We are using SAML-based clients for our applications, but we also need a JWT
to pass to other systems so that they can also do their own validation.
Is there a straightforward way of getting a JWT token for a SAML-based
client from Keycloak?
I'm working on a multi-tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier. Example: user(a)myTenant.com
Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants, and the actual realm that will do the authentication should somehow be resolved from the tenant in the username.
Is there such behaviour available in Keycloak? I tested with v3.4.3 and did not find it, nor do the docs mention any info.
If this is not currently supported, what is the best approach for implementing it?
This is the idea I came up with:
Extend the Keycloak login/authentication to be in two steps:
1. The user first enters the username and clicks the continue button.
2. Custom logic in Keycloak extracts the tenant (realm) from the username and initiates the login request, now that I have the realm.
3. The realm login page is loaded with the username populated (if I pass login_hint=username, the field should be populated).
4. The user enters the password and clicks the login button.
What do you guys think of this approach?
I found a thread on the mailing list (that I can't find now...) that discussed the same problem. It was something along the lines of: create a main realm that will "proxy" to the others, but I'm not quite sure how to do that.
Hope to get some insight soon.
I'm currently working on a use case for which I need to use a realm as an
identity provider for other realms. Everything is working fine except that
the "realm_access" claim that I originally obtain from the parent realm
isn't propagated in the token I finally retrieve. Considering the schema in
the relevant section of the docs, I guess the child realm forges its own
token based on the one received from the parent realm.
Anyway, is there any way to concatenate the realm_access claim? So far, I've
tried to do it by defining identity provider mappers but without any
I was wondering if there is a way to trigger events. For example, if a user
logs in through Facebook it could make an RPC to allow the system to
update their photo or something, or if a user requests a password reset
it could mail the admin user and say "xyz requested a password reset".
I want to use Keycloak for user authentication in my Tomcat-based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and will have to handle the Keycloak communication myself from within my web application.
Are there any tutorials or recommendations around for my use case?
Which (Keycloak) jars do I need for this task?
Thanks in advance,
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
I've found out that the problem was in the audience validation of my API.
The access token I get from Keycloak when I authenticate my confidential client always has
aud = confidential_client_id
How am I supposed to get a token with a different audience value?
I tried specifying in the POST request to the token endpoint
resource = client_id_of_the_api
which works with ADFS 2016, but seems to be ignored by Keycloak.
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
Subject: [keycloak-user] Authenticating to a client with another client's service account
I have registered two clients in my Keycloak: one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
I've set the access type of both the API and the application to "confidential".
From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:
client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials
From this, I obtain a token that looks like this:
// other stuff
Then, I try to call my API with an authentication header with
Bearer = "eyJhbG...Z0qmQ" (the access_token from the previous step)
However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?
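As an added illustration (not code from this thread), the check below is what the API side of the exchange above would perform: verify the token, then accept it only if its aud claim names the API's own client ID, so a token issued with aud = confidential_client is rejected exactly as the poster observed. The client IDs come from the post; the HS256 signing with a constructed secret is an assumption made so the example runs offline (Keycloak signs its tokens with the realm's RSA key).

```python
import base64
import hashlib
import hmac
import json
import time

API_CLIENT_ID = "client_api"             # the API's client ID from the post
APP_CLIENT_ID = "confidential_client"    # the calling application's client ID from the post
DEMO_SECRET = b"constructed-demo-secret"  # constructed; a real Keycloak token is RS256-signed with the realm key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(aud, azp=APP_CLIENT_ID, secret=DEMO_SECRET, ttl=300):
    """Build a constructed HS256 token with the claim shape the post describes (iss, aud, azp, exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://keycloak-server/auth/realms/master", "aud": aud,
              "azp": azp, "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_for_api(token, expected_aud=API_CLIENT_ID, secret=DEMO_SECRET):
    """Resource-server check: signature, then expiry, then aud must contain this API's client ID.
    Returns (accepted, reason) so the API can log why a bearer token was refused."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return (False, "malformed token")
    expected_sig = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return (False, "bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        return (False, "expired")
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]  # a single audience is a string, several are a list
    if expected_aud not in audiences:
        return (False, f"aud={audiences} does not include {expected_aud}")
    return (True, "ok")
```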
In our currently running project, we are moving to Keycloak as the SSO for a few sites with about 180000 active users, a large hierarchy of groups, and peaks with thousands of calls per second. We are starting to get a feeling that Keycloak cannot handle such a large amount of data and traffic. Is there any documentation anywhere on server sizing and expected performance for large sites? Has anyone run peak tests and endurance tests on Keycloak, and in that case, what was the outcome? Does anyone have experience in using Keycloak for sites of this size?
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
In Keycloak User Federation, I have already configured an LDAP with the
attributes below. For operational reasons, we are developing a script to be able
to operate on users (import, resync, etc.) with the LDAP integration.
I found the AdminCLI documentation, and on the Linux side we can perform some
operations via "kcadm.sh". My question is, how can I update the yellow
highlighted attributes (Users DN and Custom User LDAP Filter) for existing
If I can update Users DN and add "tuser" to the Custom User LDAP Filter
attribute successfully via kcadm.sh, I will have a chance to do some user
operations anyway, like I mentioned above; I just need to update the current
LDAP configuration. I couldn't find an update operation in the AdminCLI doc.
If you know, please share it with me :)
Console Display Name - ldap
Priority - 0
Import Users - On
Edit Mode - READ_ONLY
Sync Registrations - On
Vendor - On
Username LDAP attribute - uid
RDN LDAP attribute - uid
UUID LDAP attribute - uid
User Object Classes - inetOrgPerson, organizationalPerson
Connection URL - ldap://ldap:3333
Users DN - dc=entp,dc=abc
Authentication Type - single
Bind Credential – N/A
Custom User LDAP Filter - (uid=user)
Search Scope - Subtree
Use Truststore SPI - Only for ldaps
Connection Pooling - Off
Connection Timeout - <Blank>
Read Timeout - 600000
Pagination - Off
Allow Kerberos authentication - Off
Use Kerberos For Password Authentication - Off
Batch Size - 1000
Periodic Full Sync - Off
Periodic Changed Users Sync - Off
Cache Policy - DEFAULT
I have a question about Keycloak. We have the following situation:
In our LDAP environment we have Groups and Roles stored.
In the LDAP environment there is a relationship between them via an attribute.
The relationship is then a many-to-many relationship, which is not supported.
So I want to import the groups into groups and the roles into roles so that
everything is inside Keycloak.
But I also want the relationship between the GROUP and the ROLE.
I have already imported the groups and roles separately, but I cannot map the
relationship between them. And doing it by hand is not the ideal situation.
Does anyone have this issue?