New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
by Consolodated Emails
Hi all,
I have a big project due by end of the week and the last item I have to
deliver is Single Sign On for Active Directory users using IE, Firefox &
Chrome. I am able to login to my application if I use the Keycloak login
form but I can't get it to auto login. If I set Kerberos to Required under
Authentication, I get an error saying Kerberos is not setup. You cannot
login.
Currently I'm investigating these as possible causes:
my browser doesn't seem to be passing Kerberos to Keycloak. I'm using
Fiddler to check headers but I can't get a clear understanding of what I
should look for. The best I can tell WWW-Authenticate Negotiate being sent
to me in the 401 response. I guess my browser isn't sending the Kerberos
credentials.
I'm using a NGINX proxy in front of my application. I've found some
evidence of people updating configuration files in order to make this work
properly. But I'm not sure this applies to me, since my proxy doesn't sit
in front of the keycloak server.
https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
/jboss/keycloak/standalone/configuration/standalone.xml
I don't think Kerberos is set up properly under User Federation/Active
Directory (my LDAP's Config name).
I pieced together some information from Matt's article on using Keycloak
to authenticate with AD. He didn't go into any detail about Kerberos
configuration for Active Directory. One line "Configure the Kerberos
integration like this:" and a screenshot is all I had to work with. After
doing some reading I'm left to think there is an important step that is
left out of all the articles, forum posts, user manual, etc. From what I
can tell I have to run a command in the container to create a Keytab and it
has to have the proper permissions for Keycloak to access it. I also think
I have to setup /etc/kerb5.conf but I'm not sure what I need to do exactly.
I can't find an article directly discussing Keycloak.
http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-...
My Env:
Windows Server 2012 R2
AWS Ec2
Active Directory
Pseudo workstation (I'm logging on as a non-domain admin for testing).
Keycloak
AWS Ec2
Docker - Jboss/Keycloak:latest
Ubuntu 16.04 Host:
Container is Redhat based (obviously it's jboss).
Ruby on Rails 1.8.7 application
AWS Ec2
Nginx Proxy in front of it.
OpenID client connected to KeyCloak
Under User Federation:
I've created an Active Directory Provider, it's able to sync users from my
test Active Directory.
Authentication:
Kerberos
Any help would be really appreciated. I'm in a real tough spot on this
project.
-Dustin
7 years, 8 months
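One way to read the Fiddler capture described above, as an added example that is not from the thread: it looks at the 401 challenge and the browser's follow-up request and reports where SPNEGO stops (no challenge, browser never answered, NTLM fallback because no service ticket was obtained, or a Kerberos token the server still rejected). Assumes Python 3; the sample exchange and both tokens are constructed, not real tickets.

```python
import base64
# DER-encoded OIDs that identify the mechanism carried in a Negotiate token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (MS variant)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def token_mechanism(authz_value):
    """Identify what the browser put inside 'Authorization: Negotiate <base64>'."""
    parts = authz_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "none"
    try:
        tok = base64.b64decode(parts[1], validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                         # base64 text begins 'TlRMTVNT'
    if tok[:1] == b"\x60" and OID_SPNEGO in tok:  # real tokens begin 'YII'
        if OID_KRB5 in tok or OID_MS_KRB5 in tok:
            return "kerberos"
        if OID_NTLMSSP in tok:
            return "ntlm-in-spnego"               # no service ticket; browser fell back
    return "unknown"

def diagnose(exchanges):
    """Ordered (request_headers, status, response_headers) tuples -> where SPNEGO stopped."""
    for i, (_, _, resp) in enumerate(exchanges):
        if "negotiate" in header(resp, "WWW-Authenticate").lower():
            break
    else:
        return "no-challenge"                     # server never advertised Negotiate
    req, status, _ = exchanges[i + 1] if i + 1 < len(exchanges) else ({}, 0, {})
    mech = token_mechanism(header(req, "Authorization"))
    if mech == "none":
        return "challenge-unanswered"             # browser sent no SSO attempt after the 401
    if mech != "kerberos":
        return mech                               # ntlm-*: no Kerberos ticket for the SPN
    return "kerberos-accepted" if status < 400 else "kerberos-rejected"

# Constructed sample tokens (not real credentials): a SPNEGO NegTokenInit listing
# Kerberos as mechType, and a raw NTLM Type-1 message.
KRB_TOKEN = base64.b64encode(b"\x60\x1b" + OID_SPNEGO + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + OID_KRB5).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()
SAMPLE = [({}, 401, {"WWW-Authenticate": "Negotiate"}),
          ({"Authorization": "Negotiate " + KRB_TOKEN}, 302, {})]
```

A "kerberos-rejected" verdict points at the Keycloak side (keytab, SPN or krb5.conf), while "ntlm-*" and "challenge-unanswered" point at the workstation or browser configuration.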
java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990
by Tanudjaja, Francisco
Hi,
I've followed the instructions on
https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html
I have the following keycloak.json in the 'config' directory of
~/path/to/keycloak-quickstarts/app-profile-jee-vanilla
"""
{
"realm": "Foo",
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"resource": "fclient",
"credentials": {
"secret": "0749b4fc-db40-410a-ac2c-8837ce206c5d"
},
"policy-enforcer": {}
}
"""
Got the following error and wasn't able to find any references to port 9990
in the configuration.
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli) on project
keycloak-app-profile-jee-vanilla: Could not execute goal deploy on
/Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/target/vanilla.war.
Reason: I/O Error could not execute operation '{
[ERROR] "operation" => "read-attribute",
[ERROR] "address" => [],
[ERROR] "name" => "launch-type"
[ERROR] }': java.net.ConnectException: JBAS012144: Could not connect to
http-remoting://127.0.0.1:9990. The connection timed out
[ERROR] -> [Help 1]
Please advise.
-----------------------------------------------------
Additional note:
I jumped a few hoops while navigating the documentation. It's possible the
issue is caused by my changes I've made. For reference, I've listed them
below
## wrong link on github in https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html
** easy fix, looks like the folder was renamed
- $ cd keycloak-quickstarts/app-authz-jee-vanilla
+ $ cd keycloak-quickstarts/app-profile-jee-vanilla
## wrong version on pom
There is no '3.1.0.CR1-SNAPSHOT' published in maven repo
See
-> https://github.com/keycloak/keycloak/blob/3.0.x/boms/adapter/pom.xml
-> https://mvnrepository.com/artifact/org.keycloak.bom/keycloak-adapter-bom
** resolved by changing pom.xml
- <version>3.1.0.CR1-SNAPSHOT</version>
+ <version>3.0.0.Final</version>
## cannot compile test
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:testCompile (default-testCompile) on project
keycloak-app-profile-jee-vanilla: Compilation failure: Compilation failure:
[ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25]
package org.keycloak.test does not exist
...
** resolved by removing app-profile-jee-vanilla/src/test/java/org/keycloak/
quickstart/ArquillianProfileJeeVanillaTest.java
7 years, 8 months
Password expiry via API
by Stefan Schlesinger
Hello folks,
is there a way to query Keycloak for when a user last changed its password, or at what date it will expire?
There is an open feature request, I wonder whether there exist any workarounds for it.
https://issues.jboss.org/browse/KEYCLOAK-3680
It would also be great to somehow find user accounts which have been inactive for a while.
Best,
Stefan.
7 years, 8 months
Tuning Keycloak server in PROD
by tecnologia@growingup.com.co
Hello community,
Do you know any recommendations to improve the performance of the Keycloak
server in production?
My case is that I use Keycloak's REST services a lot, they are used
frequently and with high concurrency. What do you recommend?
Usually JVM memory, connection pool and threads
Thanks
--
Cordially
Jairo Henao Rojas
7 years, 8 months
Updating a client secret
by Brian Watson
Hi all,
I've noticed that when a client is created via the API, the caller can
set the client secret. However, on a client update API call, the
client secret can not be updated. I am aware that there is an API for
resetting a client secret, and another for obtaining the new
secret. However, I was wondering if the ability to update a client
secret on a client update API call could be readdressed. Here is my
use case:
My company is writing a tool that allows us to configure keycloak via
configuration. One of the main uses is to be able to update the data
for a client for a given microservice in our deployment pipeline. If
we could update the client secret via an update call, then all
configuration could be set before a deployment: the keycloak client
secret in the tool configuration, and the client secret configuration
in the microservice. During deployment, this would minimize downtime.
Additionally, the tool is simplified, as it doesn't need to know how
the microservice handles its configuration.
However, if we rely on the reset secret functionality, we either have to:
- Use the UI to reset the secret, put the new secret in the
microservice configuration, then deploy. This will create a good
amount of downtime for the microservice -> keycloak communication.
- Update the tool we are creating to use the reset API, fetch the new
secret, then automatically update the microservice configuration. This
is problematic, as our system is a polyglot system, and the tool would
need some complicated logic and per-microservice customizations to
programmatically update the given microservice's configuration during
deployment.
Again, being able to update a secret with a predefined value would
greatly simplify the tool development and deployment process.
Thoughts?
7 years, 8 months
Re: [keycloak-user] Encrypt samlp:Response with Keycloak
by Hynek Mlnarik
[re-adding list]
On 04/19/2017 02:47 PM, Metehan Selvi wrote:
> Hi,
> in fact it is the second option:
> Keycloak as IdP for sales-post-enc SP ( both on the same wildfly/keycloak instance) with OpenAM as brokered idP :
>
> - I deployed sales-post-enc with mvn clean package wildfly:deploy option,
> - I entered the admin console and inside the saml-demo realm, I imported the OpenAm IDPSSODescriptor
> - On the tab Export (from Menu Identity Providers) I took the SPSSODescriptor - Section under the Download Button and imported keycloak as remote SP on the OpenAm - Login Site.
> What I found strange is that there is no KeyDescriptor for encryption, only for signing.
>
> ( Also there is no KeyDescriptor for encryption in the SPSSODescriptor for Clients when Encrypt Assertions is enabled and there are EncryptionKey and SigningKey available)
Please file an issue in Keycloak JIRA.
> The 500 HTTP-Error occurs on OpenAM site when Encryption is enabled on the IDP and before the SAML Response is generated.
> If Encryption is disabled on OpenAM, the SAML Responses are generated correctly without Errors.
500 is not thrown in Keycloak and the SAML response [to be generated by OpenAM] does not get to Keycloak either. Hence I believe OpenAM support is the correct target audience. Please share further details (e.g. the exception) if you find out that the issue is specific to Keycloak communication with OpenAM.
Thanks
--Hynek
>
> Cheers
>
>
> On Wed, Apr 19, 2017 at 9:17 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>
> On Tue, Apr 18, 2017 at 3:04 PM, Metehan Selvi <mselvi78(a)gmail.com> wrote:
> > Hi there,
> > I configured OpenAM as IDP and Keycloak as SP together.
> > I use the sales-post-enc - example App.
>
> Do you mean using Keycloak adapters as SP and OpenAM as IdP, or OpenAM
> as brokered IdP while using Keycloak as IdP for sales-post-enc SP?
>
> > SAML-AuthnRequests and SAML-Responses are working.
> > ( Encryption disabled)
> >
> > When I enable Encryption in OpenAM and in the app, the SAML Responses
> > cannot be encrypted in OpenAM as it throws Exceptions with Http 500
> > Responses.
>
> Is it OpenAM or Keycloak returning HTTP 500 error? If Keycloak, can
> you share details of the exception?
>
> > How do I get out from the Problem ?
> >
> > When I want to export the SPSSODescriptor from Keycloak for the OpenAM IDP,
> > it contains only the KeyDescriptor for Signing. Normally it should be also
> > possible to export the KeyDescriptor for encryption. Is this maybe the
> > failure?
> >
> > Other ideas to get rid of the problem.. ?!
> >
> > Cheers
> > Metehan Selvi
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> --Hynek
7 years, 8 months
User Storage SPI for multiple db
by rohit chaudhary
Hi,
I am implementing Keycloak SSO for Django and .NET apps. I have a doubt on
how to go with the user database. All apps have separate db. How to
proceed? Need some suggestions and please refer some examples of custom
user storage SPI.
Thanks,
Rohit
7 years, 8 months
Re: [keycloak-user] help
by Ulrik Lejon
Hi!
Thanx :-)
I was trying to send the 'help' command but used the wrong recipient email
address.
// Ulrik
On Tue, 18 Apr 2017, 22:34 Josh Cain, <jcain(a)redhat.com> wrote:
> OK, all kidding aside give us some information on what you need help
> with and the community is pretty about helping out ;)
>
> Josh Cain
> Senior Software Applications Engineer, RHCSA
> Red Hat North America
> jcain(a)redhat.com M: +1 256-452-0150 IRC: jcain
>
> On 04/18/2017 03:27 PM, Josh Cain wrote:
> > Josh Cain
> >
> > Senior Software Applications Engineer, RHCSA
> >
> > Red Hat USA <https://www.redhat.com>
> >
> > josh.cain(a)redhat.com M: 256-452-0150 IM: jcain
> >
> > On Tue, Apr 18, 2017 at 2:51 PM, Ulrik Lejon <ulrik.lejon(a)mollyware.se>
> > wrote:
> >
> >> --
> >> Ulrik Lejon
> >> Mollyware AB
> >>
> >> +46-700-137786
> >> ulrik.lejon(a)mollyware.se
> >> www.mollyware.se
7 years, 8 months
Encrypt samlp:Response with Keycloak
by Metehan Selvi
Hi there,
I configured OpenAM as IDP and Keycloak as SP together.
I use the sales-post-enc - example App.
SAML-AuthnRequests and SAML-Responses are working.
( Encryption disabled)
When I enable Encryption in OpenAM and in the app, the SAML Responses
cannot be encrypted in OpenAM as it throws Exceptions with Http 500
Responses.
How do I get out from the Problem ?
When I want to export the SPSSODescriptor from Keycloak for the OpenAM IDP,
it contains only the KeyDescriptor for Signing. Normally it should be also
possible to export the KeyDescriptor for encryption. Is this maybe the
failure?
Other ideas to get rid of the problem.. ?!
Cheers
Metehan Selvi
7 years, 8 months
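As an added example for the missing encryption KeyDescriptor raised in this post and in the reply thread above (not code from the thread, and not Keycloak's or OpenAM's own): a check of an SP metadata export for which key uses it publishes, plus a workaround that appends the encryption KeyDescriptor by hand before the metadata is imported into the IdP. Assumes Python 3; the entityID, endpoint and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
MD, DS = NS["md"], NS["ds"]
for prefix, uri in NS.items():          # keep the md:/ds: prefixes when re-serialising
    ET.register_namespace(prefix, uri)

# Constructed sample shaped like the thread's export: one signing key and no encryption key.
# The certificate value and entityID are placeholders, not real key material.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sales-post-enc">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/sales-post-enc/saml" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def key_uses(metadata_xml):
    """Purposes the SP's published keys can serve. Per the SAML metadata spec a
    KeyDescriptor without a 'use' attribute is valid for both signing and encryption."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip():
            uses |= {"signing", "encryption"} if kd.get("use") is None else {kd.get("use")}
    return uses

def encryption_ready(metadata_xml):
    """True only if an IdP importing this metadata gets a public key to encrypt assertions to."""
    return "encryption" in key_uses(metadata_xml)

def add_encryption_key(metadata_xml, cert_b64):
    """Workaround: append <md:KeyDescriptor use="encryption"> carrying cert_b64 (base64 DER)."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    kd = ET.Element(f"{{{MD}}}KeyDescriptor", use="encryption")
    x509 = ET.SubElement(ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"),
                                       f"{{{DS}}}X509Data"), f"{{{DS}}}X509Certificate")
    x509.text = cert_b64
    # Schema order: Signature?, Extensions?, KeyDescriptor*, then endpoints; insert after the last of those.
    head = {f"{{{DS}}}Signature", f"{{{MD}}}Extensions", f"{{{MD}}}KeyDescriptor"}
    idx = max((i + 1 for i, c in enumerate(sp) if c.tag in head), default=0)
    sp.insert(idx, kd)
    return ET.tostring(root, encoding="unicode")
```

Running encryption_ready on an export before handing it to the IdP tells you up front whether the IdP can encrypt to the SP at all, rather than discovering it from a 500 at response time.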
Multi tenancy with realms
by Cesar Salazar
Hi. I'm looking to use keycloak for a SaaS service, using realms for
multi-tenancy. There's a discussion on a previous thread about performance
issues when there are lots of realms:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html
I wanted to ask if there is some work done in that direction. If not, where
can I start looking at so I can contribute?
Also, I was wondering what would be the implications of using a custom user
attribute to "emulate" multi-tenancy. (I would add a custom attribute, and
make my microservices validate against it). I know it's not the ideal way,
but would it be possible? Do you know of any considerations I should take
into account?
Thanks!
--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com
7 years, 8 months