AWS ELB
by Veit Guna
Hi.
My company plans to use KC for central authentication and authorization
for multiple microservice backends and frontends.
Since all our services are running on AWS, we're wondering whether it is
a problem to use the AWS ELBs and not the wildfly clustering.
So my question is, is it a requirement to use the wildfly clustering
capabilities to be able to get a working, scalable KC?
What might not work or even break if we just load balance against
isolated KC instances which maybe share the same storage/db?
Thanks!
6 years, 9 months
ADFS SAML Logout
by Adam Keily
Hi,
Can anyone shed any light on this. I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1. version.
Help appreciated.
Thanks
Adam
14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
... 37 more
Caused by: java.lang.NullPointerException
at java.net.URI$Parser.parse(URI.java:3042)
at java.net.URI.<init>(URI.java:588)
at java.net.URI.create(URI.java:850)
at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
... 51 more
--
6 years, 9 months
Does it have OTP and TFA algorithms on keycloak?
by Celso Agra
Is there a way to perform an OTP and Two factor authetication on Keycloak?
I'm looking for a solution to implement a Two factor authetication and On
time Password to do critical operations in my app. So, I'd like to know if
Keycloak has an specific flow for that.
If not, I'd like to know if would be possible to integrate users from
keycloak into LinOTP application.
Best Regards,
--
---
*Celso Agra*
6 years, 9 months
Brute Force Detection issue: wrong password attempt counter not reset with successful login
by Zhao, Edwin (NSB - CN/Beijing)
Hi Keycloak team,
This is Edwin from Nokia A&A organization. We want a change on brute force detection, to reset the password failure counter after a successful login
I saw 2 related tickets had once been created for this before
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046
We understand the potential risk, but many of our products still want this change to enhance user experiences.
So we are once again raising this request, please help to provide the enhancement.
Please let me know if I need to create a JIRA ticket
Thanks,
Edwin
----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak with the user try invalid password 2 times
Attempt to log in to Keycloak with the user with correct password (should succeed)
Log out
Attempt to log in to Keycloak with the user try invalid password 1 times
Attempt to log in to Keycloak with the user with correct password (should succeed, but fails)
Verify by loggin in with Administrator to Keycloak and check the user status (will be locked out).
6 years, 9 months
Missing client_id query param on social broker link
by Miloud Belarbi
Hello,
I'm having trouble successfully connecting an identity provider (google)
with keycloak to supply login to saml clients of keycloak.
I have created a realm '*universe'* and created two clients in that realm.
One with saml as the client protocol called *'samlclient'* and the other
with openid-connect as the client protocol called *'openclient'*. I am able
to login to both the client using a user created on the *universe* realm.
no problem so far.
I now add a google social identity provider following the guide here:
http://www.keycloak.org/docs/2.5/server_admin/topics/identity-broker/soci...
I am able to login to *openclient* using both keycloak login and google
login.
I am able to still login to *samlclient* using keycloak login, but NOT
using google social login
I've attached an image to demonstrate what i mean.
*on the openclient:*
The red google button has the following
link: {root}/auth/realms/universe/broker/google/login?*client_id=openclient*
&code=xyz
*on the samclient:*
The red google button has the following link:
{root}/auth/realms/universe/broker/google/login?code=yxz
The difference between the two is that keycloak doesn't put the client_id
query param to call the broker for *samlclient* but does so for the
*openclient*.
I did inspect on my chrome browser and modified the link and added the
query param *&client_id=samlclient *and it worked fine. Can someone help me
identify why my saml client doesn't inject that query param in the broker
url link?
How can i fix this?
Kind regards.
Miloud
--
-------------------------------------------------------
essenceglobal.com <https://www.essenceglobal.com>
Facebook <http://www.facebook.com/essenceglobal> • Twitter
<http://www.twitter.com/essenceglobal> • YouTube
<http://www.youtube.com/essenceglobal> • Instagram
<http://www.instagram.com/essence_global>
6 years, 9 months
Missing artifact in JBoss Public Nexus repository.
by Jeremy Whiting
Hi,
I cloned the project and attempted to run the Maven resolve goal
$ mvn dependency:resolve
The goal fails. Looks like this artifact is missing in Nexus.
org.keycloak.example.demo:product-portal-example:war:2.4.0.Final
I am thinking this was missed during the release to the
jboss-public-repository-group. Shall I raise a JIRA ?
........
