I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sq....
SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
t: (816) 435-7286 | m (816) 509-0119
rmbyrd(a)dstsystems.com | www.ssctech.com
We're thinking of using Keycloak as our main IDP and SSO solution. At this
time, we're using a "custom" IDP server based on Spring and we are
investigating whether we can migrate our client database to Keycloak without
disturbing our users.
So, we have seen that, by default, Keycloak answers a token request with a
complete JWT token, like this one:
"scope": "profile email"
But, we'd like to send a "non-JWT" token, like this one:
"scope": "scope-1 scope-2 scope-n"
We're not very experienced in Keycloak and we do not know if this is even
possible, but any help will make us very happy.
Thanks in advance!
After a redeployment of Keycloak we noticed that all existing sessions are gone. Is there any way to persist the sessions, so that they also exist after a server restart or redeployment?
This is a bit hard to explain.
I have created an IDP which uses CAS (Central Authentication Service) as
Our KC instance is in turn used by a client's KC instance. They have chosen to
disable their persistent cookie handling, and thereby ours, by passing
"prompt=login" to the login request.
We are passing on the prompt=login by passing on renew=true to CAS.
We get a token back, and verify that. However; Since the user session is
not refreshed by the cookie handling, it seems like we are then timing out
Is there a problem with creating/refreshing the user session in the
authenticationFinished Method in the gist below?
I'd like Keycloak to send a welcome mail after the user has successfully registered and verified his email. Currently I don't know how to do it. I found a Jira feature request proposing an extension to support a welcome email by configuration (I think). In the comments someone suggested using the SMTP provider and an EventListener. The next comment has a link to an EventListener sample, but I cannot figure out what I have to do.
I think they suggested the following workflow:
1. registration finished
2. listener is invoked - how to tell the listener to listen on the registration event (how is the event named)?
3. SMTP provider sends an email
Hope someone is able to help me out.
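One way to wire this up, as an added example that is not code from the thread or from Keycloak itself: an EventListenerProviderFactory that reacts to the VERIFY_EMAIL event and sends mail through the realm's own SMTP settings. The class name, the provider id "welcome-mail" and the Keycloak 4.x-era SPI signatures are assumptions to check against your server version.

```java
// Added example, not code from the thread: a Keycloak event listener that mails
// the user once the VERIFY_EMAIL event fires. Class name, provider id and the
// SPI signatures (Keycloak 4.x era) are assumptions; check your server version.
import java.util.HashMap;
import java.util.Map;
import org.keycloak.Config;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
public class WelcomeMailListenerFactory implements EventListenerProviderFactory {
    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new EventListenerProvider() {
            @Override
            public void onEvent(Event event) {
                // REGISTER fires before the address is proven; VERIFY_EMAIL fires
                // when the user follows the verification link, so key off that one.
                if (event.getType() != EventType.VERIFY_EMAIL) return;
                RealmModel realm = session.realms().getRealm(event.getRealmId());
                UserModel user = session.users().getUserById(event.getUserId(), realm);
                if (user == null || user.getEmail() == null) return;
                // Reuse the realm's SMTP settings (Realm Settings > Email).
                Map<String, String> smtp = new HashMap<>(realm.getSmtpConfig());
                try {
                    session.getProvider(EmailSenderProvider.class).send(smtp, user,
                        "Welcome to " + realm.getName(),
                        "Hello " + user.getUsername() + ", your account is ready.",
                        "<p>Your account is ready.</p>");
                } catch (EmailException e) {
                    e.printStackTrace(); // a mail failure must not break the verification flow
                }
            }
            @Override public void onEvent(AdminEvent event, boolean includeRep) { }
            @Override public void close() { }
        };
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    // Id shown under Realm Settings > Events > Config > Event Listeners.
    @Override public String getId() { return "welcome-mail"; }
}
```

Register the factory in META-INF/services/org.keycloak.events.EventListenerProviderFactory inside the deployed JAR, then enable "welcome-mail" under Realm Settings > Events > Config > Event Listeners. The event the listener matches is EventType.VERIFY_EMAIL; REGISTER is the earlier event, fired before the address is confirmed.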
Sorry if it's not the correct place to make this question (please guide me
to the correct place).
I'm facing some problems with CORS when using rh-sso 7.1.
I'm using the following environment:
- JBoss EAP 7.1 with Resteasy in the backend ->
- ReactJS in the frontend -> localhost:3000
- RH-SSO -> localhost:8180
The JBoss EAP is using the Wildfly/EAP Adapter from Red Hat, with the
configurations made on the standalone.xml file as a subsystem:
I already enabled the Web Origins to " * " in the RH-SSO Admin console for
both of the clients I'm using.
The error I receive is the following:
Failed to load
Redirect from '
http://localhost:8080/accountmovement/api/accounts?_=1543522008489' to '
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is
present on the requested resource. Origin 'http://localhost:3000' is
therefore not allowed access.
Do you have any idea for what can I do?
If you need more information just let me know!
JOÃO PAULO RAMOS
BUSINESS FINANCE - DATA SCIENCE INTERN
Red Hat Brasil
jramos(a)redhat.com M: +55-11-96505-6159
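As an added example (not the poster's actual configuration), here is a keycloak subsystem entry for the EAP 7.1 backend with the adapter's own CORS handling switched on; the deployment name, realm and client id are placeholders. It assumes the ReactJS app calls the API with a bearer token, so the backend client is marked bearer-only and answers 401 instead of redirecting the XHR to the login page, which is typically the redirect the browser reports as blocked.

```xml
<!-- Added example, not the poster's configuration. Deployment, realm and
     client names are placeholders. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="accountmovement.war">
        <realm>REALM_NAME</realm>
        <resource>BACKEND_CLIENT_ID</resource>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <!-- The API is called with a bearer token from the ReactJS app. A
             bearer-only client never redirects to the login page; an
             unauthenticated XHR gets a 401 the frontend can handle. -->
        <bearer-only>true</bearer-only>
        <!-- Adapter-side CORS handling. The origins the adapter accepts come
             from the token's allowed-origins claim, i.e. the Web Origins of the
             client that issued it: use http://localhost:3000 there, not "*". -->
        <enable-cors>true</enable-cors>
        <cors-max-age>1000</cors-max-age>
        <cors-allowed-methods>GET,POST,PUT,DELETE,OPTIONS</cors-allowed-methods>
        <cors-allowed-headers>Authorization,Content-Type</cors-allowed-headers>
    </secure-deployment>
</subsystem>
```

The deployment's web.xml still needs its security-constraint and auth-method KEYCLOAK so the adapter handles the /api/accounts requests at all.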
I've just deployed a Keycloak which is only reachable via a haproxy that enforces SSL.
Now I'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien...
But this request ends in status 400 with the response "Invalid parameter: redirect_uri".
On a test environment without SSL it's actually working fine with an absolute URI using http. But here I cannot use http. The haproxy prevents it completely.
I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then Keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/),
which leaves me with an error in the browser because haproxy changes the call to https, but some content seems to be still embedded using http:
Content Security Policy: The page’s settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat... (“frame-src”).
So it looks like I'm effectively locked out.
Based on my current situation I have three questions.
1. Why does Keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https, and how can this be changed?
2. Given that the default redirect URI pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is?
3. Does anybody know what to change now (via admin CLI I guess) to get access to the UI?
Thanks for your help.
real,- Digital Services GmbH, Sitz: Duesseldorf
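An added example, not the poster's configuration, showing the standalone.xml changes Keycloak's reverse-proxy guide describes for a TLS-terminating proxy. Keycloak builds redirect_uri defaults, the login-status iframe URL and the CSP frame-src from the request it receives, and behind haproxy that request arrives as plain http unless the proxy headers are trusted; the undertow namespace version is a placeholder for whatever your file already declares.

```xml
<!-- Added example, not the poster's configuration. The undertow xmlns version
     is a placeholder: keep the one already in your standalone.xml. -->

<!-- 1. Trust X-Forwarded-For / X-Forwarded-Proto from the proxy so Keycloak
        sees the original https scheme, and send "secure required" redirects
        to the port users actually reach the proxy on (443) instead of 8443. -->
<subsystem xmlns="urn:jboss:domain:undertow:VERSION_FROM_YOUR_FILE">
    <server name="default-server">
        <http-listener name="default" socket-binding="http"
                       redirect-socket="proxy-https"
                       proxy-address-forwarding="true"/>
        <!-- other listeners and hosts unchanged -->
    </server>
</subsystem>

<!-- 2. The socket binding named by redirect-socket above. -->
<socket-binding-group name="standard-sockets" default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="proxy-https" port="443"/>
    <!-- existing bindings unchanged -->
</socket-binding-group>
```

On the haproxy side the backend must actually set the header, e.g. `http-request set-header X-Forwarded-Proto https if { ssl_fc }` together with `option forwardfor`; with the scheme restored, the absolute https://myserver.com/auth/admin/master/console/ redirect_uri matches the console client's registered pattern again.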
I am resending this, since I needed to confirm my subscription to this mailing list first and I got the "not allowed" message when I sent it for the first time.
From: Manuel Waltschek
Sent: Thursday, 29 November 2018 18:27
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Using keycloak for SAML integration. confused by documentation. login loop
I'm sorry to bother you since this might have been asked quite a lot, but I am not able to configure my application as a SAML service provider to authenticate against an external IdP like https://samltest.id/saml/idp . I tried to use keycloak server as an identity broker but ran into different issues. I tried to follow instructions of this documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html
If you want details on my configuration you can check out https://stackoverflow.com/questions/53487692/keycloak-saml-as-identity-br... but some aspects might have changed, since I tried an alternative.
Alternatively I tried to configure the Wildfly 10 system/application to use the external IdP directly, which kind of works. At least I am able to authenticate at the IdP's website when I try to access a protected resource of my application, but when I get redirected to application-name/saml (which is my defined endpoint since it is described like this in the documentation; I do not understand how this should even work) I do not know how to access the assertion / the SAMLprincipal at this stage, and if I register a ServletFilter in web.xml with a URL pattern of /saml/* or /saml it won't trigger.
Also I do not know if this is even how it should work out, since I don't get how the keycloak server even fits into the equation, since it is not called or anything when SP communicates automatically with the external IdP. Also why does the KeycloakLoginModule never get called? What is it for? And how does the assertion actually get processed? I cannot find any reference on these topics.
I am getting really frustrated about this since the documentation is unclear (for me) about SAML and the use case I described and there are really no answers on public websites. I will be really happy if anyone could help me solve this issue. Do not hesitate to ask for more information/details.
Thank you in advance,
Manuel Waltschek BSc.
+43 660 86655 47
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
I am exploring on how to implement back channel logouts/ sso logout properly and have a question in this regard.
I have a set of applications (say App1, App2, App3) which are integrated with Keycloak through the servlet adapter (keycloak-servlet-adapters and keycloak-spring-boot2-adapters). Each of these applications, for HA/scalability reasons, sits behind its own reverse proxy.
So typically there will be multiple instances of each application: App1-Node1, App1-Node2 .. App1-Node'n', likewise App2-Node1, App2-Node2 .. App2-Node'n', and so on for each of the apps.
When a user u1 logs on to App1 and App2, an SSO session is established in Keycloak, and in the user sessions I see that the user has connected to clients App1 and App2 (app1 and app2 are clients in the Keycloak realm).
When the user logged on, App1-Node1 took the request, and for App2, App2-Node2 took the request.
On the Keycloak side, the admin URLs are configured with the reverse proxy URL of each app (same as the valid redirect and base URL).
When an SSO logout happens, how can I ensure that the Keycloak server sends the SSO logout signal (k_logout) to the correct node? Will Keycloak preserve the headers which came at the time of the original login request and use them while sending admin requests as well? (So that the reverse proxy could dispatch the request to the correct node, assuming that the application is configured to be sticky.)
Hi Max, if the documentation lacks information, please do not
hesitate to create a Jira mentioning which part is missing. That helps us
to improve the docs.
Indeed, the profile.properties file is the best place to put the
permanent configuration. For that, just create a file inside
$KEYCLOAK_SERVER/standalone/configuration called profile.properties,
with the following content:
I created the following Jira to track this:
On 2018-11-29, Max Allan wrote:
> As I start my keycloak with systemd, (following the wildfly setup
> instructions). Rather than logging in and running standalone.sh all the
> time, can you give more details about where to add this config to make it
> permanent and upgrade resistant?
> Would you recommend adding JAVA_OPTS to wildfly.conf?
> OR the documentation mentions a file called "profile.properties" without
> giving any idea where it can be found. That sounds ideal, if only it was
> clearer how to use it. Much cleaner than this -D on startup command line
> mess that was created.
> Also, I've added to KEYCLOAK-8872 that the other documentation needs fixing
> States that "scripts" is called "script" and that it is enabled by default.
> And the profile.properties file is mentioned without a location.