OpenID 2.0 authentication in keycloak
by Peter Nalyvayko
Hi,
Can anyone suggest a library or an existing keycloak extension, or perhaps share their experiences with respect to enabling OpenID 2.0 authentication in keycloak, in addition to OIDC and SAML authentication? I am looking for a way to integrate keycloak with Kentico content management; however, Kentico offers out of the box support for OpenID 2.0 and WS-Federation only (claims based authentication, that is), and their out of the box implementation of WS-Fed appears to be lacking compared to OpenID 2.0.
Regards,
Peter
8 years, 4 months
Re: [keycloak-user] Keycloak single sign on with Kerberos (AD)
by Marek Posolda
Adding list back again for tracking (Ray, please use "Reply all" when
replying to the mails).
From my googling, it seems that DefectiveTokenDetected can happen for
NTLM requests as well. Btw. I found some tips on StackOverflow on how to
prevent using NTLM instead of Kerberos5:
http://stackoverflow.com/questions/2973355/defective-token-deteced-error-...
Maybe something from those will help:
- Use different machines for client (browser) and keycloak server
- Ensure both machines are in the Windows domain
- Use some different encryptions in the kerberos client file (krb5.ini).
The post mentions "arcfour-hmac-md5", however the post is 6 years
old :) Still, it might help to add/remove some encryptions from the krb5.ini
file and check if the client machine and IE will use a krb5 ticket instead of NTLM
- Fix DNS records or "SPN records" (I don't have a clue what it is :) So
see the post for more details)
Marek
On 29/06/16 16:41, Zhou, Limin (Ray) wrote:
>
> Marek
>
> I sent you two log files yesterday via two emails, I am able to see
> your analysis(such OID etc.) from the first log, but not the second
> logs, in the second log we were getting GSSException instead of the
> hand shake message, I am wondering why it likes this, and are they
> the same thing regarding my issues?
>
> Sorry to disturb you again
>
> Raymond
>
> P.S I have attached the two logs again for you to reference
>
> *From:*Zhou, Limin (Ray)
> *Sent:* Wednesday, June 29, 2016 10:18 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Marek
>
> Thank you so much for your analysis, I am wondering whether you can
> tell me how you mapped your diagnose with the server.log line#? I
> think this will help us more when we tuning either our bowser and
> domain setting, because I cannot see any 401 heading, first OID, the
> KRB5 OLD from the log file
>
> Really appreciate your help
>
> Raymond
>
> *From:*Marek Posolda [mailto:mposolda@redhat.com]
> *Sent:* Wednesday, June 29, 2016 4:01 AM
> *To:* Zhou, Limin (Ray)
> *Cc:* keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Hi Raymond,
>
> returning keycloak-user list back for tracking purposes.
>
> What I can see happening in the server.log is this:
> - Keycloak asks the browser to send a SPNEGO token (by sending 401 with
> "WWW-Authenticate: Negotiate" header). So far everything as expected
> - Browser replies with a SPNEGO token, however it uses NTLM as the
> preferred choice ( First OID is 1.3.6.1.4.1.311.2.2.10 ) together with
> an NTLM token. The KRB5 OID ( 1.2.840.113554.1.2.2 ) is in the supported
> mechanisms too.
> - Keycloak replies with a NegTokenTarg token when it's asking for
> a SPNEGO token backed by KRB5 instead of NTLM (as Keycloak
> doesn't understand NTLM atm. There is related discussion on
> keycloak-user
> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006758.html )
> - Browser doesn't respond to NegTokenTarg with a SPNEGO+KRB5 token anymore
>
> Not sure what your possibilities are TBH. Either somehow set up the browser
> to reply to the second request with NegTokenTarg and send a SPNEGO+KRB5
> token. Or re-configure your Windows domain (or client machines +
> browser) to skip using NTLM. Right now, I don't have any clue how to
> do that TBH.
>
> Marek
>
> On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
>
> Hi Marek
>
> If you haven’t looked at my previous server.log, then use this one
> instead, in this log we were getting an exception
>
> *GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)*
>
> When we hit the url, maybe this will make things easier
>
> Please let me know if you need anything more
>
> Thanks a lot
>
> Raymond
>
> *From:*Zhou, Limin (Ray)
> *Sent:* Tuesday, June 28, 2016 10:00 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
>
> Hi Marek
>
> I have attached my keycloak server log for you. After adding the
> two properties, we can see an exception show up when I hit
> my URL. After the exception, I think the default keycloak login
> page shows up, and the rest of the log was generated by my manual login
>
> Hope this can give us some clue
>
> Thanks a lot
>
> Raymond
>
> *From:*Marek Posolda [mailto:mposolda@redhat.com]
> *Sent:* Tuesday, June 28, 2016 1:43 AM
> *To:* Zhou, Limin (Ray)
> *Subject:* Re: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
>
> Thanks Raymond,
>
> is it possible to also enable the system properties
> -Dsun.security.krb5.debug=true and
> -Dsun.security.spnego.debug=true and see if there are some more
> details in the log? You can add system properties either directly
> to the standalone/configuration/standalone.xml file or by adding them
> to java opts in bin/standalone.conf
>
> Thanks,
> Marek
>
> On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
>
> Hello Marek
>
> Thanks for answering my post. Following is the log piece
> after hitting the first page, hope this helps.
>
> Please let me know if you need anything more
>
> Thank you so much
>
> Raymond
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug
> is true storeKey true useTicketCache false useKeyTab true
> doNotPrompt true ticketCache is null isInitiator false KeyTab
> is C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false
> principal is
> HTTP/t430-pbdc41e.monad.moneris.com(a)MONAD.MONERIS.COM
> tryFirstPass is false useFirstPass is false storePass is false
> clearPass is false
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> principal is
> HTTP/t430-pbdc41e.monad.moneris.com(a)MONAD.MONERIS.COM
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will
> use keytab
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> Commit Succeeded
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
>
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24)
> [Krb5LoginModule]: Entering logout
>
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24)
> [Krb5LoginModule]: logged out
> Subject
>
> *From:*Marek Posolda [mailto:mposolda@redhat.com]
> *Sent:* Monday, June 27, 2016 5:55 AM
> *To:* Zhou, Limin (Ray); keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> *Subject:* Re: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
>
> It may help if you enable all the possible debug/trace logging
> and post the log here. This may give more info about what the
> issue is. See docs on how to enable logging:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...
>
> Try to send the log from the point once you trigger the
> authentication request (or from the point when you hit your
> app URL)
>
> Thanks,
> Marek
>
> On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
>
> Hello everyone
>
> I am new to Keycloak and new to here
>
> Our web application is running on JBoss EAP 7. We have
> configured a Keycloak standalone server 1.9.7 running on a
> different port (same server box) to manage the user
> authentication and authorization; behind Keycloak we have
> configured Kerberos in User Federation to talk to our company
> AD server. We are able to log in by using our AD account,
> but not in a single sign on way: each time we hit
> our app URL, the Keycloak login page will show up.
>
> It looks like the TGT or ST hand shake was not successful,
> is there any document I can reference it to debug the issue?
>
> Any comments or suggestion would be very welcome
>
> thanks in advance
>
> raymond
>
> ------------------------------------------------------------------------
>
> Moneris Solutions Corporation | 3300 Bloor Street West |
> Toronto | Ontario | M8X 2X2 | Canada www.moneris.com
> <http://www.moneris.com> 1-866-319-7450
> If you wish to unsubscribe from future updates from
> Moneris, please click here
> <https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>.
> Please see the Moneris Privacy Policy here
> <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
>
>
> This e-mail may be privileged and/or confidential, and the
> sender does not waive any related rights and obligations.
> Any distribution, use or copying of this e-mail or the
> information it contains by other than an intended
> recipient is unauthorized. If you received this e-mail in
> error, please advise me (by return e-mail or otherwise)
> immediately.
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
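Marek's analysis in the thread above turns on which mechanism OID the browser lists first in its SPNEGO NegTokenInit (NTLMSSP 1.3.6.1.4.1.311.2.2.10 versus KRB5 1.2.840.113554.1.2.2). The following is an added example, not code from the thread or from Keycloak: a small standard-library Python decoder that takes the base64 value of a captured `Authorization: Negotiate` request header, walks the DER framing (an RFC 2743 InitialContextToken wrapping an RFC 4178 NegTokenInit) and reports the mechType list, so you can see from the header alone whether the client offered Kerberos first, without relying on the JDK debug properties. The sample token is constructed inline by a tiny DER encoder and is not a real capture; the MS-KRB5 OID 1.2.840.48018.1.2.2 is a well-known value that the thread does not mention.

```python
"""Decode the mechType list of a SPNEGO NegTokenInit (RFC 2743 framing, RFC 4178 body).

Added example: feed it the base64 value of an 'Authorization: Negotiate <token>'
request header captured from the browser, and it tells you which GSS mechanism
the client put first (the one it actually used) and which others it offered.
"""
import base64

# Well-known GSS mechanism OIDs. KRB5 and NTLMSSP are the two discussed in the
# thread; MS-KRB5 is the Microsoft Kerberos variant browsers also commonly list.
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def spnego_mech_types(token_b64):
    """Return the dotted OIDs of mechTypes in the order the client listed them."""
    buf = base64.b64decode(token_b64)
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x60:                        # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:                        # NegotiationToken CHOICE: negTokenInit [0]
        raise ValueError("not a NegTokenInit (a NegTokenResp has tag 0xA1)")
    _, init_seq, _ = _read_tlv(neg, 0)     # NegTokenInit ::= SEQUENCE
    tag, mech_list, _ = _read_tlv(init_seq, 0)
    if tag != 0xA0:                        # mechTypes [0] MechTypeList
        raise ValueError("mechTypes missing")
    _, oids, _ = _read_tlv(mech_list, 0)   # MechTypeList ::= SEQUENCE OF MechType
    result, pos = [], 0
    while pos < len(oids):
        _, raw, pos = _read_tlv(oids, pos)
        result.append(_decode_oid(raw))
    return result


def preferred_mechanism(token_b64):
    """Name of the first-listed mechanism, i.e. the one the browser actually used."""
    oids = spnego_mech_types(token_b64)
    return MECH_NAMES.get(oids[0], oids[0])


# --- constructed sample input (not a real capture) ----------------------------

def _tlv(tag, content):
    """Minimal DER encoder (short-form lengths) used only to build the sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _oid(dotted):
    """Encode a dotted OID as DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_negtokeninit(mech_oids, mech_token=b"NTLMSSP\x00"):
    """Build a NegTokenInit listing mech_oids (constructed sample, not a capture)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _oid(o)) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    init = _tlv(0xA0, _tlv(0x30, mech_types + token))
    return base64.b64encode(_tlv(0x60, _tlv(0x06, _oid(SPNEGO_OID)) + init)).decode()


# The shape Marek described: NTLMSSP first, KRB5 still in the supported list.
NTLM_FIRST = build_sample_negtokeninit(
    ["1.3.6.1.4.1.311.2.2.10", "1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"])

if __name__ == "__main__":
    print("preferred:", preferred_mechanism(NTLM_FIRST))
    print("offered:  ", spnego_mech_types(NTLM_FIRST))
```

When the first OID comes back as NTLMSSP, Keycloak will answer with a NegTokenTarg as the thread describes, so the fix lies on the client or domain side (SPN, DNS and krb5 encryption types), not in the server; a first OID of KRB5 or MS-KRB5 with the same failure points elsewhere, for example at the keytab or SPN the service is using.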
8 years, 4 months
Forgot Password Rest Api Endpoint
by Tom Pearson
Hi,
Is there a way in the REST API to initiate the forgot password flow passing
over the username? Ideally the same thing the
/auth/realms/{realm}/login-actions/reset-credentials...
form does.
I know the /admin/realms/{realm}/users/{id}/reset-password endpoint
exists but I can't even use it as a workaround as passing temporary=true
doesn't seem to force the user to reset their password on subsequent login.
Would be great if something like
/admin/realms/{realm}/users/{id}/forgot-password
were to exist.
Best regards,
Tom
8 years, 4 months
Re: [keycloak-user] AD FS - No assertion from response
by Marc Boorshtein
What does your authnrequest look like? ADFS is really fickle about format.
Common issues with the authnrequest are:
1. Nameidformat
2. Authncontextclassref
3. Sha1 signature
#1 is the biggest issue I see. You need to write a claims rule in adfs to
make sure it maps properly or just remove the nameidformat from the
authnrequest.
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Jul 28, 2016 6:22 AM, "Robert van Loenhout" <r.vanloenhout(a)greenvalley.nl>
wrote:
Hi,
I’m trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity
provider. I think I’ve set up everything, but I am getting an internal
error from keycloak.
The server log contains
2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37)
UT005023: Exception handling request to
/auth/realms/adfs-realm/broker/adfs/endpoint:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.broker.provider.IdentityBrokerException: Could not process
response from SAML identity provider.
The root cause is “No assertion from response”
So far the only information about this I have found is a keycloak
issue ticket
https://issues.jboss.org/browse/KEYCLOAK-3103
Has anyone had any luck using AD FS in combination with keycloak?
Is there any configuration I could change in AD FS or Keycloak, or a
workaround for this problem?
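Marc's three checklist items can be applied mechanically to a captured AuthnRequest before it is sent to AD FS. The following is an added example, not code from the thread, from Keycloak or from AD FS: a standard-library Python linter that parses the request XML and flags each of the three items (NameIDPolicy Format, RequestedAuthnContext, rsa-sha1 SignatureMethod), plus the quick fix Marc suggests for item 1, dropping the Format attribute. The AuthnRequest it runs on is constructed for the example with a placeholder signature value and example.test host names; the wording of the findings is mine and follows the reply above.

```python
"""Lint a SAML 2.0 AuthnRequest for the three AD FS trouble spots (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
for _prefix, _uri in NS.items():          # keep the familiar prefixes on re-serialisation
    ET.register_namespace(_prefix, _uri)


def lint_authnrequest(xml_text):
    """Return a list of (key, message) findings; an empty list means none of the three apply."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    findings = []

    # 1. NameIDPolicy Format: AD FS needs a claims rule issuing this format,
    #    otherwise remove the attribute (Marc's item 1).
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format") if policy is not None else None
    if fmt:
        findings.append(("nameid-format",
                         "NameIDPolicy Format=%s requested; add a matching AD FS "
                         "claims rule or remove the Format attribute" % fmt))

    # 2. RequestedAuthnContext / AuthnContextClassRef (Marc's item 2).
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    if ctx is not None:
        refs = [e.text for e in ctx.findall("saml:AuthnContextClassRef", NS)]
        findings.append(("authn-context",
                         "RequestedAuthnContext present (%s); a common AD FS "
                         "mismatch, try omitting it" % ", ".join(refs)))

    # 3. SHA-1 request signature (Marc's item 3).
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is not None and sig.get("Algorithm") == RSA_SHA1:
        findings.append(("sha1-signature",
                         "request is signed with rsa-sha1; the relying party "
                         "trust in AD FS must be set to the same hash algorithm"))
    return findings


def strip_nameid_format(xml_text):
    """Marc's quick fix for item 1: return the request with the NameIDPolicy Format removed.

    Apply this to the unsigned request; editing a signed request invalidates its signature.
    """
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is not None and "Format" in policy.attrib:
        del policy.attrib["Format"]
    return ET.tostring(root, encoding="unicode")


# Constructed sample request exhibiting all three issues (not a real capture).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_example1" Version="2.0" IssueInstant="2016-07-28T11:08:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/auth/realms/adfs-realm/broker/adfs/endpoint">
  <saml:Issuer>https://sp.example.test/auth/realms/adfs-realm</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for key, message in lint_authnrequest(SAMPLE_REQUEST):
        print("%-15s %s" % (key, message))
    print(lint_authnrequest(strip_nameid_format(SAMPLE_REQUEST)))
```

The linter only reports; which of the three actually breaks a given AD FS deployment depends on its relying party trust configuration, so check the AD FS event log against each finding rather than changing all three at once.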
8 years, 4 months
Redirect Programmatically to the Loginpage
by Alex Fernandes
Hi,
I'm green to Keycloak; wanted to thank the community for it, so far looking
great.
I have an issue where I want to redirect the user to the login page on the
Keycloak server programmatically in Java;
the use case is:
We have a page that is partially visible and partially not (when not
logged in), so I can't protect it with a URL pattern;
We have a login button on that page, and when the user is not logged in and
presses the button, we want to redirect to the login page (on Keycloak) and
back to the page again.
I'm using the Keycloak adapter core (running on Tomcat 8)
[image: inline image 2]
I copied this code from the KeycloakOIDCFilter (
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/servlet-fi...
)
It does show a 302 in the logs but the page doesn't redirect;
Does anyone have a clue about how to go about this?
Much Appreciated,
Cheers!
Alex
8 years, 4 months
KeyCloak multi-tenancy and third parties
by Haim Vana
Hi,
We are using KeyCloak with multi-tenancy; each realm represents a customer. In addition we are using third parties (e.g. Bloomfire and Litmos) where we don't have much control over the code.
Those parties support SAML 2; however, when a user accesses the third party, how can KeyCloak know their tenant? Since we can't change the third parties, is it possible to somehow first ask the user for their tenant and then redirect them to the login page?
Any advice will be appreciated.
Thanks,
Haim.
8 years, 4 months
AD FS - No assertion from response
by Robert van Loenhout
Hi,
I'm trying to use Keycloak 2.0.0.Final with AD FS 2.0 as an identity provider. I think I've set up everything, but I am getting an internal error from keycloak.
The server log contains
2016-07-28 11:08:32,510 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/realms/adfs-realm/broker/adfs/endpoint: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
The root cause is "No assertion from response"
So far the only information about this I have found is a keycloak issue ticket
https://issues.jboss.org/browse/KEYCLOAK-3103
Has anyone had any luck using AD FS in combination with keycloak?
Is there any configuration I could change in AD FS or Keycloak, or a workaround for this problem?
8 years, 4 months
create authentication tokens
by Jhonnatan Orozco Duque
Hi,
I am new and I'm doing research about Keycloak to check whether we can use it in a new project that would be with Java and LDAP; I need to know how I should configure Keycloak to create authentication tokens, because I haven't found information about this specific topic.
thanks
Jhonnatan Orozco Duque, Software Engineer
8 years, 4 months
keycloak spring boot adapter admin url
by Robert van Loenhout
I'm using the keycloak adapter in my spring boot applications. I would like to use single sign out. I added the openid-connect logout link to a page.
To let the keycloak server send signout requests to my web applications via the back channel I think I should configure the admin URL for each (spring boot) client.
Does the spring boot keycloak adapter implement the admin endpoint? And if so under which url is it available?
8 years, 4 months
Browser Caching in Custom Theme not working
by Chris Hairfield
Hello,
We've started deploying our custom login and account themes to persistent
environments and are finding that our browser caches aren't updating
properly as we push code. We are using Docker, so upgrades entail
destroying the existing container and starting a new one with our updates.
An instance of this is with the Join functionality where the form itself
didn't show after an upgrade, but we worked around it by entering an
incognito window.
This is the approach we've learned to use when developing as well: test in
an incognito window.
I'm curious, what are your suggestions for deploying Keycloak in such a way
as to properly update client browsers when our themes are updated?
Thanks!
Chris
8 years, 4 months