Exposing federatedIdentity object in other locations
by Michael Anthon
I have a need to do some template manipulation based on the state of the federatedIdentity object for the user.
For example, if the user had a federated identity then we don't want them to be able to reset their password within Keycloak. In this case I want to alter the password.ftl to remove the password fields and display instead a message telling them to go to their IdP to update their password.
An extra property against the IdP to store a URL that we could use inside the template to provide a link to the right address to go to for resetting the password would also be awesome, but a generic message would suffice in most cases (or we could store extra message strings including those URLs keyed on the IdP alias, maybe).
It would also be useful in the main account template.ftl to show or hide the identity tab depending on whether they have any federations or not (we have already modified federatedIdentity to hide any IdP that is not already linked to that user).
So, would this be possible or desirable, or is there another way to achieve what I want?
Thanks,
Michael
7 years, 9 months
Mobile App, native login
by matteo restelli
Hi all,
we're planning to use Keycloak for a project and we're really excited about
that. The only thing that makes us think a little bit is the
authentication flow via a native mobile app. I've already read that
authentication via a WebView or external browser, using the Keycloak login
page, is the best practice. But we think that our mobile app designers
might prefer a native login form with some buttons for social login. How
can we do that?
1) For "direct" authentication via username & password we can use the
direct access grants mode, is that right?
2) What about the social login part? How can we authenticate users when we
receive the access token from an external identity provider such as
Facebook? Do we need to implement our own custom Authenticators and then
deploy them with Keycloak?
I apologize because I know that this question has been asked a lot of
times, but we haven't been able to figure it out.
Thank you very much, have a nice day,
Matteo
7 years, 9 months
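As an added example (not code from the thread or from the Keycloak project), here is what the direct access grant in point 1 looks like from a native client: a Java class that posts grant_type=password to a realm's token endpoint. The base URL, realm name, client id and user credentials are placeholders, and the minimal JSON field extraction stands in for a real JSON library.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Direct access grant (OAuth2 resource owner password credentials) against a Keycloak realm. */
public class DirectGrantClient {

    /** Token endpoint of a realm; "/auth" is the default context path of Keycloak servers of this era. */
    static String tokenEndpoint(String baseUrl, String realm) {
        return baseUrl + "/auth/realms/" + realm + "/protocol/openid-connect/token";
    }

    /** application/x-www-form-urlencoded body, in insertion order. */
    static String formEncode(Map<String, String> params) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    /** Posts grant_type=password and returns the raw JSON token response; throws on a non-200 status. */
    static String requestToken(String baseUrl, String realm, String clientId,
                               String username, String password) throws IOException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");   // this is the "direct access grant"
        form.put("client_id", clientId);      // public client: no client_secret is sent
        form.put("username", username);
        form.put("password", password);       // the app handles the raw password here

        byte[] body = formEncode(form).getBytes(StandardCharsets.UTF_8);
        HttpURLConnection conn = (HttpURLConnection) new URL(tokenEndpoint(baseUrl, realm)).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        int status = conn.getResponseCode();
        // Keycloak puts the error body (e.g. {"error":"invalid_grant",...}) on the error stream.
        try (InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream()) {
            String json = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8); // Java 9+
            if (status != 200) {
                throw new IOException("token request failed: HTTP " + status + " " + json);
            }
            return json;
        }
    }

    /** Minimal extraction of a string-valued top-level field; a real client would use a JSON library. */
    static String stringField(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder values; the client must have "Direct Access Grants Enabled" switched on.
        String json = requestToken("https://sso.example.com", "myrealm", "mobile-app",
                                   "alice", "password-typed-into-the-native-form");
        String accessToken = stringField(json, "access_token");
        String refreshToken = stringField(json, "refresh_token");
        System.out.println("access token length: " + accessToken.length());
        System.out.println("refresh token present: " + (refreshToken != null));
    }
}
```

The trade-off the example makes visible is the reason the WebView or browser flow is the documented best practice: with grant_type=password the user's cleartext password passes through the app's own code, so the user has to trust the app (and every library in it) with that password, whereas with the browser flow only Keycloak's login page ever sees it. This endpoint also does nothing for point 2: a token issued by Facebook is not a username/password pair and cannot be exchanged through a password grant.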
additional realm properties in theme
by Gregor Tudan
Hi,
I would like to design a theme that has dynamic properties depending on the realm. Each customer would get their own realm but still use the same theme.
Is it possible to add additional fields to the realm (e.g. the customer address) and use them in the templates? For example, emails should contain a footer with the customer's address and contact details.
Or is it possible to load an external properties file from the filesystem? Like „/opt/keycloak/themes/mytheme/common/customer1.properties“?
Thanks in advance!
Gregor
7 years, 9 months
Unable to Store and Retrieve Group-Role relationship in LDAP
by abhishek raghav
Hi
I have a set of *Realm Roles* that is mapped to a certain *OU=Roles* in an
*MSAD*. Similar is the case for a set of *Groups*.
But when I *assign a group a certain role, the assignment is visible
in Keycloak, but the same is not reflected in the AD*.
I mean, this mapping of role and group is *not stored in the "member" or
"memberof" attributes of either the respective group or the role*.
Please suggest whether this functionality is available using any mapper from
Keycloak to AD, or do we need to create our own custom mapper? If yes, how?
- Best Regards
Abhishek Raghav
7 years, 9 months
Disable Authenticator menu in user account service
by nicolas heldmaier
Hello,
I'm currently configuring Keycloak, and I won't use the OTP authenticator. But I
can't make the Authenticator menu not show in the user account service.
I saw this sentence in the docs:
"The Authenticator menu item allows the user to set up OTP if they desire.
This will only show up if OTP is a valid authentication mechanism for your
realm"
But I can't find where to declare that OTP is not a valid authentication
mechanism.
Best Regards.
Nicolas.
7 years, 9 months
Re: [keycloak-user] [keycloak-dev] Keycloak on active MQ
by Marek Posolda
Yes, I think that for that case the second login module
(BearerTokenLoginModule) is the better choice. Your webapp already has the
accessToken, so you just need to send it as the "password" to JAAS. Probably
something like this should work:
connectionFactory.createConnection(username , accessTokenString);
Marek
On 02/04/17 21:20, Shankar_Bhaskaran wrote:
> Hi ,
>
> I was able to secure ActiveMQ behind Keycloak using the direct access login module, but I specifically have to pass the username and password while getting a connection from ActiveMQ. The SSO aspect of Keycloak is not fulfilled since I have to pass the username and password from the web application. The ActiveMQ and my application share the same security domain also.
> connection = (ActiveMQConnection) connectionFactory.createConnection(username, password);
> Is there a way to get authenticated in ActiveMQ in the same user session as the web application that is calling the connection
>
> Regards,
> Shankar
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda@redhat.com]
> Sent: Wednesday, February 1, 2017 5:21 PM
> To: Shankar_Bhaskaran <Shankar_Bhaskaran(a)infosys.com>; keycloak-dev(a)lists.jboss.org; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-dev] Keycloak on active MQ
>
> I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kind of services. See docs for details https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
>
> Marek
>
> On 01/02/17 10:26, Shankar_Bhaskaran wrote:
>> Hi ,
>>
>> We are using keycloak as SSO in our organization. I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic?
>>
>> Regards,
>> Shankar
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
7 years, 9 months
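Putting Marek's suggestion together as an added example (not code from the thread or from the Keycloak or ActiveMQ projects): the broker is configured to authenticate JMS connections through Keycloak's BearerTokenLoginModule, and the web application passes the user's access token in the password slot of createConnection. The activemq.xml and login.config fragments, the file paths, the broker URL and the username are assumptions; the module and option names are the ones from Keycloak's JAAS adapter.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import org.apache.activemq.ActiveMQConnectionFactory;

/*
 * Broker side (assumed file names and paths).
 *
 * activemq.xml turns on JAAS authentication and names the login configuration:
 *
 *   <plugins>
 *     <jaasAuthenticationPlugin configuration="keycloak"/>
 *   </plugins>
 *
 * login.config maps that name to Keycloak's bearer-token module. The module
 * takes the value delivered through the JAAS PasswordCallback as an access
 * token and verifies it (signature, expiry, issuer) against the realm
 * described in keycloak.json; identity comes from the verified token's claims.
 *
 *   keycloak {
 *       org.keycloak.adapters.jaas.BearerTokenLoginModule required
 *           keycloak-config-file="/etc/activemq/keycloak.json";
 *   };
 */
public class BearerTokenJmsClient {

    /**
     * Opens a JMS connection authenticated with the caller's current Keycloak
     * access token. The web application never handles the user's password.
     */
    static Connection connect(String brokerUrl, String username, String accessToken) throws JMSException {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        // The token travels in the password slot; the broker's login module verifies it.
        Connection connection = factory.createConnection(username, accessToken);
        connection.start();
        return connection;
    }

    public static void main(String[] args) throws JMSException {
        // In the web application this would come from the Keycloak security context of
        // the logged-in user; here it is read from the environment for a stand-alone run.
        String accessToken = System.getenv("KEYCLOAK_ACCESS_TOKEN");
        if (accessToken == null) {
            throw new IllegalStateException("set KEYCLOAK_ACCESS_TOKEN to a current access token");
        }
        Connection connection = connect("tcp://localhost:61616", "alice", accessToken);
        System.out.println("JMS connection established with bearer token");
        connection.close();
    }
}
```

The login module checks the token at the moment the connection is created, so the web application should pass a token that is still valid then (refresh it first if the session's token is close to expiry) rather than one cached when the user logged in.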