Multi Tenant Multi Application SSO
by jay.bhatt
Hello,
Please pardon my limited knowledge of Keycloak. I have tried my best to
learn through online resources (forums, blogs, YouTube). However, I could not
find much info for my specific use case:
I have a set of cloud multi-tenant SaaS applications/services (also refer
to the image attached herewith).
The main application would allow our customers to register their account. Here,
an account will represent the organisation to which the customer belongs.
Also, the person who registered the account will be the first user (Admin)
in that newly registered account. He can then invite other users to his org
account through email.
A user can be invited from more than one organisation account.
So we have one application with multiple org accounts, each having multiple users.
Some organisations could have their own requirements for authentication (e.g.
LDAP, SAML).
My questions are:
1) Do I need to create one realm and multiple groups (one group per
organisation), or do I need one realm per organisation?
2) If I have one realm only, can I have different authentication per
organisation?
3) Which is the suggested way for single sign-on in my use case? I.e., should
I go for IdP-initiated or SP-initiated SSO?
4) Should I have one domain for all tenants and ask for organisation
information at user login, or should I use subdomains to separate the
tenants?
Based on the responses, I may have further questions.
Thank you very much.
<http://keycloak-user.88327.x6.nabble.com/file/n3255/Capture.jpg>
9 years
Using postman to test keycloak protected app
by Stephane Granger
Hi,
I'm having problems setting up a Postman collection to test my REST APIs.
I first created the REST API without protecting it and tested it with
Postman without a problem.
I then added protection with Keycloak and ran into issues with Postman (403
error). I wasn't sure if the problem was in my authorization
configuration or in my Postman collection. So, to make sure it wasn't an
authorization configuration problem, I decided to create a Postman
collection and use the photoz example as a model. In my Postman script, I
want to access photoz-restful-api but I'm still getting a 403 error. The
photoz example does work when I use my web browser.
Here's what I did:
I added a postman client in keycloak under the photoz realm:
Client Id: postman
Protocol: openid-connect
Access Type: public
Direct Access enabled: ON
In Postman, I created 2 requests, one to get a token and the other one to
retrieve the list of albums for the jdoe user.
Here are the 2 requests:
POST http://localhost:8080/auth/realms/photoz/protocol/openid-connect/token
Content-Type:"application/x-www-form-urlencoded"
with the following body:
client_id:postman
grant_type:password
username:jdoe
password:jdoe
I'm receiving this response (tokens truncated for readability):
{
"access_token": "eyJhbGciOiJS...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJS...",
"token_type": "bearer",
"id_token": "eyJhbGciOiJSUzI1N...",
"not-before-policy": 0,
"session_state": "cf71f9c6-78cc-4a41-8026-aca4eb86c9cd"
}
In the Tests tab of the request (still in postman), I extracted the access
token out of the response like this:
var tokens=JSON.parse(responseBody);
postman.setGlobalVariable("kcAccessToken", tokens.access_token);
===============
Here's how I created the GET album request:
GET http://localhost:8080/photoz-restful-api/album/
Headers:
key=Authorization
value=Bearer {{kcAccessToken}}
I'm getting a 403 Forbidden error.
I'm obviously doing something wrong. Can anybody please tell me what it is?
Thanks,
Stephane
9 years
Access Control for an IoT environment
by Mehdi Sheikhalishahi
Hi,
I'd like to validate my solution based on Keycloak for securing access to
sensors.
Our environment consists of a dashboard, a sensors service (a database of
sensors), and Keycloak. We need to display the list of sensors associated
with the authenticated user in the dashboard, and implement access control to
sensors. A user can have different accesses to different sensors. For
simplicity, we define read and write access types.
Our solution is to use User Attributes; for that we create two user
attributes for each user: one for read and one for write. The value of
each attribute will be the list of sensors. This list states that the user
has this type of access to this list of sensors. Hence, this is a database
that can be used for defining policies.
For presentation, we can simply read these attributes and present them in
the Dashboard with appropriate columns for read and write accesses.
We need to implement another operation, called evaluation of
authorization requests. That is, when a user sends a request to access a
sensor for an access type (read or write), this request should be evaluated
(validated) by Keycloak. This is where Keycloak policies come
into play. For that, we need to write a policy (an attribute-based
policy, or a mixed kind of policy, such as JavaScript?) to evaluate whether this
user is authorized to perform such an operation. The output of this
operation is allow or deny. If the evaluation result is allow, then the
request will be sent to the database of sensors, and the result of this
operation will be returned to the Dashboard for the user.
My questions are the following:
- Is this solution approach the right one?
- How do we provide the access request to Keycloak, so that in the policy we
have all the inputs we need for evaluation, that is user information, the
requested sensor, and the requested access type?
Thanks,
Mehdi
9 years
Example provider/domain-extension
by ko lo
Hi!
I am trying to understand how this example works. I execute the "add company"
request and I get the error
java.lang.NoClassDefFoundError: javax/persistence/EntityManager
What can I do to make the example work?
9 years
JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly, IE doesn't really care about the header's
value as long as it has been set. For example, Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should WildFly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
9 years
Session invalidation upon role changes?
by Dmitry Korchemkin
Is there a built-in way to invalidate a session upon role changes in the IDP?
I imagine the following scenario:
- user logs in, mapper gives him role X.
- user, using role X, gains access to some resource or application.
- admin removes role X from the user on the IDP side.
- user needs to be logged out after that, since he doesn't have access to
this resource anymore.
I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
the session by default.
I know OIDC/SAML can store additional info in its tokens and we can
probably use it to carry roles information in refresh tokens and check it
on application side, but maybe there's already a way to do this with some
Keycloak configuration?
9 years
Different username for direct access grant?
by Guus der Kinderen
Hi!
We're integrating our Java application with Keycloak using JAAS. We're
making use of org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule.
For this application, we'd like the users to authenticate with a username
that is different from the "username" property in the Keycloak UserModel.
Instead, we'd like to use the Keycloak ID.
I had thought that changing the "username" protocol mapper for the client
that is used would do the trick. I changed the value for the "property"
field from "username" to "id", but that does not have the desired effect, as
users can still log in with their 'username' (instead of the UUID value
that is the Keycloak ID).
What is my mistake?
Regards,
Guus
9 years
CORS response headers
by Ricardo Barroetaveña
Hi all,
We're securing a client-side JS app with Keycloak and we noticed it's not
adding CORS headers when the response status code is not successful.
The browser complains about the missing 'Access-Control-Allow-Origin' header and it
hides the resource error code.
Is there any reason it's not adding the header under this error condition?
Is it a security issue?
Thanks for the help!
Ricardo.
9 years
Getting parsing error while posting client_assertion in Keycloak 2.2.1.Final (Offline Access)
by Jyoti Kumar Singh
Hi Team,
We are using Keycloak tag 2.2.1.Final for our sample code for the offline
access flow through signed JWT, where we are passing the offline_token
(refresh_token) as "client_assertion" through the JWTClientCredentialsProvider
API call.
We are getting "Parsing error" at the Keycloak end (JWSInput.java), as I could
see the Keycloak API is parsing client_assertion as
(parts.length < 2 || parts.length > 3).
That means refresh_token parts should be less than 2 or greater than 3, but
the client_assertion which we have always has 3 parts (i. header, ii.
payload and iii. signature).
Could you please suggest what the significance of the above-mentioned logic is?
Or is there anything we are missing in "client_assertion"?
--
*With Regards, Jyoti Kumar Singh*
9 years
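Both the 403 in the Postman thread above and the "Parsing error" in this thread hinge on what is inside the compact JWS the client presents. As an added example that is not from either thread or from Keycloak itself, the script below splits a token with the part-count rule quoted above (2 or 3 dot-separated parts pass, 3 being the normal signed case, anything else fails) and then decodes the claims a resource server inspects before deciding on a bearer request: issuing client (azp), audience, realm and client roles, and expiry. All function names and the sample token are constructed for illustration; nothing here verifies a signature.

```python
import base64
import json
import time

def split_compact(token: str) -> list:
    """Split a compact JWS the way JWSInput does: Java's String.split drops
    trailing empty strings, then the quoted check rejects all but 2 or 3 parts."""
    parts = token.split(".")
    while parts and parts[-1] == "":
        parts.pop()
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError("Parsing error: %d parts, expected 2 or 3" % len(parts))
    return parts

def b64url_json(segment: str) -> dict:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str, now: int = None) -> dict:
    """Summarise what a resource server sees in a bearer token: issuing client
    (azp), audience, roles, expiry. No signature check; the server does that."""
    parts = split_compact(token)
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    now = int(time.time()) if now is None else now
    return {
        "alg": header.get("alg"),
        "signed": len(parts) == 3,
        "azp": claims.get("azp"),
        "aud": claims.get("aud"),
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": {c: sorted(v.get("roles", []))
                         for c, v in claims.get("resource_access", {}).items()},
        "expired": claims.get("exp", 0) <= now,
    }

# Constructed sample, not a real Keycloak token: claims a direct-grant token for
# a public client "postman" might carry; the third segment is a dummy signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "RS256", "typ": "JWT"}),
    b64url_encode({"azp": "postman", "aud": "postman", "exp": 1500000300,
                   "preferred_username": "jdoe",
                   "realm_access": {"roles": ["user"]},
                   "resource_access": {"photoz-restful-api": {"roles": ["user"]}}}),
    "ZHVtbXk",
])
```

Run `inspect_token` on the `access_token` string from the Postman token response and compare the roles and audience it reports with what the resource server's client configuration expects.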