User federation from multiple LDAP servers
by Georgijs Radovs
Hello everyone!
Is it possible to set up User Federation from multiple replicating LDAP
servers?
For example:
We have 2 FreeIPA servers, which are replicating between each other.
And, we have 2 Keycloak servers in standalone-ha mode, using S3_PING
session failover.
How to add second FreeIPA server to User Federation?
We've tried to add second LDAP server in User Federation and set lower
priority for it, but when user account sync happens, Keylcoak server
shows, that user account from FreeIPA server 2 is already linked to
FreeIPA server 1.
--
<https://www.youtube.com/watch?v=bs0V2F06liw>
9 years
Passing Data to Registration Fields
by Raghu Laghuvaram
I am trying to use direct registration link and I want to pass some of the
fields from my application, is it possible to pass fields such as First
Name, Last Name and other custom fields if needed?
Thanks,
Deepu
9 years
Session cookie settings overwritten by undertow keycloak adapter
by Goworek Krzysztof INNE
Hello all,
I am developing a web application using Keycloak on JBoss EAP7 (Wildfly 10, Undertow). We have migrated recently from EAP6.4 and now I’ve got several issues to solve.
One of them is session cookie configuration in web.xml which used to work, but now is completely ignored.
After further investigation it looks that keycloak-undertow-adapter module is overwriting existing settings with uninitialized configuration object (). All of this is done in KeycloakServletExtension class (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/undertow/s...), lines 177-179 on master.
Can somebody tell me whether this is a bug or maybe this was done on purpose? Can I in any way reconfigure these settings somehow later?
From the code it does not seem to read any configuration values, it just sets cookie path basing on context path and leaves the rest fields uninitialized. I would expect it sets the path and copies the rest from “servletSessionConfig” field.
Am I missing something?
Krzysztof
9 years
regarding custom attributes and mapping resources to users
by Avinash Kundaliya
Hello Community,
I am fairly new to using keycloak and still getting immersed into the
authentication and authorization jargons. I have some basic queries that
i am curious about.
* Regarding the custom attributes for each user
(https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us...).
Is this something that a user can edit for themselves or is
something for an administrator to manage custom content for the
user? Basically, as an administrator can I put information that
should be hidden from the user as a custom attribute ?
* My second question is more about architecture of applications with
authentication and authorization. What are the best practices to map
roles to specific resources? For example if i have a role called as
shop_owner how do i map a user with that role to a specific shop
(for example). Is this something that keycloak has defined
structures for ? How can i achieve such a structure with keycloak
and with/without using the keycloak authorization/resource services.
Looking forward to some constructive discussions and some answers to the
basic issues I have.
Regards,
Avinash
9 years
Update passwords with old hash algorithm
by Danny Trunk
Hello everybody,
I've already implemented a custom Password Hash SPI which encodes and
verifies encoded passwords with an old hash algorithm.
Now I would like to update those passwords with a new hash algorithm as
I have access to the raw password in the Password Hash SPI (Keyword:
self-healing process).
Which possibilities do I have?
Best regards
Danny.
9 years
Create access to secured data for user
by adam.michalski@aol.com
Hi.
My name is Adam and I am new to keycloak.
I want to create link/access point where user does'n input his password or send his secret in angular 2 application + rest client secured by keycloak. This access is for specified part of data but temporary not single access.
What possibilities keycloak gives to resolve this feature?
I think about generating token in other application on server and send it to user by email. This way I can use client secret.
How to generate valid token accepted in keycloak without connection with it? But is this good approach? If it is what can I use to create this in best way?
Can send request to keycloak for this kind of token for specified client for user requested?
Adam Michalski
9 years
is resource owner username or userid
by uğur kolip
Hi,
I use keycloak 2.4.0.Final with spring boot adapter, and authz-client
-authz-admin.
When i set owner , i set (getAccessToken().getPreferredUsername()) (my user
name, admin )
But when i try to get resource owner
($evaluation.getPermission().getResource().getOwner()), it returns userid
not username.
is it wrong ? or do you these purposely ?
is username unique ? why does we use username ?
thank you for helping
9 years
Re: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production?
by Aikeaguinea
We have also been having difficulty getting an evaluation version of
RH-SSO without contacting sales. Not only is there not a "Start
Evaluation" link next to Red Hat SSO, but if I log in with a Red Hat
account and try the "Download Latest" option on the pulldown I get a
"You do not have access to the requested software" response.
