User storage: LDAP or Keycloak
by Istvan Orban
Dear Keycloak users,
I am very new to Keycloak and I really like it. It is great.
I am currently migrating a legacy app (using its own user management) to
support SSO.
I have set up Keycloak with OpenID Connect and it works very well. At this
point we need to decide
if we will use Keycloak as our main user store or we will set up an LDAP.
My question is: is Keycloak designed in a way that it can fulfil all
the responsibilities of the main user store?
Any risk with this at all?
PS: our user base is small and at this point I am not sure if we want to add
LDAP just for this.
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
6 years, 2 months
Keycloak SAML tomcat adapter and correct log-out
by Leonid Rozenblyum
Hello!
I'm using the Keycloak Tomcat SAML adapter and I have a question related to
the ?GLO=true way of logging out (since Tomcat doesn't implement the full Java EE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside Keycloak is indeed invalidated;
however, the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page can still be loaded.
Is there a robust, documented way to do the logout with the help of the Keycloak
SAML Tomcat adapter?
Thanks
6 years, 2 months
Can KeyCloak support Multi-lateral SAML federation?
by Chris Phillips
Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information:
To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome.
Chris.
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips(a)canarie.ca | GPG: 0x7F6245580380811D
6 years, 2 months
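The three functions listed above (fetch on a schedule, validate the signature, load the trusted entities) are what a federation-aware IdP has to do on every refresh. The following is an added example of that loader in Python; it is not Keycloak code and not from the thread. `verify_xmldsig` is an assumed hook supplied by the caller that performs the actual cryptographic check (for example a wrapper around a library such as signxml bound to the federation's signing certificate); the code here makes sure the signature exists and covers the root element before that hook is even consulted, enforces validUntil, caps the refresh interval at one hour, and then walks every EntityDescriptor, including ones in nested aggregates. The two-entity aggregate at the bottom is constructed and its SignatureValue is a placeholder.

```python
# Added example, not Keycloak code: loader for a signed SAML metadata aggregate.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

class MetadataRejected(Exception):
    """The aggregate must not be loaded; the previously loaded copy stays in use."""

@dataclass
class Entity:
    entity_id: str
    roles: List[str] = field(default_factory=list)  # "IDP" and/or "SP"
    sso: List[str] = field(default_factory=list)    # SingleSignOnService locations
    acs: List[str] = field(default_factory=list)    # AssertionConsumerService locations

@dataclass
class Aggregate:
    valid_until: Optional[datetime]
    refresh_after: timedelta
    entities: Dict[str, Entity]

# Subset of ISO 8601 durations seen in cacheDuration, e.g. PT1H or P1DT12H.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    m = _DURATION.match(text)
    if not m:
        raise MetadataRejected(f"unsupported cacheDuration {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_utc(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_signature_covers_root(root, verify_xmldsig):
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise MetadataRejected("aggregate is not signed")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    root_id = root.get("ID")
    # The Reference must point at the root's own ID: a signature over some inner
    # element is still valid XMLDSig but does not protect the entity list.
    if ref is None or not root_id or ref.get("URI") != f"#{root_id}":
        raise MetadataRejected("signature does not cover the root EntitiesDescriptor")
    if not verify_xmldsig(root):  # assumed hook: real cryptographic verification
        raise MetadataRejected("signature verification failed")

def load_aggregate(xml_bytes, verify_xmldsig, now=None, max_refresh=timedelta(hours=1)):
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise MetadataRejected("root element is not an EntitiesDescriptor")
    valid_until = None
    if root.get("validUntil"):
        valid_until = parse_utc(root.get("validUntil"))
        if valid_until <= now:
            raise MetadataRejected("aggregate has expired")
    check_signature_covers_root(root, verify_xmldsig)
    # Honour the publisher's cacheDuration but never refresh less often than max_refresh.
    refresh_after = min(max_refresh, parse_duration(root.get("cacheDuration", "PT1H")))
    entities = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):  # iter() also descends nested aggregates
        ent = Entity(ed.get("entityID", ""))
        idp = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if idp is not None:
            ent.roles.append("IDP")
            ent.sso = [e.get("Location", "") for e in idp.findall(f"{{{MD}}}SingleSignOnService")]
        sp = ed.find(f"{{{MD}}}SPSSODescriptor")
        if sp is not None:
            ent.roles.append("SP")
            ent.acs = [e.get("Location", "") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")]
        if ent.entity_id and ent.roles:
            entities[ent.entity_id] = ent
    return Aggregate(valid_until, refresh_after, entities)

def is_rejected(xml_bytes, verify_xmldsig, now=None):
    """True when load_aggregate refuses the document."""
    try:
        load_aggregate(xml_bytes, verify_xmldsig, now=now)
    except MetadataRejected:
        return True
    return False

# Constructed two-entity aggregate; the SignatureValue is a placeholder.
SAMPLE_AGGREGATE = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="agg1"
    validUntil="2099-01-01T00:00:00Z" cacheDuration="PT6H">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#agg1"/></ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor>
      <md:SingleSignOnService Location="https://idp.example.edu/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor>
      <md:AssertionConsumerService Location="https://sp.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

At the 4500-entity scale mentioned above the important design point is that `MetadataRejected` leaves the previously loaded trust list in place: an expired, unsigned or wrongly-signed aggregate must never clear the set of trusted IdPs and SPs, it only delays the refresh.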
Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
by Niels Bertram
Hi there,
We have a requirement to set the JNDI datasource name on a UserFederation
provider when added to a realm, to support connecting different realms in
the same Keycloak server to different databases. I've been through the examples
and read a few emails from around 2016 in the developer list but do not
find anyone who'd actually done this before. We could create a user-managed
EntityManagerFactory within the federation provider factory, but the
question is then how we can inject it into the container context and enlist
our transactions in the JTA?
Has anyone ever had to implement something like that?
Cheers,
Niels
6 years, 3 months
Uncaught server error: java.lang.OutOfMemoryError: Java heap space
by Arun Velayudhan
Hello,
We ran Keycloak with some basic load (like auth, get token) for a few hours, and
after some time Keycloak threw an out-of-memory error. Has anyone
faced a similar kind of problem? Would be keen to know what was done to
mitigate it.
Version of Keycloak -> 4.0.0.Final.
=====
18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
===============
Please find the startup configuration below:
===
19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
==================
Arun
6 years, 3 months
LDAP Authentication - Extended Errors
by Mark Hunt
Hi,
I have been doing some development with Keycloak and specifically OpenID Connect, Password Grant and an LDAP user federation with Active Directory. Overall everything is working great but I am a little surprised that on a token refresh I get told that the user account is disabled but on a login I do not. The exception to this would be if I try to login with a disabled account after a user federation sync has occurred.
Is this a configuration issue or do you need to implement LDAP diagnostic messages for login?
Thanks for developing a fantastic product!!
Regards
Mark
6 years, 3 months
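For readers wondering what "LDAP diagnostic messages" from Active Directory actually carry: on a failed simple bind AD returns LDAP result code 49 (invalidCredentials) for every account state and puts the real cause in the diagnostic message as a hex sub-code after "data". The following is an added example of decoding that field and deciding what to log versus what to show the user; it is not Keycloak code and not from the thread. The sub-code table is the well-known AD mapping; the three diagnostic strings are constructed (DSID and version fields are illustrative) and the fourth, empty, one stands in for a server that sends no diagnostic at all.

```python
# Added example, not Keycloak code: decode AD bind diagnostics without leaking account state.
import re

# Well-known sub-error codes Active Directory puts in the "data <hex>" field of the
# bind diagnostic. The LDAP result code is 49 (invalidCredentials) for all of them.
# Second field: whether AD accepted the password before refusing the bind.
AD_BIND_ERRORS = {
    0x525: ("user_not_found", False),
    0x52E: ("invalid_credentials", False),
    0x530: ("logon_time_restriction", False),
    0x531: ("workstation_restriction", False),
    0x532: ("password_expired", True),
    0x533: ("account_disabled", False),
    0x701: ("account_expired", False),
    0x773: ("password_must_change", True),
    0x775: ("account_locked", False),
}

_DATA_CODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def decode_bind_failure(diagnostic):
    """Map an AD bind diagnostic message to (reason, password_accepted)."""
    m = _DATA_CODE.search(diagnostic or "")
    if not m:
        return ("unknown", False)
    return AD_BIND_ERRORS.get(int(m.group(1), 16), ("unknown", False))

def triage_bind_failure(username, result_code, diagnostic):
    """Split a bind failure into an audit record and a user-facing message.

    The audit record carries the real reason. The user-facing text does not
    distinguish wrong password / unknown user / disabled / locked, because that
    distinction lets an unauthenticated caller enumerate account states. Only the
    two reasons where AD already accepted the password get a specific message.
    """
    if result_code != 49:
        reason, password_ok = ("ldap_error_%d" % result_code, False)
    else:
        reason, password_ok = decode_bind_failure(diagnostic)
    if password_ok:
        message = "Your password has expired and must be changed before you can sign in."
    else:
        message = "Invalid username or password."
    return {
        "audit": f"bind failed user={username} reason={reason}",
        "user_message": message,
        "reason": reason,
        "password_accepted": password_ok,
    }

# Constructed sample diagnostics; DSID and "v2580" are illustrative values.
SAMPLE_DIAGNOSTICS = {
    "disabled": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580",
    "bad_password": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "must_change": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
    "no_diagnostic": "",  # many non-AD directories return result 49 with no diagnostic
}

if __name__ == "__main__":
    for label, diag in SAMPLE_DIAGNOSTICS.items():
        print(label, triage_bind_failure("jdoe", 49, diag))
```

Whatever the directory reports, the difference between "disabled" and "wrong password" belongs in the server-side audit log and in an admin-facing event, not in the login form; only states the user has already proved the password for (expired, must-change) are safe to surface.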
Group-Mapping
by Lahari Guntha
Hi All,
We are using Keycloak version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured group mappers so that groups from LDAP are also synced to Keycloak.
eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"
When I log in to one of my applications that is configured to have SSO with Keycloak with user "user1", which is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2".
But now the newly added group is not reflected when I click on User > Group Mapping.
Why is this happening?
What is the solution to continuously and automatically sync the users with the groups they are present in or newly added to?
Thanks,
Lahari
6 years, 3 months
IdP selection based on email address
by Yann Jouanin
Hello,
We are using Keycloak with multiple IdPs from our customers. Because we don't want to offer a list of IdPs (customer A can't use the IdP of customer B), I would like to prompt the user for the email address first and then decide to redirect to a specific IdP based on the domain, for example.
Can somebody here advise me on the best way to implement this behavior?
My first thought was to use a custom flow with a script, but I can't find how to specify the IdP to use from a script.
Best regards,
Yann Jouanin
6 years, 3 months
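Whatever mechanism ends up doing the redirect, the two pieces of logic behind it are the same: a normalised domain-to-IdP lookup, and a check after the broker returns. The following is an added example of both, not Keycloak code and not from the thread; the domains and IdP aliases in `DOMAIN_TO_IDP` are constructed. The second function is the part that is easy to forget: the typed e-mail address is unauthenticated input, so after customer A's IdP returns an identity, the asserted e-mail must still map to that same IdP, otherwise anyone can pick which customer's IdP to be brokered through by typing a domain.

```python
# Added example, not Keycloak code: home-realm discovery by e-mail domain.
from typing import Dict, Optional

# Constructed mapping of customer e-mail domains to Keycloak IdP aliases.
DOMAIN_TO_IDP: Dict[str, str] = {
    "customer-a.example": "idp-customer-a",
    "customer-b.example": "idp-customer-b",
}

def email_domain(address: str) -> str:
    """Return the normalised domain part, or raise ValueError for junk input."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local or any(c.isspace() for c in address):
        raise ValueError("not an e-mail address")
    domain = domain.rstrip(".").lower()
    # IDNA-encode so that a Unicode look-alike domain cannot slip past the table.
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        raise ValueError("invalid domain")
    return domain

def select_idp(address: str, mapping=DOMAIN_TO_IDP, match_subdomains=True) -> Optional[str]:
    """IdP alias for the address's domain, or None to fall back to the local form.

    With match_subdomains, parent domains are tried in turn
    (sales.customer-a.example -> customer-a.example) but never the bare TLD.
    """
    domain = email_domain(address)
    labels = domain.split(".")
    if match_subdomains:
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    else:
        candidates = [domain]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return None

def brokered_email_allowed(address_entered: str, asserted_email: str, mapping=DOMAIN_TO_IDP) -> bool:
    """Post-broker check: the identity the IdP asserted must map to the same IdP
    that the typed address selected. Both are parsed with the same rules, and any
    unparsable value fails closed."""
    try:
        selected = select_idp(address_entered, mapping)
        asserted = select_idp(asserted_email, mapping)
    except ValueError:
        return False
    return selected is not None and selected == asserted

if __name__ == "__main__":
    for addr in ("Alice@Customer-A.example", "bob@sales.customer-a.example", "carol@unknown.example"):
        print(addr, "->", select_idp(addr))
```

Two practical notes: returning `None` for an unknown domain should show the same local login form as a known-but-wrong address (otherwise the prompt becomes a customer-list oracle), and the post-broker check is only as good as the IdP's e-mail claim, so it should be applied to the attribute the IdP actually signs, not to something the user typed a second time.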
org.keycloak.keycloak-services
by Nikola Malenic
I developed an authentication provider and am trying to deploy it on the KC
server. My project depends on keycloak-services:
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-services</artifactId>
    <scope>provided</scope>
    <version>${keycloak.version}</version>
</dependency>
My version is the same as the running Keycloak server.
I'm getting this error:
java.lang.NoClassDefFoundError: Failed to link rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm (Module "deployment.aas-1.0.DEBUG.jar" from Service Module Loader): org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator
And WildFly succeeds in finding other dependencies, like keycloak-server-spi
etc.
Any clue why this is happening?
Many thanks,
Nikola
6 years, 3 months
How to delete a federated identity?
by Eric Wittmann
Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
Bitbucket. Creating a link works well, but deleting the link does not.
It's been a while since I've checked for this functionality, but is there
an API call in KC 4.x that Apicurio can use to delete the linked account
for an authenticated user?
Previously I was trying to use this:
/auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
But I don't think this ever worked, and it's definitely returning a 404 now.
In a related follow-up question: in Keycloak 4.3.0 (most recent testing), if
I delete the linked account record in Apicurio, I cannot re-create it.
When I try, the result is a PK violation in the Keycloak database. I can
work around this problem only by logging into Keycloak and deleting the
"Identity Provider Link" in Manage > Users. The URL Apicurio uses when
initiating an account link is:
/auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
If the user already has an identity provider link for "gitlab" then the
result is:
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
    at org.h2.message.DbException.get(DbException.java:179)
    at org.h2.message.DbException.get(DbException.java:155)
    at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
    at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
    at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
    at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
    at org.h2.command.dml.Insert.insertRows(Insert.java:156)
    at org.h2.command.dml.Insert.update(Insert.java:114)
    at org.h2.command.CommandContainer.update(CommandContainer.java:98)
    at org.h2.command.Command.executeUpdate(Command.java:258)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ... 82 more
Seeking help on both issues. I'm likely just doing the wrong thing. :)
6 years, 3 months
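Both symptoms above (the 404 and the PK violation on re-link) come down to the old FEDERATED_IDENTITY row still being there, so the operation that is needed is a server-side removal of the link. The Admin REST API does expose that: `GET /admin/realms/{realm}/users/{userId}/federated-identity` lists a user's links and `DELETE /admin/realms/{realm}/users/{userId}/federated-identity/{alias}` removes one (204 on success, 404 when no such link exists). The following is an added example of a small client for those two calls, not Apicurio or Keycloak code and not from the thread. It authenticates with the client_credentials grant, so it assumes a confidential client with service accounts enabled whose service-account user holds the realm-management manage-users role; the base URL, realm name, client id and secret and the user id are assumptions. The HTTP transport is injectable so the logic can be exercised offline against the constructed in-memory stand-in at the end.

```python
# Added example, not Apicurio or Keycloak code: remove a user's IdP link via the Admin REST API.
import json
from urllib import error, parse, request

class KeycloakAdmin:
    """Minimal Admin REST client for listing and removing a user's federated identities."""

    def __init__(self, base_url, realm, client_id, client_secret, transport=None):
        self.base_url = base_url.rstrip("/")   # e.g. https://sso.example/auth (assumed)
        self.realm = realm
        self.client_id = client_id
        self.client_secret = client_secret
        # transport(method, url, headers, body) -> (status, response_bytes)
        self._send = transport or self._urllib_send

    @staticmethod
    def _urllib_send(method, url, headers, body):
        req = request.Request(url, data=body, method=method, headers=headers)
        try:
            with request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except error.HTTPError as exc:
            return exc.code, exc.read()

    def access_token(self):
        """client_credentials grant against the realm's token endpoint."""
        body = parse.urlencode({"grant_type": "client_credentials",
                                "client_id": self.client_id,
                                "client_secret": self.client_secret}).encode()
        status, data = self._send(
            "POST", f"{self.base_url}/realms/{self.realm}/protocol/openid-connect/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        return json.loads(data)["access_token"]

    def _admin(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.access_token()}", "Accept": "application/json"}
        return self._send(method, f"{self.base_url}/admin/realms/{self.realm}{path}", headers, body)

    def list_links(self, user_id):
        """GET /users/{id}/federated-identity -> sorted list of IdP aliases."""
        status, data = self._admin("GET", f"/users/{parse.quote(user_id, safe='')}/federated-identity")
        if status != 200:
            raise RuntimeError(f"list failed: HTTP {status}")
        return sorted(link["identityProvider"] for link in json.loads(data))

    def unlink(self, user_id, idp_alias):
        """DELETE /users/{id}/federated-identity/{alias}.

        True if a link was removed, False if there was none (404), so the call is
        idempotent and safe to retry; any other status is an error.
        """
        path = f"/users/{parse.quote(user_id, safe='')}/federated-identity/{parse.quote(idp_alias, safe='')}"
        status, _ = self._admin("DELETE", path)
        if status == 204:
            return True
        if status == 404:
            return False
        raise RuntimeError(f"unlink failed: HTTP {status}")

class FakeKeycloak:
    """Constructed in-memory stand-in for the three endpoints above, for offline runs."""

    def __init__(self, links):
        self.links = {user: set(aliases) for user, aliases in links.items()}

    def __call__(self, method, url, headers, body):
        path = parse.urlsplit(url).path
        if method == "POST" and path.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "fake-token"}).encode()
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, b""
        parts = path.split("/")
        user_id = parts[parts.index("users") + 1]
        if method == "GET":
            body = [{"identityProvider": a, "userId": "ext-" + a, "userName": "user"}
                    for a in self.links.get(user_id, ())]
            return 200, json.dumps(body).encode()
        if method == "DELETE" and parts[-1] in self.links.get(user_id, set()):
            self.links[user_id].remove(parts[-1])
            return 204, b""
        return 404, b""

if __name__ == "__main__":
    user = "11111111-2222-3333-4444-555555555555"  # assumed Keycloak user id
    kc = KeycloakAdmin("http://localhost:8080/auth", "apicurio", "apicurio-admin", "secret",
                       transport=FakeKeycloak({user: ["gitlab", "github"]}))
    print(kc.list_links(user), kc.unlink(user, "gitlab"), kc.list_links(user))
```

Because the delete is done with a service account rather than the end user's token, the application must check that the authenticated user is actually the owner of `user_id` (for example by taking the id from the user's own access token `sub` claim) before issuing it; otherwise any logged-in user could unlink someone else's account.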