Re: [keycloak-user] SAML response parsing failed
by Erwin Steffens | Rovecom
Here it is: https://www.dropbox.com/s/gjuems7k6nkjs19/connectis-saml-response-raw.xml...
-----------------------------
Rovecom
Erwin Steffens | Rovecom
software developer
Elbe 2, 7908 HB Hoogeveen
Postbus 2126, 7900 BC Hoogeveen
0528 22 35 35
Constantly innovating to stimulate movement and realise growth. We are Rovecom.
Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste the link into your internet browser.
-----------------------------
-----Original message-----
From: Hynek Mlnarik [mailto:hmlnarik@redhat.com]
Sent: Wednesday 26 April 2017 11:48
To: Erwin Steffens | Rovecom <esteffens(a)rovecom.nl>
Subject: Re: [keycloak-user] SAML response parsing failed
Could you please store the SAML response to e.g. google drive/dropbox/... and send here a link to it?
--Hynek
On Wed, Apr 26, 2017 at 11:32 AM, Erwin Steffens | Rovecom <esteffens(a)rovecom.nl> wrote:
>
>
> We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party but Keycloak does not seem to be able to parse the SAML response.
>
> The error we get is:
>
> 09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
>
> When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
>
> Can I somehow attach the XML here?
>
> Erwin
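An added example for the thread above (it is not code from the thread and not Keycloak's parser) showing what the Woodstox error means and how to find the offending element before the response ever reaches the broker. A namespace-aware parser (Woodstox in Keycloak, expat here) just aborts on an unbound prefix; parsing without namespace processing and tracking the xmlns declarations by hand reports where the prefix is used, which in practice is often a Signature subtree that a tool extracted or re-serialised without its xmlns:ds declaration. The two SAML responses below are constructed samples, not the poster's file.

```python
"""Locate namespace prefixes that are used without an in-scope declaration.

Added example, not Keycloak code. Parsing without namespace processing and
tracking xmlns declarations manually tells you *where* an unbound prefix
appears, instead of only failing the way a namespace-aware parser does.
"""
import xml.parsers.expat

# Constructed sample: a minimal SAML response whose Signature declares ds.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same document with the xmlns:ds declaration dropped,
# the shape that produces "Undeclared namespace prefix ds".
BAD_RESPONSE = GOOD_RESPONSE.replace(
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"', "")


def find_undeclared_prefixes(xml_text):
    """Return [(element_path, qualified_name), ...] for every prefixed element
    or attribute name whose prefix has no xmlns declaration in scope."""
    problems = []
    scopes = [{"xml"}]      # the xml: prefix is bound implicitly everywhere
    path = []

    def start(name, attrs):
        declared = set(scopes[-1])          # inherit the parent's bindings
        for attr in attrs:
            if attr.startswith("xmlns:"):
                declared.add(attr.split(":", 1)[1])
        scopes.append(declared)
        path.append(name)
        here = "/" + "/".join(path)
        # Check the element name and every non-xmlns attribute name.
        for qname in [name] + [a for a in attrs if not a.startswith("xmlns")]:
            if ":" in qname and qname.split(":", 1)[0] not in declared:
                problems.append((here, qname))

    def end(_name):
        scopes.pop()
        path.pop()

    parser = xml.parsers.expat.ParserCreate()   # no namespace processing
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return problems


def namespace_aware_parse_error(xml_text):
    """Parse with namespace processing enabled and return the parser's error
    message, or None if the document is well-formed. This mirrors what the
    namespace-aware parser in Keycloak does; the wording here is expat's."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("good:", find_undeclared_prefixes(GOOD_RESPONSE))
    print("bad: ", find_undeclared_prefixes(BAD_RESPONSE))
    print("namespace-aware parser says:", namespace_aware_parse_error(BAD_RESPONSE))
```

Run it against a saved response to get the element path of every unbound prefix; if the path lands inside ds:Signature, compare the file with what the IdP actually sent on the wire (a HTTP-POST binding carries it base64-encoded in SAMLResponse) rather than with a copy a validation tool has pretty-printed, since re-serialisation is where such declarations get lost.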
7 years, 8 months
Integrating with Stripe
by Marc Coleman
Hi,
I would like to extend the registration and account pages to collect
payment details using Stripe. Since I am using the docker container, I
thought it may be easiest to pass the Stripe token and an API endpoint as
environment variables to the container. Then, by extending the themes, I
could collect the card details using Stripe.js and send the token to my API
to create a customer token that I could add to user attributes in Keycloak.
I know that environment variables are not currently accessible in the
freemarker templates so if this is considered a reasonable use-case I'd be
willing to open an enhancement request; otherwise I would be interested in
alternative solutions.
Thanks!
Marc
7 years, 8 months
Keycloak is throwing invalid_authn_request error for SAML Client
by Jyoti Kumar Singh
Hi Team,
We have integrated SAP HANA system as a Service Provider with the Keycloak
2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
needs to be imported at Service Provider end.
But while saving the "SAML Metadata IDPSSODescriptor" at Service Provider
end, SingleSignOnService Location is getting saved with addition of 443
port number in the Destination URL. For example, if Keycloak is providing
IDP SingleSignOnService Location as
"https://test.example.com/auth/realms/zzz/protocol/saml", Service Provider
is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".
Once Service Provider is making an AuthnRequest call to Keycloak, it is
sending Destination URL as
"https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of
AuthnRequest. As the destination URL contains ":443" extra, Keycloak is
refusing to accept it and throws "error=invalid_authn_request,
reason=invalid_destination" error.
Looks like Keycloak is very strict about destination URL matching which is
sent from SP as part of AuthnRequest. Do we have any option in Keycloak
which will accept the Destination URL with port number in AuthnRequest or
is there any work around to handle this?
Please let me know for any other information regarding this.
--
*With Regards, Jyoti Kumar Singh*
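An added example for the thread above, not Keycloak's implementation, that makes the two comparison policies concrete. The post reports that Keycloak compares the Destination string exactly, so "https://host:443/..." is rejected against "https://host/...". The tolerant variant applies only the equivalences RFC 3986 defines as safe (case-insensitive scheme and host, an explicit default port dropped) and leaves path, query and everything else byte-for-byte, so a Destination that names a different host, port or realm still fails. The two URLs are the ones quoted in the post; test.example.com is the poster's placeholder.

```python
"""Compare a SAML Destination against the expected endpoint URL.

Added example, not Keycloak code. Only scheme/host case and an explicit
default port are normalised; any other difference still fails the check.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Values quoted in the post (test.example.com is the poster's placeholder).
EXPECTED = "https://test.example.com/auth/realms/zzz/protocol/saml"
RECEIVED = "https://test.example.com:443/auth/realms/zzz/protocol/saml"


def canonical_destination(url):
    """Return url with scheme and host lower-cased and an explicit default
    port removed. Path, query and fragment are left untouched; userinfo,
    if present, is discarded (it has no place in a SAML endpoint URL)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:                      # IPv6 literal: urlsplit strips brackets
        host = f"[{host}]"
    port = parts.port                    # raises ValueError on a non-numeric port
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def destination_matches(expected, received, strict=True):
    """strict=True is the exact string comparison the post describes;
    strict=False tolerates only the default-port and case equivalences."""
    if strict:
        return expected == received
    return canonical_destination(expected) == canonical_destination(received)


if __name__ == "__main__":
    print("strict comparison:   ", destination_matches(EXPECTED, RECEIVED))
    print("canonical comparison:", destination_matches(EXPECTED, RECEIVED, strict=False))
```

Whichever side you can change, the safer fix is to make the SP send the URL exactly as published in the IdP metadata; loosening the IdP's check should go no further than the default-port rule shown here, because the Destination check is what stops a captured AuthnRequest from being accepted at an endpoint it was not addressed to.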
7 years, 8 months
Logout endpoint JSON Response
by matteo restelli
Hi all,
calling the logout endpoint returns, if the call succeeded, a 204 HTTP CODE
(No-Content). Is that a standard OIDC behaviour? Is it possible to return
some sort of JSON and another HTTP CODE (like 200)?
Thank you in advance,
Matteo
7 years, 8 months
Maintain 300 realms challenge
by Kevin Berendsen
Hi community!
I've got a very interesting challenge and I'd like some of your opinions.
We've got to maintain countless separate LDAPs with identical schemas and configurations. The problem is, the users may have identical usernames in the separate LDAP instances so fusing every LDAP into one is not an option at the moment. Maybe in the future but not now.
So I came with a couple solutions:
1) Each LDAP will have its own realm so all the LDAPs keep isolated from each other. Each realm will have identical clients and general configuration. To tackle the issue to lower maintenance time is to develop a tool on the Keycloak Admin Client API to be able to make bulk updates on ALL the realms. As it's quite hard to track which realm has which change/update, I came up with the idea to create a single Realm that will act as a template and every time I update the Realm by adding a new Client for example, it'd perform the very same action on ALL other realms.
Pros: You can manage all realms as one and every LDAP stays isolated.
Cons: Huge load on the Keycloak (I think) and takes quite some time to develop the tool.
2) Create a single realm, have countless User Federations and the username will have a prefix (id of the User Federation). Then again, a tool will be developed to easily maintain the User Federations,
Pros: Single realm to maintain
Cons: I don't like the thought of having countless User Federations but I think that might be a misplaced feeling.
So what do you guys think :)
For those who reply, thanks in advance, your efforts will be appreciated!
Kind regards,
Fanatic Keycloak User
Kevin
7 years, 8 months
JAX-RS @PermitAll with invalid token fails
by Georg Henkel
Hi there,
I am trying to setup a JAX-RS webservice with keycloak authentication
and want to use the Java EE security annotations (@PermitAll,
@RolesAllowed).
My current implementation works well with one exception:
If I have set an invalid bearer token in the authorization header the
TokenVerifier throws a VerificationException stating: Token is not active.
I fully understand why it is thrown and that the token is checked before
the routing in JAX-RS starts. But if I use @PermitAll I want that
everyone regardless of any authorization header can access the resource.
How can I handle this use case?
P.S.: If I access the resource without a token, then I get the correct
result from the webservice.
Best regards
Georg
7 years, 8 months
Passing information from custom Authenticator to a Token
by Thomas Darimont
Hello group,
I need to pass some information from a custom Authenticator to the
IDToken/AccessToken.
One way I found to do that is by using UserSessionNotes and a "User Session
Note"
Protocol Mapper defined in a client template which is shared by all clients.
public void authenticate(AuthenticationFlowContext context) {
...
context.getClientSession().getUserSessionNotes().put("someKey","someValue");
...
}
is this the intended way to do this sort of things?
Cheers,
Thomas
7 years, 8 months
Issues with Keycloak and AD
by Charles Hardin
Hello All,
I have set up an instance of Keycloak 3 and connected it to AD. It is set up
to sync users and is in writeable edit mode. I also have Password Policy Hints
enabled in the MSAD Account Controls mapper. I have user registration
turned on in Keycloak.
When I register a user in keycloak, it creates the user in a disabled state
in AD, and prompts the user in keycloak to change the password they just
set during account creation to activate the account. This then fails
because AD is currently configured to enforce a minimum password age of one
day.
I am ok with the account being created disabled, but how do I get around
the immediate 2nd password request?
Thanks,
Chuck
7 years, 8 months