list of skipped alternative
mechanisms will be saved in ClientSession, so authentication SPI can deal
with it.
Not sure if it makes sense to add support into adapter, but maybe something
basic (like we have for parameters "login_hint" or "kc_idp_hint" in
keycloak.js) can be added as well?
Marek
On 23.7.2015 08:26, Marek Posolda wrote:
Do you want that for normal users or just for admin users? Just trying to
understand the usecase. Because AFAIK the point of kerberos is, that you
login into the desktop and then you're automatically logged into integrated
web applications without need to deal with any login screens and
username/password. When a user has just one keycloak account corresponding to
his kerberos ticket, then why does he need to login as a different user?
I can understand the usecase for admin, when you want to login as different
user for testing purpose etc. For this, isn't it possible in windows to do
something like "kdestroy" to be able to login without kerberos?
Marek
On 23.7.2015 07:44, Michael Gerber wrote:
Isn't it possible to create a cookie or add a URL parameter after the
logout, so the user is not logged in automatically?
It's crucial for us to be able to log in as a different user, otherwise we
can not use kerberos at all :(
Michael
On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
I don't think it's doable. Kerberos is kind of desktop login and logout from
the web application won't destroy the kerberos ticket - similarly like it
can't logout your laptop/desktop session. So when you visit the secured
application next time, you are automatically logged into Keycloak through
SPNEGO due to the Kerberos ticket.
Hence you need to remove the kerberos ticket manually (for example "kdestroy"
works on Linux, but I guess you're using Windows + ActiveDirectory?) and
then you will be able to see the keycloak login screen and login as a different
user.
Marek
On 22.7.2015 15:38, Michael Gerber wrote:
Hi all,
I use LDAP with Kerberos and would like to logout and login again with a
different user (no kerberos login, just keycloak username and password
dialog).
Is that possible?
cheers
Michael
9 years, 5 months
Re: LDAP with Kerberos, login with different user
by Michael Gerber
TBH I have not checked out 1.4 yet. But I will have a look at it as soon as it's out.
It would solve my problem, if 1.4 offers a way to create impersonated users and login with username and password even if kerberos is enabled.
On 23 July 2015 at 13:33, Marek Posolda <mposolda(a)redhat.com> wrote:
Ah, Ok. So it's about admin users. Also note that in latest 1.4 version we will have new "impersonation" feature, which allows admin to temporarily login on behalf of any other user. Isn't this even better for your usecase?
Marek
On 23.7.2015 08:41, Michael Gerber wrote:
Hi, yes something like that would be great.
Because our application admins are no tech guys, so it would be nice to offer an easy solution to them ;)
On 23 July 2015 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms, which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in ClientSession, so the authentication SPI can deal with it.
Not sure if it makes sense to add support into adapter, but maybe something basic (like we have for parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
Marek
On 23.7.2015 08:26, Marek Posolda wrote:
Do you want that for normal users or just for admin users? Just trying to understand the usecase. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When a user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as a different user?
I can understand the usecase for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
Marek
On 23.7.2015 07:44, Michael Gerber wrote:
Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
Michael
On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
Hence you need to remove the kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the keycloak login screen and login as a different user.
Marek
On 22.7.2015 15:38, Michael Gerber wrote:
Hi all,
I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
Is that possible?
cheers
Michael
9 years, 5 months
Re: [keycloak-user] LDAP with Kerberos, login with different user
by Marek Posolda
Ah, Ok. So it's about admin users. Also note that in latest 1.4 version
we will have new "impersonation" feature, which allows admin to
temporarily login on behalf of any other user. Isn't this even better
for your usecase?
Marek
On 23.7.2015 08:41, Michael Gerber wrote:
> Hi, yes something like that would be great.
> Because our application admins are no tech guys, so it would be nice
> to offer an easy solution to them ;)
>
> On 23 July 2015 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> Maybe we can have a special request parameter, which will be sent from
>> the application to the login screen. The parameter will contain a list of
>> authentication mechanisms, which you want to skip for this login.
>> Something like "skipAuthType=cookie,kerberos" . The list of skipped
>> alternative mechanisms will be saved in ClientSession, so
>> authentication SPI can deal with it.
>>
>> Not sure if it makes sense to add support into adapter, but maybe
>> something basic (like we have for parameters "login_hint" or
>> "kc_idp_hint" in keycloak.js) can be added as well?
>>
>> Marek
>>
>> On 23.7.2015 08:26, Marek Posolda wrote:
>>> Do you want that for normal users or just for admin users? Just
>>> trying to understand the usecase. Because AFAIK the point of
>>> kerberos is, that you login into the desktop and then you're
>>> automatically logged into integrated web applications without need
>>> to deal with any login screens and username/password. When a user has
>>> just one keycloak account corresponding to his kerberos ticket, then
>>> why does he need to login as a different user?
>>>
>>> I can understand the usecase for admin, when you want to login as
>>> different user for testing purpose etc. For this, isn't it possible
>>> in windows to do something like "kdestroy" to be able to login
>>> without kerberos?
>>>
>>> Marek
>>>
>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>> Isn't it possible to create a cookie or add a URL parameter after
>>>> the logout, so the user is not logged in automatically?
>>>>
>>>> It's crucial for us to be able to log in as a different user,
>>>> otherwise we can not use kerberos at all :(
>>>>
>>>> Michael
>>>>
>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>
>>>>> I don't think it's doable. Kerberos is kind of desktop login and
>>>>> logout from the web application won't destroy the kerberos ticket
>>>>> - similarly like it can't logout your laptop/desktop session. So
>>>>> when you visit the secured application next time, you are
>>>>> automatically logged into Keycloak through SPNEGO due to the
>>>>> Kerberos ticket.
>>>>>
>>>>> Hence you need to remove the kerberos ticket manually (for example
>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>> ActiveDirectory?) and then you will be able to see the keycloak login
>>>>> screen and login as a different user.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I use LDAP with Kerberos and would like to logout and login again
>>>>>> with a different user (no kerberos login, just keycloak username
>>>>>> and password dialog).
>>>>>> Is that possible?
>>>>>>
>>>>>> cheers
>>>>>> Michael
9 years, 5 months
LDAP with Kerberos, login with different user
by Michael Gerber
Hi all,
I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
Is that possible?
cheers
Michael
9 years, 5 months
problems getting started with tomcat
by Tim Dudgeon
Hi all,
I'm trying to get started with keycloak, but struggling with getting
started with tomcat.
I think I've followed the instructions described here:
http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter
I'm using clean tomcat 7.0.57 distro and have copied the jars from
keycloak-tomcat7-adapter-dist-1.3.1.Final.tar.gz download to the lib folder.
But nothing I can do can trigger an authentication redirect.
I've attached a very simple war file that illustrates this and contains:
43 07-22-15 17:38 index.html
0 07-22-15 17:40 META-INF/
159 07-22-15 17:40 META-INF/context.xml
0 07-22-15 17:43 WEB-INF/
632 07-22-15 17:38 WEB-INF/keycloak.json
1207 07-22-15 17:43 WEB-INF/web.xml
Can someone help spot what is wrong?
Sorry for the basic nature of this, but, as always, the hardest part of
flying is getting off the ground.
Tim
9 years, 5 months