[INFO] EAR example ........................................ FAILURE [ 0.022 s]
[INFO] Admin Access Example ............................... SKIPPED
[INFO] Angular Product Portal JS .......................... SKIPPED
[INFO] Angular2 Product Portal JS ......................... SKIPPED
[INFO] JAX-RS Database Service Using OAuth Bearer Tokens .. SKIPPED
[INFO] Simple OAuth Client ................................ SKIPPED
[INFO] Simple OAuth Client Using CDI and JSF .............. SKIPPED
[INFO] Service Account Example App ........................ SKIPPED
[INFO] Offline Access Portal .............................. SKIPPED
[INFO] Provider Examples .................................. SKIPPED
[INFO] Event Listener System.out Example .................. SKIPPED
[INFO] Event Store In-Mem Example ......................... SKIPPED
[INFO] Properties Authentication Provider Example ......... SKIPPED
[INFO] Authenticator Example .............................. SKIPPED
[INFO] Authenticator Example .............................. SKIPPED
[INFO] Domain Extension Example ........................... SKIPPED
[INFO] User Storage JPA Provider Exapmle .................. SKIPPED
[INFO] JS Console ......................................... SKIPPED
[INFO] Keycloak Examples - Multi Tenant ................... SKIPPED
[INFO] Keycloak Examples - Basic Auth ..................... SKIPPED
[INFO] Fuse examples ...................................... SKIPPED
[INFO] Customer Portal - Secured in Karaf/Fuse ............ SKIPPED
[INFO] CXF JAXWS Example - Secured in Karaf/Fuse .......... SKIPPED
[INFO] Product Portal - Secured in Karaf/Fuse ............. SKIPPED
[INFO] CXF JAXRS Example - Secured in Karaf/Fuse .......... SKIPPED
[INFO] Camel endpoint example - Secured in Karaf/Fuse ..... SKIPPED
[INFO] Keycloak Fuse Example - Features ................... SKIPPED
[INFO] Keycloak Examples - External Config ................ SKIPPED
[INFO] Keycloak Examples - Kerberos Credential Delegation . SKIPPED
[INFO] Themes Examples .................................... SKIPPED
[INFO] Provider Examples .................................. SKIPPED
[INFO] Keycloak SAML Adapter Example POST Binding and Signatures SKIPPED
[INFO] Keycloak SAML Adapter Example POST Binding and Assertion
Encryption SKIPPED
[INFO] Keycloak SAML Adapter Example Redirect Binding with Signatures SKIPPED
[INFO] Keycloak SAML Adapter as a Servlet Filter .......... SKIPPED
[INFO] LDAP Demo Application .............................. SKIPPED
[INFO] Keycloak Authz: Examples Parent .................... SKIPPED
[INFO] Keycloak Authz: PhotoZ Example Application Parent . SKIPPED
[INFO] Keycloak Authz: Photoz RESTful API ................. SKIPPED
[INFO] Keycloak Authz: Photoz HTML5 Client ................ SKIPPED
[INFO] Keycloak Authz: Examples - Photoz Authz Rule-based Policy SKIPPED
[INFO] Keycloak Authz: Examples - Servlet Authorization ... SKIPPED
[INFO] Keycloak Authz: Hello World Example ................ SKIPPED
[INFO] Keycloak Authz: Hello World Example ................ SKIPPED
[INFO] Keycloak TestSuite ................................. SKIPPED
[INFO] Keycloak Arquillian Integration TestSuite .......... SKIPPED
[INFO] Servers ............................................ SKIPPED
[INFO] Auth Server ........................................ SKIPPED
[INFO] Auth Server Services ............................... SKIPPED
[INFO] Auth Server Services - Testsuite Providers ......... SKIPPED
[INFO] Keycloak Integration TestSuite ..................... SKIPPED
[INFO] Keycloak Security Proxy TestSuite .................. SKIPPED
[INFO] Keycloak Tomcat 6 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Tomcat 7 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Tomcat 8 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Jetty 8.1.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.1.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.2.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.3.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak SAML Jetty Testsuite Integration .......... SKIPPED
[INFO] Test apps .......................................... SKIPPED
[INFO] JS Console ......................................... SKIPPED
[INFO] Test apps distribution ............................. SKIPPED
[INFO] JAX-RS Database Service Using OAuth Bearer Tokens .. SKIPPED
[INFO] Keycloak Authz: PhotoZ Test Parent ................ SKIPPED
[INFO] Keycloak Authz Test: Photoz RESTful API ............ SKIPPED
[INFO] Keycloak Authz Tests: Photoz HTML5 Client .......... SKIPPED
[INFO] Keycloak Authz Tests: Photoz Authz Rule-based Policy SKIPPED
[INFO] Keycloak Authz Tests: Hello World Example .......... SKIPPED
[INFO] Keycloak Authz: Servlet Authorization Test ......... SKIPPED
[INFO] integration-arquillian-test-apps-servlets .......... SKIPPED
[INFO] Test utils ......................................... SKIPPED
[INFO] Auth Server - JBoss ................................ SKIPPED
