SAML AuthnContext
by Muein Muzamil
Hi all,
We are trying to configure OpenAM as a SAML client with KeyCloak. As part of
the SAML request it sends a PasswordProtectedTransport AuthnContext (as shown
below) and it expects this back as part of the SAML response.
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
Currently, KeyCloak always returns unspecified as the AuthnContext. Is there
any way to return the AuthnContext that KeyCloak received in the request?
<saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
Regards,
Muein
7 years, 11 months
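As an added example (not code from the original post or from Keycloak), a service-provider-side check of the mismatch described above: it parses the RequestedAuthnContext quoted in the post and the AuthnContext Keycloak returns, and decides whether the assertion satisfies Comparison="exact"; it also covers Comparison="minimum" under an assumed local strength ranking. The wrapping AuthnRequest/Response elements, their IDs and timestamps, and the STRENGTH table are constructed assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed local strength ranking for Comparison="minimum" (SAML leaves it to
# deployment policy); classes not listed rank 0, i.e. as weak as "unspecified".
STRENGTH = {AC + "unspecified": 0, AC + "Password": 1,
            AC + "PasswordProtectedTransport": 2, AC + "Kerberos": 3}

# Constructed sample: the SP's request, wrapping the element quoted in the post.
REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c0ffee" Version="2.0" IssueInstant="2017-01-27T10:00:00Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
# Constructed sample: the IdP response carrying the context Keycloak returns.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion><saml:AuthnStatement AuthnInstant="2017-01-27T10:00:05Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"""

def requested_context(authn_request_xml):
    """Return (Comparison, [class refs]) from RequestedAuthnContext; ("exact", []) if absent."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML Core: Comparison defaults to exact

def asserted_contexts(response_xml):
    """Return every AuthnContextClassRef asserted in the response's AuthnStatements."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(response_xml).findall(path, NS) if e.text]

def authn_context_satisfied(authn_request_xml, response_xml):
    """SP-side check: reject assertions whose AuthnContext does not meet the request."""
    comparison, requested = requested_context(authn_request_xml)
    asserted = asserted_contexts(response_xml)
    if not requested:
        return True          # nothing was requested, so nothing to enforce
    if not asserted:
        return False         # a context was requested but none was asserted
    if comparison == "exact":
        return all(a in requested for a in asserted)
    if comparison == "minimum":
        floor = min(STRENGTH.get(r, 0) for r in requested)
        return all(STRENGTH.get(a, 0) >= floor for a in asserted)
    raise ValueError(f"unsupported Comparison value: {comparison}")
```

Run against the two samples, the check fails exactly as the post describes: an exact request for PasswordProtectedTransport is not satisfied by an assertion of unspecified, so an SP enforcing its RequestedAuthnContext would reject that response.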
Conflict with LastPass Chrome Extension
by Alessandro Segatto
Hi,
we found a conflict between the LastPass Chrome extension (version 4.1.38) and
the Keycloak JS adapter (version 2.5). LastPass is sending a message to the login
status iframe, which crashes while trying to parse it! I think LastPass
caused the issue with its last update, but I think you should also be
interested in solving this lack of robustness. If you agree, I can open an
issue on Jira.
I also made an attempt with angular2-product-app, but I ran into a similar
issue (LastPass and Keycloak messaging one another, then crashing).
Thanks,
Alessandro Segatto
--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
7 years, 11 months
Validation of IdP SAML signatures using KeyInfo
by Mark Pardijs
Hi,
Originally posted on the keycloak-dev list; Hynek Mlnarik asked me to post this here.
We use a SAML IdP which is configured in Keycloak as a federated IdP, and I have a question concerning the validation of SAML signatures. In Keycloak's Identity Provider config page, the validating X509 certificates can be configured, with the description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." But in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the KeyName provided in the SAML message but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator, which returns a HardcodedKeyLocator, for details.
This code was recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881; see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c7....
My two questions concerning this approach:
1. Keycloak currently expects a <KeyInfo> element with a <KeyName> in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointerException when sending a SAMLResponse without a KeyInfo element.
2. What's the idea behind the HardcodedKeyLocator? It doesn't seem to match the multiple-keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?
Hope to hear your thoughts on this!
Mark
7 years, 11 months
UserFederationProvider
by Amit Arora
Hi,
I was using UserFederationProvider in 2.2.0; now I cannot find this class
in 2.5.1. What is the equivalent to it? I have my code written based on
this.
Thanks
Amit
7 years, 11 months
Authenticator implementation
by Amit Arora
I was implementing Authenticator in version 2.2.0; in 2.5.1 it is not
working, as it does not recognise the class
org.keycloak.authentication.Authenticator.
What needs to be done in this version?
Amit
7 years, 11 months
Return 503 (Service Unavailable) instead of 404 (File Not Found) during keycloak server restarts
by Thomas Darimont
Hello group,
the undertow servlet container is started pretty early during the startup
of the wildfly application server. However, the initialization of the keycloak
server application might take a while to complete. Within this period, requests
that are sent to the keycloak endpoints result in responses with HTTP status code 404.
Is it possible to configure undertow to return HTTP status code 503
(Service Unavailable) until the keycloak application startup has completed?
This would ease configuring load balancers and avoid showing a 404
to users during server restarts.
Cheers,
Thomas
7 years, 11 months
Missing federation-provider since version 2.5.0
by Tech
Dear experts,
from version 2.5.0 we noticed that the examples lack:
keycloak-examples-2.4.0.Final/providers/federation-provide
Will this be integrated back in version 2.6.0?
Thanks!
7 years, 11 months
Re: [keycloak-user] user storage ldap or keycloak
by Istvan Orban
Thanks for the info.
Is it possible then to do the following?
1, several users are created in keycloak during a 1 or 2 year period, let's
say 4000
3, existing users are exported from keycloak
4, users are imported into ldap
5, later down the line an ldap federation is added which is connected to
the new ldap
6, what sort of SPI do I need to write in order to link the existing
keycloak users to the ldap federation provider?
Is this possible?
Thanks a lot!
3, link the user from Java code somehow so that it
> Date: Fri, 27 Jan 2017 19:14:47 -0500
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] user storage ldap or keycloak
> To: Marek Posolda <mposolda(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Message-ID: <ae08ac3f-a547-8e45-c6d5-c6d14c8b9d91(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> > Users have to be linked to sync.
>
>
> On 1/27/17 3:25 PM, Marek Posolda wrote:
> > Bill, do we have OOTB support for the usecase, when you have just
> > local Keycloak users. Then at some point you want to add LDAP (or any
> > other provider) and then sync existing Keycloak users to that
> > StorageProvider? I guess not?
> >
> > Marek
> >
> >
> > On 27/01/17 15:25, Bill Burke wrote:
> >> I have no idea on the passwords. It is a standard algorithm we use.
> >> But you could might be able to a) use keycloak stored passwords, b)
> >> require password update, c) store new passwords in LDAP as they are
> >> updated and entered.
> >>
> >>
> >> On 1/27/17 2:48 AM, Istvan Orban wrote:
> >>> Thanks for this. I am glad to hear it. it can be our central user
> >>> store.
> >>>
> >>> I am wondering about one single question. Suppose down the line we
> >>> want to
> >>> upgrade to LDAP sometime in the future. Of course we can export the
> >>> user
> >>> data but the passwords are hashed.
> >>>
> >>> Will be able to import users into an LDAP store without having to reset
> >>> every single user's password ?
> >>>
> >>> Thanks a lot!
> >>>
> >>> ------------------------------
> >>>> Message: 4
> >>>> Date: Thu, 26 Jan 2017 14:14:36 -0500
> >>>> From: Bill Burke <bburke(a)redhat.com>
> >>>> Subject: Re: [keycloak-user] user storage ldap or keycloak
> >>>> To: keycloak-user(a)lists.jboss.org
> >>>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9(a)redhat.com>
> >>>> Content-Type: text/plain; charset=windows-1252; format=flowed
> >>>>
> >>>> Keycloak can handle responsibilities of a main user store and I would
> >>>> recommend you do that. The few customers that I've seen take your
> >>>> approach struggled a bit with tuning LDAP to get it to perform well.
> >>>> With Keycloak only store, there's just one less moving part you
> >>>> have to
> >>>> worry about, tune, and debug.
> >>>>
> >>>> The disadvantage is that you'll have to migrate from Keycloak DB to
> >>>> LDAP
> >>>> or something if you ever want to ditch Keycloak.
> >>>>
> >>>> Another option: using the User Storage SPI you do have the option to
> >>>> retain your legacy user store.
> >>>>
> >>>>
> >>>> On 1/26/17 2:00 PM, Istvan Orban wrote:
> >>>>> Dear Keycloak users.
> >>>>>
> >>>>> I am very new to keycloak and I really like it. it is great.
> >>>>>
> >>>>> I am currently migrating a legacy app ( using its own user
> >>>>> management
> >>>> ) to
> >>>>> support SSO.
> >>>>>
> >>>>> I have set-up keycloak with openid connect and it works very well. At
> >>>> this
> >>>>> point we need to decide
> >>>>> if we will use keycloak as our main user store or we will set-up
> >>>>> an LDAP
> >>>> .
> >>>>> My question is that. Is keycloak designed in a way that it can
> >>>>> fulfil
> >>>> all
> >>>>> the responsibilities of the main user store?
> >>>>>
> >>>>> Any risk with this at all?
> >>>>>
> >>>>> ps: our userbase is small and at this point I am not sure if we
> >>>>> want to
> >>>> add
> >>>>> ldap just for this.
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
7 years, 11 months
Build token parameters over an API
by Avinash Kundaliya
Hello,
I have been wondering if it is possible to create a custom mapper that could
call an API and add some parameters (or sub-parameters) to the JWT token
that is generated.
If yes, are there any examples of how to do so, and what data is available to
the mapper? (the user? the requested scope? ...)
Regards,
Avinash
7 years, 11 months
Re: [keycloak-user] user storage ldap or keycloak
by Istvan Orban
Thanks for this. I am glad to hear it. It can be our central user store.
I am wondering about one single question. Suppose down the line we want to
upgrade to LDAP sometime in the future. Of course we can export the user
data, but the passwords are hashed.
Will we be able to import users into an LDAP store without having to reset
every single user's password?
Thanks a lot!
------------------------------
>
> Message: 4
> Date: Thu, 26 Jan 2017 14:14:36 -0500
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] user storage ldap or keycloak
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Keycloak can handle responsibilities of a main user store and I would
> recommend you do that. The few customers that I've seen take your
> approach struggled a bit with tuning LDAP to get it to perform well.
> With Keycloak only store, there's just one less moving part you have to
> worry about, tune, and debug.
>
> The disadvantage is that you'll have to migrate from Keycloak DB to LDAP
> or something if you ever want to ditch Keycloak.
>
> Another option: using the User Storage SPI you do have the option to
> retain your legacy user store.
>
>
> On 1/26/17 2:00 PM, Istvan Orban wrote:
> > Dear Keycloak users.
> >
> > I am very new to keycloak and I really like it. it is great.
> >
> > I am currently migrating a legacy app ( using its own user management
> ) to
> > support SSO.
> >
> > I have set-up keycloak with openid connect and it works very well. At
> this
> > point we need to decide
> > if we will use keycloak as our main user store or we will set-up an LDAP
> .
> >
> > My question is that. Is keycloak designed in a way that it can fulfil
> all
> > the responsibilities of the main user store?
> >
> > Any risk with this at all?
> >
> > ps: our userbase is small and at this point I am not sure if we want to
> add
> > ldap just for this.
> >
> >
> >
>
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
7 years, 11 months