Re: [keycloak-user] Restrict access to a client with role
by Emeline CHEVALIER
Hi,
I have a realm with many clients. I want to restrict access to one client for users that do not have a role.
Example:
MyRealm with Client A to access a server A and Client B to access a server B (SAML configuration).
I have many users, but I want that only users with role "AccessB" are able to access my server B.
How to do that?
I tried to create roles, policies... but I'm lost in these configurations.
Keycloak version: 3.4
Regards
Emeline
7 years, 12 months
Passing session information
by Rens Verhage
Hi,
I’m using GitHub as an identity provider. For all users that login through GitHub, I’d like to hardcode a session attribute which will be passed through to my application.
In the identity provider settings, I have the option to add a ‘hard coded session attribute’ mapper. In the client settings, I can add a ‘user session note’ mapper. I configured both these mappers on identity provider and client using the same name for the attribute and note. This however doesn’t work and it shouldn’t, as from what I understand, session attributes != session notes.
Now I’m stuck, the identity provider only supports mapping session attributes, the client only supports mapping session notes. How can I pass information in the session from provider to client?
Rens
7 years, 12 months
Kerberos auth
by Simon Lelardoux
Hi everybody!
I am implementing Kerberos authentication for my Keycloak users, but a problem is blocking me. When I get the page "401 unauthorized", a warning appears: "JavaScript is disabled. We strongly recommend to enable it. You were unable to login via Kerberos. Click the button below to login via an alternative method", and I'm redirected automatically.
Do you know what it is?
Cordially
7 years, 12 months
Is there an Event I can trap in KeyCloak when an account status is changed? (i.e. temporary locks)
by Eric B
Hi,
I'm using KeyCloak 3.4.3.FINAL and looking to see if there is any way I can
capture when an account is temporarily locked/unlocked. I was hoping to
write an EventListener that would trigger based on an event type, but I
can't seem to find anything that fires when the account is locked or
unlocked.
Is there such an Event in Keycloak? If not, is there a way I can add my own
custom events? I'd be okay with trapping an AccountModified event and working
with that, but the only event I see fired is the LOGIN_ERROR which doesn't
tell me if the account is being temporarily disabled. Furthermore, I can't
see any events being fired when the account is re-enabled.
Thanks,
Eric
8 years
Set up fine grained permissions
by Hammarberg, Daniel
Hi all,
I am trying to set up fine grained permissions, following the instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_p...
I don’t manage to set permissions for a user to view one client. Could anyone help me to find what’s missing?
My settings:
In the Users menu:
User cm_g123456 is a member of the group “Content Managers”.
The group Content Managers is mapped to the realm role “Content Manager” and the client roles realm-management -> query-clients and view-users
If I open the user cm_g123456 and check the Effective Roles under Role Mappings, I can see that Content Manager is active.
The user cm_g123456 also has the client role realm-management -> query-clients
In the Clients menu:
I open my client, “foo.com”.
Permissions are enabled. I have the following permission:
Name: manage.permission.client.manageSkfCom
Scopes: manage
Apply Policy: content-managers
Decision Strategy: Unanimous
I have the following policy:
Name: content-managers
Realm Roles:
Name: Content Manager
Required: checked
Logic: Positive
When I log in to the admin console as the user cm_g123456, I cannot see any clients. Also, when opening a user I cannot see any client roles in the Available Roles list under Role Mappings.
Best regards
/Daniel
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
8 years
SpringBoot 2 Support and best practices
by Kamil Kitowski
Hello everyone!
I'm completely new around here and I'm sorry if I did anything wrong.
Is there any information about possible SpringBoot 2 support via adapters?
It's been over a month since its release and Keycloak released 4.0.0.Beta1
which should contain merged changes from several pull requests about
spring-boot 2 support however there is no keycloak-spring-boot-2-starter
(or adapter) artifact available on public maven repos. Am I missing
something (like an additional repository) or are there some issues with said
adapter?
It works quite fine running on my local build, but I don't want to add
*.jar to my git repo.
Also, a minor question about best practices. Is it bad that I combine
keycloak-spring-boot-2-adapter and keycloak-spring-security-adapter? I like
defining Keycloak connection configuration via spring properties, but I'd
rather configure security using spring-security-like configuration.
Best regards.
--
Kitowski Kamil
8 years
Mapping identity provider ID (sub) to user attribute
by Eivind Larsen
Hi.
I have set up a realm using another Keycloak as OIDC identity provider.
So we have a setup:
client —> keycloak A <—> keycloak B
Where we control A but not B.
Since we have a custom integration with this provider from before, I
need to get the id of the provided identity (B.sub) into the access
token produced by A to remain backward compatible with our data.
To accomplish this, I followed the outline from:
https://lists.jboss.org/pipermail/keycloak-user/2017-October/012132.html
where a mapper ("Attribute importer") is added to the identity
provider, which should import claim 'sub' as a user attribute.
We would then import claim 'sub' into user attribute 'sub', then for
the client, map user attribute 'sub' to claim 'provider_id' in the access
token.
However, no value is imported from the identity no matter which claims
or attribute I map to/from.
Only the hardcoded values seem to show up when I list the attributes
of the user in the admin console.
Can anyone confirm if this should work, and what I should try next?
I have tried importing claim sub from the provided identity into many
different custom user attributes, to no avail.
8 years