Keycloak SAML tomcat adapter and correct log-out
by Leonid Rozenblyum
Hello!
I'm using the Keycloak Tomcat SAML adapter and I have a question related to
the ?GLO=true way of logging out (since Tomcat doesn't implement the full JavaEE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside Keycloak is indeed invalidated;
however, the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page can still be loaded.
Is there a robust, documented way to do the logout with the help of the Keycloak
SAML Tomcat adapter?
Thanks
6 years, 2 months
Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
by Niels Bertram
Hi there,
We have a requirement to set the JNDI datasource name on a UserFederation
provider when it is added to a realm, to support connecting different realms in
the same Keycloak server to different databases. I've been through the examples
and read a few emails from around 2016 on the developer list but did not
find anyone who'd actually done this before. We could create a user-managed
EntityManagerFactory within the federation provider factory, but the
question is then how we can inject it into the container context and enlist
our transactions in the JTA.
Has anyone ever had to implement something like that?
Cheers,
Niels
6 years, 3 months
Group-Mapping
by Lahari Guntha
Hi All,
We are using Keycloak version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured group mappers so that groups from LDAP are also synced to LDAP.
e.g.:
Users in LDAP: "user1"
Groups in LDAP: "group1", "group2"
When I log in to one of my applications that is configured to have SSO with Keycloak, with user "user1" that is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2"...
But now the newly added group is not reflected when I click on User > Group Mapping.
Why is this happening?
What is the solution to continuously and automatically sync the users with the groups they are present in or newly added to?
Thanks,
Lahari
6 years, 3 months
IdP selection based on email address
by Yann Jouanin
Hello,
We are using Keycloak with multiple IdPs from our customers. Because we don't want to offer a list of IdPs (customer A can't use the IdP of customer B), I would like to prompt the user for the email address first and then decide to redirect to a specific IdP based on the domain, for example.
Can somebody here advise me on the best way to implement this behaviour?
My first thought was to use a custom flow with a script, but I can't find how to specify the IdP to use from a script.
Best regards,
Yann Jouanin
6 years, 3 months
Browser not maintaining session for keycloak users
by Test Oauth
I am using OpenID Connect for authenticating users. After successful
authentication, the browser window says:
"Login Successful
You may close this browser window and go back to your console application."
However, even without closing the window, if I relaunch my application
(using keycloak.loginDesktop();), even within 10 seconds, the login
page still appears instead of "you are already logged in".
Browser: Firefox.
6 years, 4 months
Keycloak Proxy Rename
by Bruno Oliveira
Good afternoon,
We are considering transferring or forking keycloak-proxy[1] to the Keycloak
organization. In order to accomplish that, I've been working with Rohith on
updating some of its dependencies[2].
While discussing with our team, we reached the conclusion that calling it a
proxy could potentially increase the scope of the project and also give
people the wrong idea, because things like load balancing,
rate limiting, and other features would be expected. That's not what we want right now.
I would like to gather some feedback from the community before we move forward.
So please vote on the following Doodle:
https://doodle.com/poll/gux626ktscgpr96t
Also, feel free to suggest other names and they will be included.
[1] - https://github.com/gambol99/keycloak-proxy
[2] - https://issues.jboss.org/browse/KEYCLOAK-7265
--
abstractj
6 years, 4 months
Is keycloak the tool I'm looking for? selective AD user sync
by jlord87@gmail.com
Hello guys,
I'm really new to Keycloak and I need your help to understand if this
is what I'm really looking for.
I am the IT administrator in a non-profit environment, managing servers
and services for several non-profit organizations.
What I'm trying to achieve is the centralization of the authentication
and authorization process: every user should just have one password and
one "username".
The difficult part is that the environment I work in is really "fluid":
there are a lot of people working or volunteering in one or more
different organizations. Every organization has its own Active Directory
server (to manage desktop authentication and some CIFS shares), its own
G Suite (for emails) and, at the same time, there are services shared by
all (or some) of these organizations (like a Redmine ticketing system, a
Nextcloud file server and so on).
What I'm dreaming of is to manage everything from a single piece of software (I
tried Gluu but it had some annual fees we cannot afford to pay): I
would like to create a user (something like name.surname) and add
"permissions" to this user, something like "user1 should be able to access
gsuite 1, gsuite2, nextcloud and active directory 1".
I've uploaded a scheme in this PDF:
https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
Do you think Keycloak is capable of this? I played around a bit, read a
lot of documentation, and what I wasn't able to achieve was a selective
Active Directory user sync...
Maybe my error was trying to do everything in the same realm; what do
you think about it?
Thank you for any hint.
Francesco
6 years, 4 months
FW: Access control and client setup
by Wyns Dean
Hi
I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things.
We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.
Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions:
- create:item
- read:item
- update:item
- delete:item
Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes.
Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it.
Thanks for any feedback
Kind regards
Dean
6 years, 4 months
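An added example, not from the original post or from Keycloak, of what "decode the access token and read the granted scopes" should look like on the resource server: algorithm, signature, expiry, issuer and audience are checked before any scope is trusted. It uses the nimbus-jose-jwt library and assumes the realm's RSA public key is loaded once at startup, that the API's client id appears in the aud claim, and that granted scopes arrive as a space-separated "scope" claim.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
/** Validates a Keycloak access token offline and returns its granted scopes. */
public final class ScopeGuard {
    private final RSAPublicKey realmKey;   // realm public key, loaded once at startup
    private final String expectedIssuer;   // e.g. https://sso.example.test/auth/realms/demo (constructed)
    private final String expectedAudience; // client id this API accepts tokens for

    public ScopeGuard(RSAPublicKey realmKey, String expectedIssuer, String expectedAudience) {
        this.realmKey = realmKey;
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
    }
    /** Returns the granted scopes, or throws SecurityException if the token must not be trusted. */
    public Set<String> verifiedScopes(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm so the token header cannot pick "none" or an HMAC variant.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new SecurityException("unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(realmKey))) {
            throw new SecurityException("signature does not verify against the realm key");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !new Date().before(exp)) {
            throw new SecurityException("token expired or has no exp claim");
        }
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new SecurityException("unexpected issuer: " + claims.getIssuer());
        }
        if (claims.getAudience() == null || !claims.getAudience().contains(expectedAudience)) {
            throw new SecurityException("token was not issued for this API");
        }
        // Assumption for this example: granted scopes arrive as a space-separated "scope" claim.
        String scope = claims.getStringClaim("scope");
        if (scope == null || scope.trim().isEmpty()) return new HashSet<>();
        return new HashSet<>(Arrays.asList(scope.trim().split("\\s+")));
    }
}
```

The API then calls verifiedScopes(token).contains("delete:item") before deleting an item; a token that merely decodes but fails any of the checks above is rejected.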
Keycloak Java Servlet Filter Adapter.
by Luis Rodríguez Fernández
Hello there,
I am using the Java servlet filter adapter (
http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...)
in Apache Tomcat 9 and it works like a charm, thanks! The filter class
is org.keycloak.adapters.saml.servlet.SamlFilter.
I would like to fully externalize the Keycloak configuration from the
deployed applications. I know that I can set the Keycloak config file via
the filter config param keycloak.config.file to some external path like
/usr/local/my-keycloak-saml.xml, brilliant!
On the other hand, the SamlFilter (
https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...)
looks for the keystores inside the application context: usually
something like /WEB-INF/my-keystore.jks. This is due to the implementation of
the ResourceLoader.getResourceAsStream(String resource) function. It looks
something like this:
    ResourceLoader loader = new ResourceLoader() {
        @Override
        public InputStream getResourceAsStream(String resource) {
            // Resolved only against the web application's own context root
            return filterConfig.getServletContext().getResourceAsStream(resource);
        }
    };
In ServletContext.getResourceAsStream(java.lang.String path) the path param
must begin with a "/" and it is interpreted as relative to the current
context root. I would be in favor of having the possibility of externalizing
this resource, perhaps having something like:
    // First try the original one (relative to the context root)
    InputStream is =
        filterConfig.getServletContext().getResourceAsStream(resource);
    if (is == null) {
        // Not found in the webapp: try it as an external file path
        try {
            is = new FileInputStream(resource);
        } catch (FileNotFoundException e) {
            throw new RuntimeException(e);
        }
    }
Any thoughts on this?
Thanks in advance,
Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 4 months
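An added example, not the adapter's own code, of the fallback proposed in the post above with one change: instead of treating the resource name as an arbitrary absolute file path, the external lookup is confined to a single directory named by a hypothetical keycloak.config.dir filter init-param, so a name containing ".." segments or an absolute path cannot leave it. The anonymous ResourceLoader from the post would simply delegate to getResourceAsStream here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;

/** Resolves adapter resources from the webapp first, then from one configured external directory. */
public final class ExternalResourceResolver {
    private final ServletContext context;
    private final Path externalDir; // null when no external directory was configured

    public ExternalResourceResolver(FilterConfig filterConfig) {
        this.context = filterConfig.getServletContext();
        // Hypothetical init-param: the one directory external keystores may be read from.
        String dir = filterConfig.getInitParameter("keycloak.config.dir");
        this.externalDir = dir == null ? null : Paths.get(dir).toAbsolutePath().normalize();
    }

    /** Same contract as ResourceLoader.getResourceAsStream: the anonymous loader can delegate here. */
    public InputStream getResourceAsStream(String resource) {
        // 1. Current adapter behaviour: a "/"-prefixed path relative to the context root.
        InputStream is = context.getResourceAsStream(resource);
        if (is != null) {
            return is;
        }
        if (externalDir == null) {
            return null; // nothing external configured: keep the old failure mode
        }
        // 2. Fallback: the same name, but confined to the external directory.
        String name = resource.startsWith("/") ? resource.substring(1) : resource;
        Path candidate = externalDir.resolve(name).normalize();
        if (!candidate.startsWith(externalDir)) {
            // ".." segments or an absolute name would point outside the configured directory.
            throw new IllegalArgumentException("resource escapes external dir: " + resource);
        }
        try {
            return Files.newInputStream(candidate);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read external resource " + candidate, e);
        }
    }
}
```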