[INFO] Auth Server - Undertow ............................. SKIPPED
[INFO] App Server ......................................... SKIPPED
[INFO] App Server - JBoss ................................. SKIPPED
[INFO] App Server - Karaf ................................. SKIPPED
[INFO] App Server - Tomcat ................................ SKIPPED
[INFO] Tests .............................................. SKIPPED
[INFO] Base TestSuite ..................................... SKIPPED
[INFO] Other Tests Modules ................................ SKIPPED
[INFO] Adapter Tests ...................................... SKIPPED
[INFO] Adapter Tests - JBoss .............................. SKIPPED
[INFO] Adapter Tests - Karaf .............................. SKIPPED
[INFO] Adapter Tests - Tomcat ............................. SKIPPED
[INFO] SSSD tests ......................................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 12.801 s
[INFO] Finished at: 2017-08-04T17:08:52+01:00
[INFO] Final Memory: 290M/1130M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project customer-portal-example-ear:
Could not resolve dependencies for project
org.keycloak.example.demo:customer-portal-example-ear:ear:2.4.0.Final:
Failure to find
org.keycloak.example.demo:product-portal-example:war:2.4.0.Final in
http://repository.jboss.org/nexus/content/groups/public/ was cached in
the local repository, resolution will not be reattempted until the
update interval of jboss-public-repository-group has elapsed or
updates are forced -> [Help 1]
[ERROR]
Jeremy
--
Jeremy Whiting
Senior Software Engineer, Middleware Performance Team
Red Hat
------------------------------------------------------------
Registered Address: Red Hat UK Ltd, Peninsular House, 30 Monument
Street, London. United Kingdom.
Registered in England and Wales under Company Registration No.
03798903. Directors: Directors:Michael Cunningham (US), Michael
O'Neill(Ireland), Eric Shander (US)
6 years, 9 months
Keycloak and zuul
by Ryan Dawson
Hi,
Does anyone have example configuration for using keycloak together with Zuul as the reverse proxy and the services behind the proxy getting the authenticated user from the request? I’m currently trying to configure keycloak authentication on the proxy and pass the token through to the services.
Ryan
6 years, 9 months
Authorization services without User Access token (Mqtt Broker / IoT)
by Brahim Ait elhaj
Hi everyone,
Lately i was playing with Keycloak (KC), evaluating it for an IoT project
and i have a question regarding the authorization services.
One of my use case is : devices that connect to an MQTT Broker using X.509
client authentication.
Note : when i talk about device, you must understand KC user (device =
user).
For several reasons/constraints that i won't explain here, i can't have my
devices connect first to Keycloak to obtain a token (using their X.509
certificates as KC supports it) and then connect to the MQTT Broker passing
this token. They connect directly to the MQTT Broker, each device
presenting its X.509 certificate to the Broker. After connection, the
Broker doesn't know client private key.
My need is to have my MQTT Broker (ideally through KC) authorize/reject
MQTT client to publish/subscribe to specific topic.
MQTT Topic being some kind of uri/path, i already have an idea of how to
configure KC (client, resource, policy, permission ...) to authorize/reject
these access.
However, as i understand it, the starting point for all the « authorization
services » (Authorization API, Entitlement API ... ) is a « user Access
Token ».
In my case, i don't have a user access token ... so i'm kind of stuck to
use any of the K.C API (unless i missed something).
Hence, My question is how can i make my MQTT Broker (.ie : resource server)
interact with KC to enforce/evaluate policy ? Is it possible without the
user access token ?
Hope i made myself clear and thanks in advance for any help ...
Best regards,
Brahim
6 years, 9 months
Re: [keycloak-user] [keycloak-dev] Keycloak and HAProxy
by Thomas Darimont
Hello Shankar,
a while ago I built a demo-system with Keycloak running behind a ha-proxy
with docker.
Maybe this helps you a bit.
https://github.com/jugsaar/visit-yajug-20161023-keycloak/tree/master/idm-...
Cheers,
Thomas
2017-08-04 7:09 GMT+02:00 Shankar_Bhaskaran <Shankar_Bhaskaran(a)infosys.com>:
> Hi ,
>
> We have configured HAProxy as our load balancer and keycloak (3.0) as our
> SSO. We have configured the keycloak domain and secured our wars with
> keycloak for our web application.
>
> In Haproxy we have provided the "forwardfor" option which introduces the
> header parameter -"X-Forwarded-For" and configured keycloak as given below
> to accept the header parameter as given below.
>
> "<http-listener name="default" socket-binding="http"
> redirect-socket="https" proxy-address-forwarding="true"/>"
>
> But still the redirect from keycloak is going to HAProxy machine and not
> to backend servers with our webapp.
