active directory | change password after first login and account expiration
by lists
Hi,
We have connected Keycloak to our Active Directory (Samba4-based) and
selected the "MSAD account controls" under mappings.
I thought this would give us access to dialogues like "Your password is
about to expire in X days. Would you like to change it now?" or "You
need to change your password after your first logon", etc.
This does not seem to happen here. Is there anything else we need to do
to get this functionality?
MJ
7 years, 4 months
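The dialogues asked about above all derive from a handful of Active Directory attributes. The following is an added example, not part of the original post and not Keycloak's MSAD mapper code: it decodes those attributes (userAccountControl bits, pwdLastSet, lockoutTime, accountExpires, plus the domain's maxPwdAge) into the decisions an identity provider would have to make, including the "expires in X days" figure. The sample entries and the 42-day maxPwdAge are constructed for the demo; the bit values and the FILETIME encoding are the documented AD ones.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags, per Microsoft's documentation of the attribute
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

# accountExpires values that mean "never expires"
NEVER = (0, 0x7FFFFFFFFFFFFFFF)
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, so the round trip is lossless
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def account_state(entry: dict, max_pwd_age: timedelta, now: datetime) -> dict:
    """Derive the account-control state an IdP would act on from one AD entry.

    entry holds the raw integer attribute values as LDAP returns them.
    max_pwd_age is the domain's maxPwdAge as a positive interval (AD stores it
    as a negative FILETIME interval on the domain object).
    """
    uac = int(entry.get("userAccountControl", 0))
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    lockout_time = int(entry.get("lockoutTime", 0))
    expires = int(entry.get("accountExpires", 0))

    never_expires = bool(uac & DONT_EXPIRE_PASSWORD)
    # pwdLastSet == 0 is how AD records "user must change password at next logon";
    # PASSWORD_EXPIRED is a computed bit the DC sets once the password has aged out.
    must_change = pwd_last_set == 0 or bool(uac & PASSWORD_EXPIRED)

    days_left = None
    if not never_expires and pwd_last_set > 0:
        expiry = filetime_to_datetime(pwd_last_set) + max_pwd_age
        days_left = (expiry - now).days  # negative once the password has expired
        if days_left < 0:
            must_change = True

    return {
        "disabled": bool(uac & ACCOUNTDISABLE),
        # lockoutTime is authoritative; the LOCKOUT bit in userAccountControl is not reliably set
        "locked": lockout_time > 0,
        "must_change_password": must_change,
        "password_days_left": days_left,
        "account_expired": expires not in NEVER and filetime_to_datetime(expires) <= now,
    }


# Constructed sample entries (not real directory data); 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2016, 12, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=42)
SAMPLE = {
    "alice": {"userAccountControl": 0x200, "pwdLastSet": 0, "accountExpires": 0},
    "bob": {"userAccountControl": 0x200,
            "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=40)),
            "accountExpires": 0x7FFFFFFFFFFFFFFF},
    "carol": {"userAccountControl": 0x202,
              "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1)),
              "accountExpires": datetime_to_filetime(NOW - timedelta(days=3))},
    "dave": {"userAccountControl": 0x10200,
             "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
             "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5)),
             "accountExpires": 0},
}


def report(samples=SAMPLE, now=NOW, max_pwd_age=MAX_PWD_AGE) -> dict:
    return {name: account_state(e, max_pwd_age, now) for name, e in samples.items()}


if __name__ == "__main__":
    for name, state in report().items():
        print(name, state)
```

Note that "expires in X days" needs maxPwdAge from the domain object (or a fine-grained password policy), which is not a per-user attribute; whatever reads the user entry has to fetch it separately, and a pwdLastSet of 0 must be treated as "change now", not as a password set in 1601.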
Weird Behavior When Importing from UI
by Roger Turnau (US - Advisory)
Hi,
I just noticed some weird behavior when attempting to import from the UI. I
exported my current H2 database using the following command:
standalone.bat -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=c:\opt\keycloak\keycloak-data.json
There are two realms in the resulting file -- master and one I have created.
From the command line, I can import and export just fine. When I try to
import the second realm from the Keycloak UI, however, I can't see that
realm in the upper left side drop-down. I confirmed in the database that
the realm was imported, but there doesn't appear to be any way to navigate
to it.
Is this a known issue? I wasn't able to find anything in JIRA.
Thanks,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
7 years, 4 months
Keycloak - Managing multiple values from a single attribute from FreeIPA.
by Georgijs Radovs
Hello everyone!
Is it possible to display multiple values from "ipaSshPubKey" attribute
from FreeIPA in Keycloak user account portal?
For example:
User account in FreeIPA has 3 SSH public keys stored as values in
"ipaSshPubKey" attribute.
Is it possible to fetch these 3 SSH public keys and display them in user
account portal?
The main goal I want to achieve is for users who have multiple SSH
public keys in their FreeIPA user accounts to be able to manage them from
the Keycloak user portal.
7 years, 4 months
synchronize Users in old database with keycloak Database
by Celso Agra
Hi all,
My question is about how I can synchronize my old database, which contains
users from another system, with Keycloak (kc).
I'm trying to migrate my authentication software (legacy) to Keycloak, but
I'd like to keep the old users synchronized with the kc database.
If I use Service Provider Interfaces (SPI), I'll keep all users updated
from Keycloak info. But what about the reverse path? Is there a way to
update Keycloak with users from another database?
Thank you.
Best regards,
Celso Agra
7 years, 4 months
Custom entity mapping to User entity
by Eriksson Fabian
Hello!
We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. At the moment we are looking into whether Keycloak fits all of our requirements and, if it doesn't, how we can modify it to fit our needs.
So, we need to add our own entities to Keycloak (which we've seen is possible), but we also have to map some of these entities to the already existing User entity and, in the end, have it included inside the ID token.
If this is possible, could you maybe give us a short description of how to do this? That would be much appreciated.
Best Regards
Fabian Eriksson
7 years, 4 months
Keycloak 2.4 SSSD Provider setup for FreeIPA
by Scott Poore
Hi,
I am trying to set up Keycloak version 2.4.0 with FreeIPA integration using the SSSD Provider. I am following the Server Administration Guide, but I'm hitting an error. I'm not sure if it's a bug or a configuration issue on my part.
This is the link I was following:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
The difference in setup, though, is that I'm not using the Docker image. Instead I'm using a separate FreeIPA master server that I have set up as a separate VM. I have confirmed that SSSD-DBUS is working:
[root@idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
array [
string "ipausers"
]
For the SP, I setup a basic Apache setup with mod_auth_mellon using
keycloak-httpd-client-install \
--client-originate-method registration \
--keycloak-server-url https://idp.keycloak.test:8443 \
--keycloak-admin-username admin \
--keycloak-admin-password PASSWORD \
--app-name testapp \
--keycloak-realm test_realm \
--mellon-root mroot \
--mellon-protected-locations "/mroot/private" \
--force
When I try to login to the SP, it redirects as expected to the Keycloak server and waits for a while before returning:
Internal Server Error
From the httpd access log I can see:
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
From the admin console, I can see what appears to be an active session for the client.
From the Keycloak server.log I can see:
2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
2016-12-01 14:14:31,578 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
Leaving out the traceback for brevity. I can send that if needed/wanted.
When I log out of the session, set the SSSD debug_level to 9 and restart sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can provide the SSSD logs if it helps.
So, how do I go about troubleshooting this issue? Are there any steps missing from the SSSD Provider doc?
Thanks,
Scott
--
Scott Poore <spoore(a)redhat.com>
Principal Quality Assurance Engineer
Red Hat, Inc.
7 years, 4 months
Limit amount of active sessions
by Matuszak, Eduard
Hello
Is it possible to limit the number of active sessions a user can have? It would be appropriate for some of our use cases to restrict the maximum number of sessions to 1, where in case of a repeated direct-access login either the token of the (still) active session should be returned or, alternatively, additional logins should be rejected while an active token is on hand.
Best regards, Eduard Matuszak
7 years, 4 months
Keycloak impersonate
by GRMAN, Tomas
Hi Marek, is it possible to disable (or completely remove) the Keycloak impersonate function?
I understand that it is a nice feature for troubleshooting, but in our case (for one security-sensitive app) it represents a big issue, because an admin can access sensitive data as the impersonated user.
I found that it is possible to manage that using a dedicated role (impersonation), but in our case it is not sufficient (it could be added directly in the database, I guess).
Thanks for any advice.
Tomas
7 years, 4 months
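Both the realm export discussed in "Weird Behavior When Importing from UI" above and this question come together in one practical check: the exported keycloak-data.json is a convenient place to audit who actually ends up with realm-management/impersonation, whether directly, through a composite role such as realm-admin, or through a group. The script below is an added example, not Keycloak's own code and not from either poster; it assumes the singleFile export layout (a realm object or a list of them, with "roles", "groups", "subGroups", "users", "realmRoles", "clientRoles" and "composites" keys), and the embedded export fragment is constructed for the demo.

```python
import json

TARGET = ("client", "realm-management", "impersonation")


def _composites(role):
    """Roles contained in a composite role, as (kind, client_id, name) keys."""
    out = set()
    comp = role.get("composites", {}) if role.get("composite") else {}
    out |= {("realm", None, n) for n in comp.get("realm", [])}
    for client_id, names in comp.get("client", {}).items():
        out |= {("client", client_id, n) for n in names}
    return out


def _composite_index(realm):
    """Map every role key in the export to the keys it is composed of."""
    idx = {}
    roles = realm.get("roles", {})
    for r in roles.get("realm", []):
        idx[("realm", None, r["name"])] = _composites(r)
    for client_id, client_roles in roles.get("client", {}).items():
        for r in client_roles:
            idx[("client", client_id, r["name"])] = _composites(r)
    return idx


def _expands_to_target(key, idx, seen=None):
    """Depth-first walk through composites; `seen` guards against cycles."""
    if key == TARGET:
        return True
    seen = set() if seen is None else seen
    if key in seen:
        return False
    seen.add(key)
    return any(_expands_to_target(k, idx, seen) for k in idx.get(key, ()))


def _granted_keys(holder):
    """Direct realm and client role grants of a user or group representation."""
    keys = {("realm", None, r) for r in holder.get("realmRoles", [])}
    for client_id, names in holder.get("clientRoles", {}).items():
        keys |= {("client", client_id, n) for n in names}
    return keys


def _groups_by_path(groups, prefix=""):
    """Flatten the group tree into {"/parent/child": group_representation}."""
    out = {}
    for g in groups:
        path = f"{prefix}/{g['name']}"
        out[path] = g
        out.update(_groups_by_path(g.get("subGroups", []), path))
    return out


def impersonators(realm):
    """Return {username: how} for users who end up with the impersonation role."""
    idx = _composite_index(realm)
    groups = _groups_by_path(realm.get("groups", []))
    found = {}
    for user in realm.get("users", []):
        hit = next((k for k in _granted_keys(user) if _expands_to_target(k, idx)), None)
        if hit:
            found[user["username"]] = f"role {hit[2]}"
            continue
        for path in user.get("groups", []):
            if any(_expands_to_target(k, idx) for k in _granted_keys(groups.get(path, {}))):
                found[user["username"]] = f"group {path}"
                break
    return found


def audit_export(text):
    """Accept the singleFile export as one realm object or a list of realms."""
    data = json.loads(text)
    return {r["realm"]: impersonators(r) for r in (data if isinstance(data, list) else [data])}


# Constructed export fragment for the demo; not a real keycloak-data.json.
SAMPLE_EXPORT = json.dumps([{
    "realm": "test_realm",
    "roles": {"client": {"realm-management": [
        {"name": "impersonation"},
        {"name": "view-users"},
        {"name": "realm-admin", "composite": True,
         "composites": {"client": {"realm-management": ["impersonation", "view-users"]}}},
    ]}},
    "groups": [{"name": "ops", "subGroups": [
        {"name": "helpdesk", "clientRoles": {"realm-management": ["impersonation"]}}]}],
    "users": [
        {"username": "alice", "clientRoles": {"realm-management": ["realm-admin"]}},
        {"username": "bob", "groups": ["/ops/helpdesk"]},
        {"username": "carol", "clientRoles": {"realm-management": ["view-users"]}},
    ],
}])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(json.dumps(audit_export(text), indent=2))
```

Run it as `python audit.py c:\opt\keycloak\keycloak-data.json` against a fresh export; with no argument it runs on the embedded sample and reports alice (via the realm-admin composite) and bob (via /ops/helpdesk), but not carol. It is a detective control only: it sees what was in the database at export time, so an assignment written straight into the database afterwards is caught by the next export, not prevented.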