Realm persistence
by Martin Min
Hello,
I set up a KeyCloak server and created a realm and an application on a
computer, which I can access through localhost:8080/auth.
If I use this same KeyCloak server (copy the whole keycloak directory to
another computer), can I get the same realm and application up without any
additional configuration?
Thank you.
8 years, 11 months
Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty
by Edgar Vonk - Info.nl
Hi,
I would like to use the Full Name User Federation Mapper to set the CN attribute in Active Directory from Keycloak. If I am not mistaken this is currently not possible in Keycloak because on creation of the user the only thing that is available is the username and no other user attributes (see UserFederationManager#addUser(RealmModel realm, String username)).
Since the CN is mandatory it needs to be set during creation of the user object in AD (and in any LDAP server). With our current configuration with the Full Name mapper enabled and configured to map to the CN attribute we cannot create users from Keycloak since the full name (as well as the first and last name) and hence the CN are still empty on user creation:
10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
If I am not mistaken the way Keycloak creates users is by first creating an ‘empty’ user with only the username set and after that the user is updated with all user attributes like firstname, last name, email etc.
The only workaround we can find is to add an attribute mapper that maps the Keycloak username field to the CN LDAP/AD attribute. This works OK, but it is different from how AD treats the CN, which is as the full name and not the user name.
Shall I create a JIRA issue for this?
cheers
8 years, 11 months
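The failure above comes down to how the CN for the new entry's DN is derived. Here is an added example, not Keycloak's code, that reproduces the blank-CN DN from the log line (cn= ,ou=Customers,dc=hf,dc=info,dc=nl) and shows two ways out: refuse to create the entry until a non-empty CN can be derived, or fall back to the username, which is the workaround described in the post. It also escapes the RDN value per RFC 4514, which matters for security: a first or last name containing a comma would otherwise inject an extra RDN into the DN. The base DN is taken from the post's log line; the usernames and names are constructed.

```python
"""Added example (not Keycloak's code): deriving and escaping the CN that
goes into a new LDAP/AD entry's DN.

The failing DN in the post, cn= ,ou=Customers,dc=hf,dc=info,dc=nl, is what a
CN built from an empty full name looks like. This reproduces that failure
mode and shows two ways out: refuse to create the entry until a non-empty CN
can be derived, or fall back to the username (the post's workaround)."""

# Characters that must be escaped anywhere inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def derive_cn(username: str, first_name: str = '', last_name: str = '',
              fallback_to_username: bool = False) -> str:
    """Build the CN the way a full-name mapper would (first + last).
    With only a username available, either fall back to it or refuse."""
    full_name = ' '.join(p for p in (first_name.strip(), last_name.strip()) if p)
    if full_name:
        return full_name
    if fallback_to_username and username.strip():
        return username.strip()
    raise ValueError('refusing to create LDAP entry: CN would be empty')


def user_dn(cn: str, base_dn: str) -> str:
    """Compose the entry DN from an escaped CN and the parent container."""
    return f'cn={escape_rdn_value(cn)},{base_dn}'


BASE_DN = 'ou=Customers,dc=hf,dc=info,dc=nl'  # container from the post's log line


def demo() -> dict:
    results = {}
    # Case 1: the post's situation, the user is created with only a username.
    try:
        derive_cn('jdoe')
    except ValueError as exc:
        results['blank'] = str(exc)
    # Case 2: the post's workaround, map the username to CN.
    results['fallback'] = user_dn(derive_cn('jdoe', fallback_to_username=True), BASE_DN)
    # Case 3: a full name is available; the comma in the surname is escaped.
    results['full'] = user_dn(derive_cn('jdoe', 'John', 'Doe, Jr.'), BASE_DN)
    return results


if __name__ == '__main__':
    for case, value in demo().items():
        print(f'{case}: {value}')
```

Whichever attribute ends up in the RDN, validate it is non-empty and escape it before the add operation; a directory server will reject `cn= ` as here, but it will happily accept an unescaped comma and create the entry somewhere other than where you intended.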
mongodb 3.0 scram-sha security
by Dean Peterson
Does keycloak v1.3.1 support mongodb 3.0 and its new default scram-sha security? If not, do later versions support it?
8 years, 11 months
Accessing Google OAuth tokens when using Keycloak
by Reed Lewis
First: Thanks for a great, well designed solution. Keycloak looks like it is going to do exactly what we need.
I do have a question though. If we use Google as an identity provider, is there a way to "piggyback" on that authentication to be able to retrieve a token for accessing Google Drive contents, for example, without the user having to log in again?
Here is my workflow:
1. User goes to our webserver.
2. User is presented a login page from Keycloak
3. User clicks Google
4. User logs into Google
5. User is redirected back to Keycloak’s webpage
6. User is redirected back to our webserver.
Now what we also want to do is use the workflow documented here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en to get a token for google drive access.
Is this possible? Or am I doing something wrong? Or am I going about this the wrong way? We need to authenticate the user in our Keycloak, but we also want to let the user’s application directly access the user’s Google Drive data.
Thank you.
Reed Lewis
8 years, 11 months
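For the flow above, Keycloak can keep the token it received from Google during the brokered login and hand it to the application afterwards. The following is an added example, not Keycloak's or Google's code, of fetching that stored token and checking it before using it against Drive. It assumes the realm's Google identity provider has "Store Tokens" enabled and the alias "google", that the user holds the read-token role of the broker client, and that the Drive scope was added to the provider's default scopes so Google actually granted it at login. It also assumes Keycloak's broker token endpoint returns Google's token response as JSON; the sample body, realm name, hostname and token strings are constructed.

```python
"""Added example (not Keycloak's or Google's code): fetching the Google token
Keycloak stored during a brokered login and checking it before calling the
Drive API.

Assumptions: the realm's Google identity provider has "Store Tokens" on and
the alias "google"; the user holds the read-token role of the broker client;
the Drive scope was added to the provider's default scopes so Google granted
it at login. Keycloak's broker token endpoint is assumed to return Google's
token response as JSON. The sample body below is constructed, not captured."""
import json
import time
import urllib.request
from typing import Callable, Optional

DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive.readonly'


def broker_token_url(base_url: str, realm: str, alias: str) -> str:
    """Endpoint that returns the external IdP token stored for the caller."""
    return f'{base_url.rstrip("/")}/realms/{realm}/broker/{alias}/token'


def fetch_stored_token(url: str, keycloak_access_token: str,
                       http_get: Optional[Callable[[str, dict], str]] = None) -> dict:
    """GET the stored token, authenticating with the Keycloak access token.
    http_get(url, headers) -> body is injectable so the demo runs offline."""
    headers = {'Authorization': f'Bearer {keycloak_access_token}',
               'Accept': 'application/json'}
    if http_get is None:
        def http_get(u: str, h: dict) -> str:
            req = urllib.request.Request(u, headers=h)
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode('utf-8')
    return json.loads(http_get(url, headers))


def usable_drive_token(stored: dict, issued_at: float,
                       now: Optional[float] = None, skew: int = 30) -> Optional[str]:
    """Return Google's access_token only if it carries the Drive scope and has
    not expired. Google reports expires_in relative to issue time, so the
    caller has to remember when the token was obtained."""
    if DRIVE_SCOPE not in set(stored.get('scope', '').split()):
        return None  # Drive was never granted: request the scope at login
    now = time.time() if now is None else now
    if issued_at + int(stored.get('expires_in', 0)) <= now + skew:
        return None  # expired: refresh (needs refresh_token) or log in again
    return stored.get('access_token')


# Constructed sample in the shape of a Google token response.
SAMPLE_STORED = json.dumps({
    'access_token': 'ya29.example-access-token',
    'expires_in': 3600,
    'scope': 'openid email profile ' + DRIVE_SCOPE,
    'token_type': 'Bearer',
    'id_token': 'eyJ.example.idtoken',
})


def demo() -> tuple:
    url = broker_token_url('https://sso.example.com/auth', 'myrealm', 'google')
    stored = fetch_stored_token(url, 'kc-access-token',
                                http_get=lambda u, h: SAMPLE_STORED)
    fresh = usable_drive_token(stored, issued_at=1_000_000, now=1_000_100)
    stale = usable_drive_token(stored, issued_at=1_000_000, now=1_003_700)
    return url, fresh, stale


if __name__ == '__main__':
    print(demo())
```

Two checks are worth keeping whatever client you write: confirm the Drive scope is actually in the stored token's scope list (Google only grants what was asked for at login), and treat the stored token as short-lived, since Keycloak returns whatever Google issued and does not refresh it for you.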
Logout problems
by Charles Queiroz
Hi Folks!
I have a little problem with logout on Keycloak (version: 1.8.0.RC3). I have a Java EE 7 application + AngularJS, and a REST API. When I put the logout URL like:
<a href="https://ssoserver.dazen.com.br:8443/auth/realms/dazen/protocol/openid-con..."><span translate>ADMIN.TOOLBAR.LOGOUT</span></a>
in an <a> HTML tag, the session is logged out on Keycloak, but the JSESSIONID in cookie storage is not cleared.
See:
In the Keycloak server the session is destroyed, but not in the browser.
How can I make this logout work correctly?
Regards,
Charles Queiroz
Dazen™ IT Services
Technology - Software Development
charles(a)dazen.com.br
Fortaleza - CE
Phone: +55 85 9933 1585
Twitter: @CharlesQueiiroz
8 years, 11 months
About "HTTP-POST Binding for AuthnRequest" option
by Mai Zi
On the Identity Provider Settings page there is the option "HTTP-POST Binding for AuthnRequest". When I switch this option, in the exported XML the value of Binding for SingleLogoutService and AssertionConsumerService changes between HTTP-Redirect and HTTP-POST, like this:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ......> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="" index="1" isDefault="true" />
I don't understand this, because I think this binding method should be controlled by "HTTP-POST Binding Response". What do I misunderstand?
8 years, 11 months
Problem using SAML IdP
by Jérôme Blanchard
Hi,
I'm trying to integrate Keycloak into the French research identity federation (Renater) and I'm facing some problems.
Actually, when the IdP responds to Keycloak I'm getting the following error:
PL00084: Writer: Unsupported Attribute
Value:org.keycloak.dom.saml.v2.assertion.NameIDType
It seems that this IdP is using the transient NameID policy only, and using the unspecified field in the IdP config in Keycloak generates this exception in return.
The Keycloak server log is attached.
I have no idea what is happening, because when I was using the test federation everything was working, but now that I'm in the production federation, login fails.
The Renater federation is using Shibboleth and Keycloak is not supported by the federation moderators, so I'm alone in the dark now...
Renater provides an IdP list that I have to parse and synchronize with the IdPs in Keycloak. In return I provide a list of all endpoints for each Keycloak-registered IdP, to allow the federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed alongside Keycloak that uses the REST API to synchronize all the IdPs.
One of the IdP entity descriptors is attached. As you can see, only the transient NameID policy is supported, and if I configure Keycloak to use email or persistent, I receive a response saying that the NameID is not supported:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..."
    Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
    IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..."
    ID="_9d03761957aade819b6823c35bbab278"
    InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
    IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>
Any help would be gratefully appreciated.
Thanks a lot, Jérôme.
8 years, 11 months
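Both SAML threads above come down to reading what the other side's metadata actually advertises: the NameIDFormat elements of the IdP descriptor in the Renater case, and the Binding attribute on each endpoint in the "HTTP-POST Binding for AuthnRequest" thread. The following is an added example, not Keycloak's code, that extracts both from a metadata document, picks a NameID format the IdP supports instead of guessing, and pulls the actionable status code (InvalidNameIDPolicy) out of a failed Response the way the exchange above shows it nested under the generic Responder code. All XML in the block is constructed for the example and modelled on the messages in the thread; entity IDs and URLs are placeholders. The metadata is assumed to be trusted (fetched over TLS from the federation); a real Response must be signature-verified before anything in it, including its status, is believed.

```python
"""Added example (not Keycloak's code) covering the two SAML threads above:
reading which NameID formats and endpoint bindings a metadata document
actually advertises, and pulling the actionable status code out of a failed
Response such as the InvalidNameIDPolicy one Renater returned.

The XML below is constructed for this example, modelled on the messages in
the thread; entity IDs and URLs are placeholders. Metadata parsed here is
assumed to be trusted (fetched over TLS from the federation); a real
Response must be signature-verified before anything in it is believed."""
import xml.etree.ElementTree as ET

NS = {
    'md': 'urn:oasis:names:tc:SAML:2.0:metadata',
    'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
}
TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# What the SP would prefer, most useful for account linking first.
PREFERRED = [
    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    TRANSIENT,
]
ENDPOINTS = ('SingleSignOnService', 'SingleLogoutService', 'AssertionConsumerService')


def _short(uri: str) -> str:
    """Last segment of a SAML URN, e.g. 'HTTP-POST' or 'InvalidNameIDPolicy'."""
    return uri.rsplit(':', 1)[-1]


def supported_nameid_formats(metadata: str) -> list:
    root = ET.fromstring(metadata)
    return [e.text.strip() for e in root.iterfind('.//md:NameIDFormat', NS) if e.text]


def choose_nameid_format(metadata: str) -> str:
    """Pick the first preferred format the IdP lists. An empty list means the
    IdP did not say, so send no Format (unspecified) rather than guessing."""
    supported = supported_nameid_formats(metadata)
    if not supported:
        return ''
    for fmt in PREFERRED:
        if fmt in supported:
            return fmt
    raise ValueError(f'no common NameID format; IdP offers {supported}')


def endpoint_bindings(metadata: str) -> dict:
    """Map each endpoint element name to the list of Binding values it uses."""
    root = ET.fromstring(metadata)
    out = {}
    for tag in ENDPOINTS:
        for e in root.iterfind(f'.//md:{tag}', NS):
            out.setdefault(tag, []).append(_short(e.get('Binding', '')))
    return out


def response_status(response_xml: str) -> tuple:
    """Return (top_code, nested_code, message). The specific reason sits in a
    StatusCode nested under the generic Responder/Requester code."""
    root = ET.fromstring(response_xml)
    top = root.find('samlp:Status/samlp:StatusCode', NS)
    nested = top.find('samlp:StatusCode', NS) if top is not None else None
    msg = root.find('samlp:Status/samlp:StatusMessage', NS)
    return (
        _short(top.get('Value', '')) if top is not None else '',
        _short(nested.get('Value', '')) if nested is not None else '',
        ' '.join(msg.text.split()) if msg is not None and msg.text else '',
    )


IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

FAILED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2015-12-22T16:13:16Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required
NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""


def demo() -> dict:
    return {
        'idp_formats': supported_nameid_formats(IDP_METADATA),
        'use_format': choose_nameid_format(IDP_METADATA),
        'bindings': endpoint_bindings(IDP_METADATA),
        'status': response_status(FAILED_RESPONSE),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

Running this against the constructed IdP descriptor returns transient as the only usable format, which is why the emailAddress NameIDPolicy in the request above is answered with InvalidNameIDPolicy. Applied to an SP descriptor exported from Keycloak, endpoint_bindings shows directly which Binding each AssertionConsumerService and SingleLogoutService carries, so a configuration switch can be checked against the exported XML rather than inferred.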
'attr' attribute in rest api
by Jeremy Simon
I'm trying to figure out what I should even think of putting for {attr}... the API docs don't describe it.
Get a keystore file for the client, containing private key and public
certificate
POST /admin/realms/{realm}/clients/{id}/certificates/{attr}/download
8 years, 11 months
Realms using certificate files, not autogenerated keys
by Jeremy Simon
Hi,
I'd like my realm(s) to pull from a keystore file instead of the
autogenerated keys in the UI, but I'm not quite sure how to pull it
off.
In 8.1 (General Adapter Config), you can set a client-keystore, but it doesn't seem like what I'm looking for... nor is it clear if you just name it whatever you please or if this goes in keycloak-server.json ("Each adapter supported by Keycloak can be configured by a simple JSON text file"... not descriptive enough). But like I said, this doesn't seem like the right place / scenario.
Any direction would be greatly appreciated!
jeremy
jeremy(a)jeremysimon.com
www.JeremySimon.com
8 years, 11 months