>
> Is there any help you can provide here
>
> Regards,
> Shankar
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
6 years, 9 months
Re: [keycloak-user] Identity broker login SAMLResponse handling
by Phillip Fleischer
Maybe we just have our client setup wrong and it’s possible to configure it to redirect to the “management url”??
We tried that for a while but it seemed that the client expected to only want to redirect or post another SAML Response to another endpoint.
> On Jul 31, 2017, at 5:53 AM, Phillip Fleischer <pcfleischer(a)outlook.com> wrote:
>
> No problem,
>
> Our application is angular js using keycloak oidc adapter with spring boot back end. The native behavior to use keyclaok OIDC directly.
>
> The Third Party (Non-kc-server) is the external SAML IdP which we wish to trust to authenticate in via SAMLResponse registering/linking and authenticating into the application. We expect we may have many of these so we’re attempting to use KC for ease of use instead of rolling our own.
>
> 1) Not-KC -> POST SAMLResponse to kc to authenticate.
> 2) KC -> Idp broker - handle this saml response.
> 3) KC -> SAML client - Idp Initiated
> (cannot use broker directly - it appears to require that KC initated SAMLRequest with “code” to be sent in response??)
> 4) KC -> SAML client - result in POST SAMLResponse to the ACS url.
> (SAMLResponse still does not have a code that could be handled directly by broker directly??)
>
> Up to #3 seems to work, but I think we’d expect that #4 saml client would redirect us to our client (thru relaystate), but it results with a SAMLResponse POST to the ACS url in the client configuration. This is basically back where we started… so hence the logical infinite loop (if we add more brokers and clients we just keep getting more and more saml responses without codes).
>
> Hope that helps explain,
>
> — Phil
>
>> On Jul 31, 2017, at 2:00 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>>
>> I don't understand the scenario either. What exactly is the scenario?
>> The loop is between which parties? How does "another broker" fit into
>> the picture, is it even Keycloak? Why does your OIDC client not use
>> Keycloak OIDC capabilities directly? Is it necessary to relay the SAML
>> response to the client and process it there?
>>
>> Can you rephrase it with explicitly labeling the parties (kc server,
>> non-kc-server (?), client, brokered idp, ...) when you mention them?
>>
>> On Sun, Jul 30, 2017 at 2:12 PM, Phillip Fleischer
>> <pcfleischer(a)outlook.com> wrote:
>>> Yeah, I presume it’s a logical understanding error but to elaborate…
>>>
>>> We’re attempting to relay the succesful login response and client session to an OIDC client using the js adapter.
>>>
>>> - Idp Initiated broker seems to be succesful and gets to post login actions
>>> - Idp Initiated client POST another SAMLResponse to ACS POST Binding URL
>>> - This response is signed by KC, if we set up another broker we’ll endlessly be sending SAMLResponses.
>>>
>>> We were thinking we might just be relayed to our client after session and the app would check the session and kick of the OIDC flow. Maybe we need to implement saml adapter in our application to handle the final response?
>>>
>>> — Phil
>>>
>>>> On Jul 29, 2017, at 10:06 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>>>
>>>> I don't understand what the error is. Your external IDP sends a login
>>>> response to
>>>>
>>>> https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
>>>>
>>>> And there is an infinite loop?
>>>>
>>>> On 7/29/17 5:03 AM, Phillip Fleischer wrote:
>>>>> Hi,
>>>>>
>>>>> We’re using keycloak for several authorization use cases already and are attempting to prototype some identity brokering with an external IdP application.
>>>>>
>>>>> Our current configuration the user is logged in the external IdP which sends a POST with the SAMLResponse directly to our broker. It looks the appropriate solution is idp initiated configuration in the examples.
>>>>>
>>>>> broker: external-idp-name
>>>>> client and url name: saml-idp-initiated
>>>>>
>>>>> https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
>>>>>
>>>>>
>>>>> The challenge is that our client the posts yet another SAMLResponse either back to our broker or to the realm saml service.
>>>>>
>>>>> These result in following results...
>>>>>
>>>>> 1 - {realmUrl}/broker/external-idp-name/endpoint/clients/saml-idp-initiated
>>>>> |—- infinite redirect loop POST SAMLResponses
>>>>> 2 - {realmUrl}/broker/{broker}/endpoint
>>>>> |—- handleSamlResponse fails to validate “code” set to “relayState”.
>>>>> 3 - {realmUrl}/protocol/saml
>>>>> |—- handles SAMLResponses as logout and fails.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> It feels like we’re either totally missing the mark or this is a use case totally
>>>>> not supported that we’re attempting to kluge together. Anyone have thoughts where we’re going conceptually wrong??
>>>>>
>>>>>
>>>>> — Phil
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>>
>> --Hynek
>
6 years, 9 months
