Skip Broker First-Time Flow?
by Peter K. Boucher
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak).
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
7 years, 3 months
Re: [keycloak-user] keycloak-user Digest, Vol 45, Issue 19
by Sud Ramasamy
Hi,
The KeycloakAuthenticationProcessingFilter.java which is part of the Keycloak Spring Security Adapter module does not let its users override the login URL and is instead hard-coded to /sso/login.
Our use case is to set up two separate Spring Security FilterChains with their different SSO login URLs. We can subclass the KeycloakAuthenticationProcessingFilter.java class and add the ability to override the login URL.
But before embarking on this approach I’m perplexed as to why we would have the processing filter hardcoded to a particular URL without a way to override it.
Thanks for your insights.
-sud
7 years, 3 months
Way to add new pages in keycloak
by Krishna Kuntala
Hi,
I have a requirement of adding a new page in Keycloak which will have a few
links to client applications. For simplicity I will call it the dashboard
page.
How easy or difficult is it to add a new page/path in Keycloak? If it is possible, how
can we do it? Please point me to any link or implementation.
Thanks and Regards,
Krishna Kuntala
7 years, 3 months
Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance
by Jyoti Kumar Singh
Hi Team,
I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS
instances.
I am running two ECS instances in a cluster setup and I have also set up
Keycloak in clustered mode. To achieve this, I am using the
"/standalone/configuration/standalone-ha.xml" file while building the
Docker image. Shared MySQL DB and load balancer setup are also in place.
But when I check the Keycloak logs I am not seeing clustered-node-related
information. I am seeing that the nodes are not able to see each other. But the
same settings are working fine on the DCOS Marathon platform.
Interestingly, if I run two Keycloak instances in one AWS ECS instance on
different ports, I can see clustering-related logs in Keycloak.
Are there any standard guidelines which I can follow to achieve HA on an AWS
ECS instance? I followed the below discussion thread but it didn't help
me to fix the issue.
#Link:
http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html
--
With Regards, Jyoti Kumar Singh
7 years, 3 months
Secure automatically multiple deployments via Adapter Subsystem
by Marc Destefanis
Hi,
We would like to secure multiple deployments via the Adapter Subsystem, because the keycloak.json solution needs a rebuild of our project each time we want to change the Keycloak server URL.
The problem is that we don't want to add a secure-deployment to our WildFly domain.xml each time we add a WAR to our application.
Is there a solution?
Like a wildcard on the secure-deployment name, to be able to secure different deployments according to our WAR names?
Example:
server-*.war
client-*.war
Thanks and have a good day,
Marc.
7 years, 3 months
Keycloak - Token access for external customer server
by Ka Lam Chan
Hi all
I am new to Keycloak SSO, and have been trying to set up a POC for a simple
microservice environment:
user -> public client 1 -> service 1
user -> public client 2 -> service 1
Public client 1, 2 and service 1 are all Keycloak clients; service 1 is
bearer-only. They are all Spring Boot with keycloak-spring-boot-starter, and
all user info, attributes and roles/auth come from Keycloak, and Spring uses
these roles/auth to perform @PreAuthorize and path access control.
Now I want to introduce a new path, public client 3, for non-browser API
access by my customers:
customer server -> public client 3 -> service 1
My questions:
- Should the customer server get a token from Keycloak with the client_credentials
grant, then access public client 3 with the token? i.e. the customer server is a
client on Keycloak.
- If no: Is Keycloak the right technology to use here, for granting tokens
for API access? What are the alternatives?
- If yes: I find Keycloak will create a temporary user called
'service-account-public client 3' with email 'service-account-public client
3@placeholder.org'. This user is deleted after the session expires. As I use
the email address for Spring JPA audit, is there a way to change these default
attributes?
Regards
KL
7 years, 3 months
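The client_credentials path the question asks about, modelled with both sides in one file, as an added example that is not part of the original post or of Keycloak's own code: the customer server (a confidential client) posts its client id and secret to the token endpoint, receives a token whose subject is the realm's `service-account-<client_id>` user, and the bearer-only service verifies that token before trusting its claims. The client ids, secret, issuer URL and HMAC key are constructed placeholders; a real Keycloak realm signs tokens with RS256 and publishes its public keys on the realm JWKS endpoint, so a real service verifies against those keys rather than a shared secret.

```python
"""Added example, not code from the original post or from Keycloak.
Minimal model of the OAuth2 client_credentials exchange between a customer
server (confidential client) and a bearer-only service.  All realm data,
the issuer URL and the HS256 key are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed realm data: one confidential client the customer server would own.
CLIENTS = {"customer-server-client": "s3cr3t-constructed"}
SIGNING_KEY = b"constructed-hs256-key"   # placeholder; Keycloak uses RS256 key pairs
ISSUER = "https://keycloak.example/auth/realms/demo"  # placeholder issuer
TOKEN_LIFETIME = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def token_endpoint(form_body: str, now: Optional[int] = None) -> dict:
    """Server side: handle a POST to the realm token endpoint."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    cid = params.get("client_id")
    secret = params.get("client_secret", "")
    # Constant-time secret comparison; unknown client and bad secret look the same.
    if cid not in CLIENTS or not hmac.compare_digest(CLIENTS[cid], secret):
        return {"error": "invalid_client"}
    now = int(time.time()) if now is None else now
    # The subject is the client's service-account user, as the post observed.
    claims = {
        "iss": ISSUER,
        "sub": f"service-account-{cid}",
        "azp": cid,
        "preferred_username": f"service-account-{cid}",
        "email": f"service-account-{cid}@placeholder.org",
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "typ": "Bearer",
    }
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    token = f"{head}.{body}.{_sign(f'{head}.{body}'.encode())}"
    return {"access_token": token, "token_type": "bearer",
            "expires_in": TOKEN_LIFETIME}


def verify_bearer(token: str, now: Optional[int] = None) -> dict:
    """Bearer-only service side: check signature, issuer and expiry, then return claims."""
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{head}.{body}".encode()), sig):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def customer_server_call(client_id: str, client_secret: str,
                         now: Optional[int] = None) -> dict:
    """Client side: obtain a token, then present it to the service."""
    body = (f"grant_type=client_credentials&client_id={client_id}"
            f"&client_secret={client_secret}")
    resp = token_endpoint(body, now)
    if "error" in resp:
        return resp
    return verify_bearer(resp["access_token"], now)


if __name__ == "__main__":
    print(customer_server_call("customer-server-client", "s3cr3t-constructed"))
```

The service should key its audit trail on `azp` or `sub` (the client identity) rather than on the synthetic service-account email, since that email is generated from the client id and not controlled by the customer.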
Quickstart for SAML JEE JSP with EJBs?
by Jason Spittel
Hi All,
There doesn't seem to be a quickstart for JEE JSP with EJBs.
I made one, would that be useful to make a pull request for? It's basically just the app-profile-saml-jee-jsp one but with an EJB added with all the dependencies needed on the pom.xml.
Is this something that the Keycloak team would actually want?
Jason
7 years, 3 months
Externally triggered impersonation
by Thorsten
Hi there,
I have an application (Angular 4 UI + Spring Boot Backend) where I would
like to implement user impersonation without going through the Keycloak
console.
Ideally the power user with the proper impersonation permissions can click
a button in the app, and then a new window is opened in the same
application but with the user to impersonate logged in.
Is there any example on how to do this or can somebody outline how this
would be possible?
Thanks,
Thorsten
7 years, 3 months
Adding an attribute "context" to org.keycloak.representations.idm.authorization.Permission
by Jean-François HEROUARD
Hi,
I'm quite new to Keycloak and not sure if it is a keycloak-user or
keycloak-dev question; please route it to the right place if somebody knows.
It is about the authz part of Keycloak.
Our security policy includes a concept of "context" for a permission scope.
It is a string that should be evaluated by the resource owner application;
it can be a time restriction, or a rule applying to a business bean (e.g.
invoice.amount < 1000), or some other global situation (e.g. env.emergency ==
true). The current implementation uses a SpringEL expression to evaluate the
permission context. It allows modelling quite complex security policies
with few rules, somewhat in an ABAC way, but Keycloak is only responsible
for distributing user permissions with the allowed resource and scope; the resource
owner is responsible for evaluating the context of the scope to allow the user
to do an action.
I have a Keycloak server plugin that adds a PolicyProviderFactory and
PolicyProvider, and stores the context for the scopes.
I have an extended keycloak-spring-security-adapter which can evaluate
SpringEL contexts when Spring Security evaluates permissions.
The problem is how the context string can be sent from my policy plugin to
the Keycloak authz client. Without modifying too much Keycloak code, the
Permission class is used in many different places, but currently I see no
other way. Any ideas?
Thanks.
7 years, 3 months
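The resource-owner side of the scheme described above, as an added example that is not part of the original post, of Keycloak, or of the poster's plugin: Keycloak (here simulated by a constructed permission list) grants resource and scope, and the application decides whether the scope's attached context holds for the current request. Instead of SpringEL it uses a deliberately restricted evaluator built on Python's `ast` module, so that a context string coming from the authorization server can only express comparisons and boolean logic over named attributes, never calls or arbitrary code. The permission JSON shape (`rsname`, `scopes`, and the proposed `context` map), the attribute names and the sample values are all constructed for this example.

```python
"""Added example, not code from the original post or from Keycloak.
Evaluates a per-scope "context" string on the resource-owner side using a
whitelisted expression subset; SpringEL is replaced by a restricted Python
AST walker.  The permission shape and sample data are constructed."""
import ast
import operator

# Constructed permissions as an authz client might receive them, with the
# proposed extra "context" map from scope name to context expression.
PERMISSIONS = [
    {"rsname": "invoice", "scopes": ["read", "approve"],
     "context": {"approve": "invoice.amount < 1000 or env.emergency == true"}},
]

_COMPARE = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
            ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class ContextError(ValueError):
    """Raised when a context string uses syntax outside the allowed subset."""


def _eval(node, scope):
    """Walk only names, dotted attributes, literals, single comparisons,
    and/or/not.  Calls, subscripts, arithmetic and anything else are rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, scope)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        # Accept SpringEL-style lowercase booleans as well as Python's.
        if node.id in ("true", "false"):
            return node.id == "true"
        if node.id not in scope:
            raise ContextError(f"unknown name {node.id}")
        return scope[node.id]
    if isinstance(node, ast.Attribute):
        base = _eval(node.value, scope)
        if not isinstance(base, dict) or node.attr not in base:
            raise ContextError(f"unknown attribute {node.attr}")
        return base[node.attr]
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _COMPARE.get(type(node.ops[0]))
        if op is None:
            raise ContextError("comparison operator not allowed")
        return op(_eval(node.left, scope), _eval(node.comparators[0], scope))
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, scope) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, scope)
    raise ContextError(f"disallowed syntax: {type(node).__name__}")


def context_allows(expr: str, scope: dict) -> bool:
    """Evaluate one context string against the request's attributes."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ContextError(f"unparseable context: {exc}") from exc
    return bool(_eval(tree, scope))


def is_permitted(permissions, resource: str, scope_name: str, request_scope: dict) -> bool:
    """Allow only if the server granted the scope AND its context (if any) holds.
    A context that fails to evaluate denies, it never falls open."""
    for perm in permissions:
        if perm["rsname"] == resource and scope_name in perm["scopes"]:
            ctx = perm.get("context", {}).get(scope_name)
            if ctx is None:
                return True
            try:
                return context_allows(ctx, request_scope)
            except ContextError:
                return False
    return False


if __name__ == "__main__":
    request = {"invoice": {"amount": 500}, "env": {"emergency": False}}
    print(is_permitted(PERMISSIONS, "invoice", "approve", request))
```

Because the context string travels from the policy store to the application, the evaluator treats it as data rather than code; evaluation failures deny rather than allow, so a malformed or tampered context cannot widen access beyond what the scope grant alone would permit.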