Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation
by Rafael Soares
I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's
FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync for new
users created on KC side (new registrations). When I enable the 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1@example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)
at
org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
at
org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)
at
org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)
at
org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)
at
org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid"
not allowed
""
----
It appears the FreeIPA LDAP server is refusing the attribute 'uid'.
Interestingly, the FreeIPA 'user_add' API operation states that the 'uid'
attribute is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this attribute
are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is attr=value.
The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3@example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3@example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3@EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC mappers
mechanism?
Thanks in advance.
[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
8 years, 3 months
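The trace above is a schema verdict, not a mapper problem: the entry Keycloak builds carries only objectclass=person (that is also the class in its search filter, i.e. the federation provider's "User Object Classes" setting), and the person class of RFC 4519 allows neither uid nor givenName; 389-ds then rejects the add with result code 65 because the RDN value uid=kc_user1 has to be part of the entry. The script below is an added example, not Keycloak or FreeIPA code: it replays that add against a hand-copied subset of the standard object classes and shows the same verdict, then the same registration with inetOrgPerson. Two caveats a practitioner would want: an entry written straight over LDAP bypasses the IPA management framework, so it will not get everything `ipa user-add` fills in (uidNumber, Kerberos principal, private group), and Sync Registrations needs a bind DN with write access to cn=users, which should be a dedicated account with no more rights than that.

```python
"""Offline check of an LDAP add against object-class schema (added example).

Not Keycloak or FreeIPA code. SCHEMA is a hand-copied subset of the standard
definitions (top, person, organizationalPerson: RFC 4519; inetOrgPerson:
RFC 2798; posixAccount: RFC 2307); a real 389-ds/FreeIPA server has far more.
"""
from collections import namedtuple

OBJECT_CLASS_VIOLATION = 65  # LDAP resultCode objectClassViolation (RFC 4511)

ObjectClass = namedtuple("ObjectClass", "sup must may")


def _oc(sup, must=(), may=()):
    return ObjectClass(sup, frozenset(must), frozenset(may))


# LDAP names are case-insensitive; everything here is lower-cased.
SCHEMA = {
    "top": _oc(None, must=["objectclass"]),
    "person": _oc("top", must=["sn", "cn"],
                  may=["userpassword", "telephonenumber", "seealso", "description"]),
    "organizationalperson": _oc("person", may=["title", "ou", "street", "l", "st",
                                               "postalcode", "postaladdress"]),
    "inetorgperson": _oc("organizationalperson",
                         may=["uid", "mail", "givenname", "displayname", "initials",
                              "employeenumber", "employeetype", "departmentnumber",
                              "preferredlanguage", "mobile", "pager", "manager"]),
    "posixaccount": _oc("top", must=["cn", "uid", "uidnumber", "gidnumber", "homedirectory"],
                        may=["userpassword", "loginshell", "gecos", "description"]),
}


def allowed_and_required(object_classes):
    """Union of MAY/MUST over each class and its superclass chain."""
    allowed, required = set(), set()
    for name in object_classes:
        while name is not None:
            oc = SCHEMA[name]
            allowed |= oc.must | oc.may
            required |= oc.must
            name = oc.sup
    return allowed, required


def check_add(dn, attrs):
    """Schema errors a server would raise for an add of `attrs` at `dn`.

    `attrs` maps attribute name -> list of values, as the trace prints them.
    The RDN value is part of the entry even when the client omits it, which is
    why the server complains about 'uid' although Keycloak never sent one.
    Empty values are treated as absent (an assumption; servers reject them too,
    but with a different result code).
    """
    entry = {k.lower(): [v for v in vals if v] for k, vals in attrs.items()}
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    entry.setdefault(rdn_attr.lower(), []).append(rdn_value)
    classes = [c.lower() for c in entry.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class '{c}'" for c in unknown]
    allowed, required = allowed_and_required(classes)
    errors = [f"attribute '{n}' not allowed" for n in sorted(entry) if n not in allowed]
    errors += [f"required attribute '{n}' missing" for n in sorted(required) if not entry.get(n)]
    return errors


def result_code(errors):
    return OBJECT_CLASS_VIOLATION if errors else 0


USERS_DN = "cn=users,cn=accounts,dc=example,dc=test"
# What the trace shows Keycloak sending with User Object Classes = person.
AS_TRACED = {"objectclass": ["person"], "givenname": [""], "sn": [""], "cn": [""]}
# The same registration with User Object Classes = inetOrgPerson and names filled in.
WITH_INETORGPERSON = {"objectclass": ["inetOrgPerson"], "givenname": ["KC"], "sn": ["User1"],
                      "cn": ["KC User1"], "mail": ["kc_user1@example.test"]}

if __name__ == "__main__":
    for label, attrs in (("person", AS_TRACED), ("inetOrgPerson", WITH_INETORGPERSON)):
        errs = check_add(f"uid=kc_user1,{USERS_DN}", attrs)
        print(f"{label}: result code {result_code(errs)} {errs}")
```

Adding posixAccount to the class list makes the checker demand uidNumber, gidNumber and homeDirectory as well, which is exactly what a raw LDAP add to FreeIPA would have to supply itself.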
Google Login Email Verification Error on Sending
by Harits Elfahmi
Hello all,
We tried to integrate keycloak with google login, and to reauthenticate we
send email verification to the user email. But when we tried the google
login process: login --> add existing user --> email failed to send with
the following error:
http://pastebin.com/eqytRtFp
Anyone know why this happens? Tried to find similar problems on google but
can't find any.
We use sendpulse.com as the SMTP server (with SSL), and in the login
setting we use enable request SSL for all requests, if that matters.
Thanks!
--
Cheers,
*Harits* Elfahmi
8 years, 4 months
When using Social Identity Provider, it failed with failure "Connection timed out"
by LI Ming
Hi,
When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error:
2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
Can you help to identify the failure reason?
Thanks,
Ming Li
8 years, 4 months
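The stack trace locates the failure precisely: it is not the browser's redirect to GitHub but the server-side call that Keycloak makes afterwards (AbstractOAuth2IdentityProvider$Endpoint.authResponse posting the code to the provider's token endpoint through HttpsURLConnection). "Connection timed out" there means the Keycloak host itself cannot open a TCP connection to github.com, typically because egress is filtered or an HTTP proxy is mandatory and the JVM does not know about it. The probe below is an added example, not Keycloak code; it classifies the failure the way a firewall engineer would read it and is meant to be run on the Keycloak host. The GitHub hosts named in it are the ones GitHub's OAuth flow uses (github.com for the token exchange, api.github.com for the user profile).

```python
"""TCP/TLS reachability probe for the broker's back-channel call (added example).

Not Keycloak code. Run it on the Keycloak server: the browser leg of social login
works from the user's network, the token exchange runs from here.
"""
import errno
import socket
import ssl


def probe(host, port=443, timeout=5.0, tls=True):
    """Return 'ok', 'dns-failure', 'timeout', 'refused', 'unreachable', 'tls-error' or 'error'."""
    try:
        candidates = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    verdict = "error"
    for family, socktype, proto, _, sockaddr in candidates:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            if tls:  # also checks that this machine's trust store accepts the chain
                with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                    pass
            return "ok"
        except (socket.timeout, TimeoutError):
            verdict = "timeout"        # SYN dropped: egress firewall, no route, black hole
        except ConnectionRefusedError:
            verdict = "refused"        # host reached, nothing listening (or a filter sent RST)
        except ssl.SSLError:
            verdict = "tls-error"      # handshake failed: interception proxy, bad chain, clock
        except OSError as exc:
            verdict = "unreachable" if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH) else "error"
        finally:
            sock.close()
    return verdict


# Helpers so the probe can be exercised without leaving the machine.
def local_listener():
    """Open a listening socket on an ephemeral loopback port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Bind and immediately release a loopback port, so a connect to it is refused."""
    srv, port = local_listener()
    srv.close()
    return port


if __name__ == "__main__":
    # github.com serves the token endpoint, api.github.com the user profile.
    for host in ("github.com", "api.github.com"):
        print(host, probe(host))
```

If the probe only succeeds through a proxy, the JVM running Keycloak has to be started with -Dhttps.proxyHost and -Dhttps.proxyPort (plus -Dhttp.nonProxyHosts for internal addresses); HttpsURLConnection, which the trace shows in use, honours those system properties.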
Does Keycloak have any provision for defining role based user associations ?
by Andrew Voumard
Hi,
Suppose I have the following user / role model:
1. A user can have a role of: regular, admin, or super
2. There must be 1 super, and there can be 0..n admin and 0..m regular users
3. A regular user is associated with 1 admin user
For this usage model, would there be any way in Keycloak, that I could arbitrarily associate a regular user with an admin user, and then perform REST queries such as "find all regular users for a given admin user", and "find the admin user for a given regular user"?
Thanks
8 years, 4 months
Multi-org salesforce with single realm keycloak
by Jesse Chahal
Hi,
I'm back again. I'm trying to figure out how to scale Identity Providers.
We are planning on trying to integrate our App1 with salesforce. A
user who logs into salesforce should be able to have a native feel of
our App1 within it. To do this we'll probably have to end up building
salesforce native apps. For every salesforce organization/licensee we
will have to register an Identity provider with keycloak to make sure
they can correctly use App1. Some configuration options we came up
with are listed below. Has anyone else solved a similar problem?
OPTION 1
########################################################
# Keycloak
#
# ---> master realm
#
# ---> realm 1
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org1_saml2.0_identity_provider #
# --- ---> salesforce_org2_saml2.0_identity_provider #
#
#
# Salesforce
#
# ---> org1
#
# ---- ----> salesforce_appX (uses App1)
#
# ---> org 2
#
# ---- ----> salesforce_appX (uses App1)
#
# ---- ----> salesforce_appY (uses App1)
#
# .....
#
#
#
# App 1
#
# ---> OpenID to realm1 (using adapter)
#
########################################################
benefits
- single login page
- single realm
cons
- login page with infinite number of identity provider buttons present
OPTION 2
########################################################
# Keycloak
#
# ---> master realm
#
# ---> realm 1
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org1_saml2.0_identity_provider #
# ---> realm 2
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org2_saml2.0_identity_provider #
#
#
# Salesforce
#
# ---> org1
#
# ---- ----> salesforce_appX (uses App1)
#
# ---> org 2
#
# ---- ----> salesforce_appX (uses App1)
#
# ---- ----> salesforce_appY (uses App1)
#
# .....
#
#
#
# App 1
#
# ---> OpenID to realm1, realm2, realm#.... (using adapter) #
########################################################
benefits
- single salesforce button per login page
- users are more isolated in single realm
cons
- very hard to get App1 to support multiple realms (no adapter or
keycloak support)
8 years, 4 months
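The con listed under OPTION 1, a login page with one button per Salesforce org, can be avoided without leaving the single realm: Keycloak's authorization endpoint accepts a kc_idp_hint query parameter, and when it names a configured identity-provider alias Keycloak redirects to that provider directly instead of rendering the login page. The example below is added here and is not Keycloak or Salesforce code; the org table, aliases, realm, client and URLs are assumptions. The point it makes is that the hint must be derived server-side from something App1 already trusts about the org, through a fixed table, never from a user-supplied parameter passed through unchecked.

```python
"""Pre-select a Salesforce org's identity provider with kc_idp_hint (added example).

Not Keycloak code. kc_idp_hint is a Keycloak query parameter on the authorization
endpoint: when it names a configured identity-provider alias, Keycloak skips the
login page and redirects straight to that provider.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed mapping: Salesforce org id (as App1 learns it when the org installs the
# package) -> alias of the SAML identity provider configured for it in Keycloak.
ORG_TO_IDP_ALIAS = {
    "00D000000000001": "salesforce_org1",
    "00D000000000002": "salesforce_org2",
}


def login_url(base_url, realm, client_id, redirect_uri, org_id, state=None):
    """Authorization URL for App1 with the org's IdP pre-selected; returns (url, state)."""
    try:
        alias = ORG_TO_IDP_ALIAS[org_id]
    except KeyError:
        # Refuse rather than guess: an unmapped org has no IdP we vetted.
        raise ValueError(f"no identity provider registered for org {org_id!r}") from None
    state = state or secrets.token_urlsafe(32)   # bind the callback to this browser session
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "kc_idp_hint": alias,
    }
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, state


def hinted_alias(url):
    """Read the kc_idp_hint back out of a URL (debugging aid)."""
    return parse_qs(urlsplit(url).query).get("kc_idp_hint", [None])[0]


if __name__ == "__main__":
    url, state = login_url("https://sso.example.com", "realm1", "app1_client",
                           "https://app1.example.com/callback", "00D000000000002")
    print(url)
    print("remember state for the callback:", state)
```

The state value has to be stored server-side (or in a signed cookie) and compared on the callback, and the redirect_uri must be one of the client's registered Valid Redirect URIs in Keycloak.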
Shibboleth IdP configuration issues with Keycloak as SP
by robinfernandes .
Hi All,
We have a situation where the customer is using Shibboleth IdP and sending
the NAMEID in the transient format to Keycloak which acts as an SP.
However, we use one of the SAML attributes which is email to store that as
the username for the user.
However, after the first login, all subsequent logins fail with the error
"User with username already exists." I presume that this is because the
NAMEID which is transient is associated with that user somehow, and since
it is transient it is not able to associate that user correctly even though
we use email as the username?
Any insights on this would be helpful.
Thanks,
Robin
8 years, 4 months
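The presumption in the post matches how the broker behaves: Keycloak's SAML identity provider keys the federated-identity link on the Subject NameID, and a transient NameID is by definition a fresh opaque value on every login, so each login arrives as an unknown federated identity that then tries to register the username already taken from the mail attribute. The cure is a stable identifier: set the identity provider's "Name ID Policy Format" in Keycloak to persistent (or email) so the AuthnRequest asks for it, and have the Shibboleth side release that format. The script below is an added example, not Keycloak code, for checking what an IdP actually sends before trusting it as a link key; the assertions in it are constructed, unsigned skeletons.

```python
"""Inspect a SAML assertion's NameID before trusting it as a link key (added example).

Not Keycloak code. The assertions below are constructed, unsigned skeletons;
real ones carry Signature, Conditions, AuthnStatement and more.
"""
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def inspect(response_xml):
    """Extract NameID format/value, a stability verdict, and the released attributes."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        raise ValueError("assertion has no Subject/NameID")
    fmt = nameid.get("Format", UNSPECIFIED)
    if fmt == TRANSIENT:
        stability = "transient"    # new value every login: never use as a link key
    elif fmt in (PERSISTENT, EMAIL):
        stability = "stable"       # the spec requires these to identify the same principal
    else:
        stability = "unknown"      # unspecified: ask the IdP operator what it really is
    attributes = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = attr.findall("saml2:AttributeValue", NS)
        attributes[attr.get("Name")] = [v.text or "" for v in values]
    return {"format": fmt, "value": (nameid.text or "").strip(),
            "stability": stability, "attributes": attributes}


def link_key(info, fallback_attribute="mail"):
    """Value to key the federated identity on: the NameID only when it is stable."""
    if info["stability"] == "stable":
        return info["value"]
    values = info["attributes"].get(fallback_attribute) or []
    if not values:
        raise ValueError(f"NameID is {info['stability']} and {fallback_attribute!r} was not released")
    return values[0]


def _response(nameid_format, nameid_value, mail="robin@example.edu"):
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject><saml2:NameID Format="{nameid_format}">{nameid_value}</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="mail"><saml2:AttributeValue>{mail}</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


# Two logins by the same person with a transient NameID, and one with a persistent one.
TRANSIENT_LOGIN_1 = _response(TRANSIENT, "_7c1e4b0d2a9f")
TRANSIENT_LOGIN_2 = _response(TRANSIENT, "_0a3d9e5b61c4")
PERSISTENT_LOGIN = _response(PERSISTENT, "c4f1b6e2a0d9")

if __name__ == "__main__":
    for doc in (TRANSIENT_LOGIN_1, TRANSIENT_LOGIN_2, PERSISTENT_LOGIN):
        info = inspect(doc)
        print(info["stability"], info["value"], "-> link on", link_key(info))
```

Linking on an attribute such as mail, as link_key does for the transient case, is only safe when the IdP is the authority for that attribute and the response signature is verified first; the real broker has to check the signature before any of this.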
Redirection issue with proxy behind keycloak
by Aritz Maeztu
I'm using keycloak to secure some Spring based services (with the
keycloak spring security adapter). The adapter creates a `/login`
endpoint in each of the services which redirects to the keycloak login
page and then redirects back to the service when authentication is done.
I also have a proxy service which I want to publish on port 80 and
will take care of routing all the requests to each service. The proxy
performs a plain FORWARD to the service, but the problem comes when I
secure the service with the keycloak adapter.
When I make a request, the adapter redirects to its login endpoint and
then to the keycloak auth url. When keycloak sends the redirection, the
url shown in the browser is the one from the service and not the one
from the proxy. Do I have some choice to tell the adapter I want to
redirect back to the first requested url?
--
Aritz Maeztu Otaño
Software Development Department
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary:
the environment is everyone's responsibility.
8 years, 4 months
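The adapter builds redirect_uri from the request it receives, so behind a proxy it only sees the service's own scheme and host unless the proxy passes the original ones along in X-Forwarded-Proto / X-Forwarded-Host and the service is configured to honour them. Honouring them is itself a security decision: anyone who can reach the service directly can otherwise put an attacker-controlled host into the redirect, so forwarded headers must be trusted only from the proxy's addresses and the resulting host validated. The function below is an added example of that logic, not adapter code; the trusted ranges, host names and the X-Forwarded-Prefix convention are assumptions. In production the servlet container's own forwarded-header support (Tomcat's RemoteIpValve, for instance) does this job, and the final external URL still has to be in the client's Valid Redirect URIs in Keycloak.

```python
"""Rebuild the browser-facing URL behind a reverse proxy (added example).

Not Keycloak adapter code. Forwarded headers are honoured only when the
request's peer address is one of the proxies we run.
"""
import ipaddress
import re
from urllib.parse import urlunsplit

# Assumed addresses of our own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
# host[:port] only: no slashes, spaces or control characters from a header.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def external_url(peer_ip, scheme, host, path, headers, trusted=TRUSTED_PROXIES):
    """URL the browser requested, as seen through the proxy, or the local one if untrusted."""
    h = {k.lower(): v for k, v in headers.items()}
    if any(ipaddress.ip_address(peer_ip) in net for net in trusted):
        # Take the first (client-nearest) hop when a header carries a chain.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
        # Path prefix the proxy stripped before forwarding (Spring's convention; assumption).
        prefix = h.get("x-forwarded-prefix", "").rstrip("/")
        path = prefix + path
    if scheme not in ("http", "https") or not HOST_RE.match(host):
        raise ValueError(f"refusing to build a redirect for {scheme}://{host}")
    return urlunsplit((scheme, host, path, "", ""))


if __name__ == "__main__":
    forwarded = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "portal.example.com",
                 "X-Forwarded-Prefix": "/svc1"}
    print(external_url("10.1.2.3", "http", "service.internal:8081", "/login", forwarded))
    print(external_url("192.0.2.9", "http", "service.internal:8081", "/login", forwarded))
```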
Performance issues with Federation provider enabled
by Fabricio Milone
Hi all,
I sent this email yesterday with 5 or more attachments, so I think it was
blocked or something... here I go again :)
I've been running load tests on our application during the last few weeks,
and having some performance issues when my custom federator is enabled.
The performance issue does not exist when the federator is disabled.
*Configuration*:
I have a cluster of 2 instances of Keycloak, with a standalone DB, we've
verified the DB isn't an issue when the federator is disabled. Both
instances have a quad core CPU and they are in the same network. We’ve left
the memory at 512MB. The test script, database and API that connects to the
federator are in separate machines.
*Federator*:
We have a simple custom federator that makes calls to a very performant
api, which has been tested and is ok. Additionally, we've tested stubbing
the API so the performance is not a problem there. This federator is using
a jaxb marshaller to create a request, again tested in isolation and is
performing well.
As the federator is doing a lot of calls to the API (3 per login request),
I've implemented a httpclient that uses a
PoolingHttpClientConnectionManager with 1000 connections available to use,
instead of using the standard apache httpclient from http components. That
hasn't improved the performance of the system at all.
*Tests*:
It is a gatling scala script that could generate around ~300 (or more)
requests/second to the direct grants login endpoint using random usernames
from a list (all of them already registered using KC). The script is doing
a round robin across both instances of Keycloak with an even distribution
to each KC instance.
The idea is to simulate a load of 300 to 1500 concurrent users trying to login
into our systems.
*Problem*:
If I run the tests without using a federation I can see a very good
performance, but when I try to run the tests with the custom federation
code, the performance drops from ~150 requests/second to 22 req/sec using
both instances.
Memory wise, it seems to be ok. I've never seen an error related to memory
with this configuration, also if you take a look at the attached visualVM
screenshot you'll see that memory is not a problem or it seems not to be.
CPU utilisation is very low to my mind, I'd expect more than 80% of usage
or something like that.
There is a method that is leading the CPU samples on VisualVM called
Semaphore.tryAcquire(). Not quite sure what's that for, still investigating.
I can see that a lot of new threads are being created when the test starts,
as it creates around 60 requests/second to the direct grants login call, but
it seems to be a bottleneck at some point.
So I'm wondering if there is some configuration I'm missing on Keycloak
side that could be affecting the cluster performance when a federator is
enabled. Maybe something related to jpa connections, infinispan
configuration or even wildfly.
I'd really appreciate your help on this one as I'm out of ideas.
I've attached some screenshots of visualVM and tests results from my last
run today.
Sorry for the long email and please let me know if you need further
information.
Thank you in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 4 months
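One thing worth ruling out before looking at Infinispan or JPA: Apache HttpClient's PoolingHttpClientConnectionManager has two caps, a total (default 20) and a per-route one (default 2, set with setDefaultMaxPerRoute or setMaxPerRoute). A pool given 1000 total connections but left at the per-route default behaves like a pool of 2 when every call goes to the same API host, and every login thread then queues on the pool. The model below is an added example, not HttpClient or Keycloak code: it reproduces the two-cap semantics with semaphores and measures how many requests to one route are actually in flight, which is the number to compare against the "1000 connections" figure.

```python
"""Model of a pooled HTTP client with a total cap and a per-route cap (added example).

Not Apache HttpClient code; it only reproduces the pool's two caps so the
effect of the per-route limit on a single API host can be measured.
"""
import threading
import time
from collections import defaultdict


class RoutePool:
    """One semaphore for the whole pool, one per route (scheme://host:port)."""

    def __init__(self, max_total, max_per_route):
        self._total = threading.BoundedSemaphore(max_total)
        self._routes = defaultdict(lambda: threading.BoundedSemaphore(max_per_route))
        self._lock = threading.Lock()

    def _route_sem(self, route):
        with self._lock:              # defaultdict creation is not thread-safe by itself
            return self._routes[route]

    def lease(self, route):
        self._route_sem(route).acquire()
        self._total.acquire()

    def release(self, route):
        self._total.release()
        self._route_sem(route).release()


def run_load(max_total, max_per_route, workers, route="https://api.internal:443", hold=0.05):
    """Fire `workers` concurrent requests at one route; return the peak in-flight count."""
    pool = RoutePool(max_total, max_per_route)
    lock = threading.Lock()
    state = {"inflight": 0, "peak": 0}

    def request():
        pool.lease(route)
        with lock:
            state["inflight"] += 1
            state["peak"] = max(state["peak"], state["inflight"])
        time.sleep(hold)              # stands in for the API round trip
        with lock:
            state["inflight"] -= 1
        pool.release(route)

    threads = [threading.Thread(target=request) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["peak"]


if __name__ == "__main__":
    print("maxTotal=1000, per route=2 (the default):", run_load(1000, 2, 40))
    print("maxTotal=1000, per route=200:            ", run_load(1000, 200, 40))
```

Three API calls per login at 300 logins/s is 900 calls/s against one route; with a per-route cap of 2 and even a 10 ms round trip the pool can serve about 200 of them, which is the order of magnitude of the drop described.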
Swedish translation
by Thomas Raehalme
Hi!
We need to translate Keycloak user interface (excluding admin console) to
the Swedish language. I was wondering if anyone has already done the
translation and would be willing to share it?
We have already translated Keycloak to Finnish and hope to share the
translation with the community in the near future.
Best regards,
Thomas
8 years, 4 months
Keycloak behind firewall
by Kevin Hirschmann
Hello,
when sending an authentication request it seems that the keycloak
application uses the server url (from the request) to issue a request to
obtain a token.
The server sends a request to itself. I am running a wildfly instance behind
a transparent proxy and the firewall blocks requests from the wildfly server
to the IP address of the proxy. Is there a way to configure keycloak to send
internal requests to a different IP address?
Thx for your help
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
General partner of the KG:
HUEBINET GmbH;
Registered office and court of registration: Koblenz HRB 6857
Management:
Frank Hüttmann; Michael Biemer
----------------------------------------------------------------------------
Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is
only intended to provide information of a general kind, and shall not be
used for any statement with binding contents in respect to legal relations.
It is not totally possible to prevent a third party from manipulating emails
and email contents.
8 years, 4 months