This is particularly annoying because if you contact Red Hat sales they
then refer you to a reseller, and you still can't get a download before
interacting with the third party. Honestly, based on our interaction so
far it's as if they don't want to sell the product.
On Wed, Dec 21, 2016 at 10:09 AM, Raghu Laghuvaram
<deepu.laghuvaram(a)gmail.com> wrote:
Stian Thorgersen,
Thanks for your response and information.
You said we can evaluate the RH-SSO, but when I go to
https://access.redhat.com/downloads/ I dont see an option as "Start
Evaluation" for Red Hat Single Sign-On, am I looking at wrong place?
On Wed, Dec 21, 2016 at 12:55 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> You can evaluate RH-SSO without contacting sales. It's available at
> http://access.redhat.com/. Sales may be able to give you some customer
> references if you ask them.
>
> FIY RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO
> 7.1.0.GA will be based on Keycloak 2.5.z.Final.
>
> On 20 December 2016 at 19:16, Raghu Laghuvaram <deepu.laghuvaram(a)gmail.com
> > wrote:
>
>> Josh Cain,
>> Thanks for your response, If possible would you be able to let us
>> know if there any clients(retail) using RH-SSO in production other than
>> Red
>> Hat? And coming to RH-SSO, I dont see an option for evaluating it, I think
>> I need to contact sales even for that. I will talk to my leadership and
>> proceed further.
>>
>> Thanks,
>> Deep.
>>
>> On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain <jcain(a)redhat.com> wrote:
>>
>> > Hi Raghu,
>> >
>> > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.)
>> > uses RH-SSO (the enterprise bits for Keycloak), and it has done very
>> > well overall as a solution.
>> >
>> > If you're wanting to know more about enterprise level support, I'd
>> > contact sales and strongly consider RH-SSO over Keycloak.
>> >
>> > --
>> > Josh Cain | Software Applications Engineer
>> > Identity and Access Management
>> > Red Hat
>> > +1 256-452-0150
>> >
>> > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote:
>> > > We are evaluating Keycloak as SSO solution for our retail application
>> > > and
>> > > we would like to know if there are any clients using Keycloak SSO
>> > > solution
>> > > in their production? It would gie us a lot of confidence if we know
>> > > that
>> > > some one are already using in their production.
>> > >
>> > >
>> > > Thanks,
>> > > Deep
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user(a)lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
http://www.fastmail.com - Does exactly what it says on the tin
9 years
Running into an issue with login.ftl in a custom-made theme
by David Gomes
Good day,
I am writing my own Keycloak theme and I am using the Sunrise
<https://github.com/keycloak/keycloak/tree/master/examples/themes/src/main...>
example theme as a starting point.
It seems, however, that when I create a sunrise/login/login.ftl file, such
as the one in the base theme, this file doesn't actually get used for
rendering the login form.
I tried to edit the base theme instead and edit its login/login.ftl. It
seems that editing this file has no effect at all. I wrote this in the file
and the login page for the base theme remained exactly the same.
<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=social.displayInfo; section>
</(a)layout.registrationLayout>
Editing CSS, template.tfl and other things works, but editing the
theme/login/login.ftl has no effect at all.
The relevant settings for my Realm are the following:
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"requiredCredentials": [ "password" ]
In the Keycloak administration console, editing the current theme works
perfectly fine as well, but I'm not being able to edit the actual login
form in any of the example themes. I tried other files such as register.ftl and
editing this one works perfectly fine.
David Gomes
MemSQL
9 years
Technical Guidance
by Dana Danet
I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and Oauth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services.
My question is regarding offloading offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like
( Customer on premise AuthN) —> Ping —> Keycloak. Ping has been introduced purely as an SP to handle customers implementations of Shibboleth and Incommon. Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
Is this possible? I would appreciate some guidance here.
-dana
9 years
