I'm trying to sync the LDAP groups into Keycloak, but it doesn't update the
membership if I add a user to or remove one from a group in LDAP.
I was able to sync the groups and their users into Keycloak correctly if
they hadn't been provisioned before. For example, if the user already exists in
the Keycloak DB (provisioned from LDAP) and I remove it from an LDAP group (also
provisioned from LDAP), the user in Keycloak continues to be a member of
the group in the Groups tab of the user's details screen and in the client's group
mappers. However, if I open the Members tab of the group's details screen, the
user has been removed from the group.
Is there any way to solve this problem? Because of my company's policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
The AWS ALB will allow you to authenticate to Cognito or OIDC nowadays.
I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(
I can see a request to keycloak (from the client) :
And it 302 redirects back to the ALB :
On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL, and KC hands back a 302 (the URL above).
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature. (Using jwt.io's debugger.)
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.
But it doesn't seem to like it. And gives me a 500 error.
(I can authenticate with Google OIDC without any trouble...)
(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )
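
The code-to-token step and the signature check described in the post above, as an added example that is not part of the original post and not Keycloak or ALB code: it mints an RS256 token with a locally generated RSA key standing in for the realm signing key, then runs the checks a relying party such as the ALB has to make before trusting the token (pinned alg, signature over header.payload, exp, iss, aud), and shows that a forged alg=none token with the same claim shape is rejected. The issuer URL, audience and subject are assumed values, and a single-string "aud" is assumed (real tokens may carry an array).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token checked here ("aud" assumed to be a single string).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 mints a compact JWS with a locally generated RSA key standing in
// for the realm signing key (same wire format as Keycloak's tokens, not its code).
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	p, _ := json.Marshal(c) // plain string/int fields: Marshal cannot fail
	input := b64url(h) + "." + b64url(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// verifyRS256 is what the relying party must do before trusting the token: pin alg to RS256
// (the token must not choose "none" or HS256), verify the signature, then check exp, iss, aud.
func verifyRS256(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("malformed base64url segment")
	}
	var h map[string]string
	if json.Unmarshal(hb, &h) != nil || h["alg"] != "RS256" {
		return nil, fmt.Errorf("rejecting header %s: alg must be RS256", hb)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q, want %q", c.Aud, wantAud)
	}
	return &c, nil
}

// runChecks mints a token, verifies it, then verifies a forgery (subject changed,
// alg switched to "none", signature dropped). Issuer and audience are assumed values.
func runChecks() (goodOK, forgedRejected bool, err error) {
	const iss, aud = "https://kc.example.com/auth/realms/demo", "alb-client"
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	now := time.Now()
	tok, err := signRS256(key, Claims{Iss: iss, Aud: aud, Sub: "alice", Exp: now.Add(8 * time.Hour).Unix()})
	if err != nil {
		return
	}
	_, vErr := verifyRS256(tok, &key.PublicKey, iss, aud, now)
	goodOK = vErr == nil
	// A verifier that trusts the header's alg would accept this unsigned token.
	hdr, _ := json.Marshal(map[string]string{"alg": "none"})
	body, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Sub: "admin", Exp: now.Add(8 * time.Hour).Unix()})
	_, vErr = verifyRS256(b64url(hdr)+"."+b64url(body)+".", &key.PublicKey, iss, aud, now)
	forgedRejected = vErr != nil
	return
}

func main() {
	g, f, err := runChecks()
	fmt.Println("valid token accepted:", g, "| forged alg=none token rejected:", f, "| err:", err)
}
```

In a real deployment the public key comes from the realm's JWKS endpoint rather than a local key pair, and the "aud" check has to accept the array form that Keycloak can emit.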
Is there a way to remove the carriage returns Keycloak uses in the SAML
assertion token? This is incompatible with WebSphere idAssertion using
Keycloak as the identity provider. E.g., notice the
characters in the
Dear Keycloak users.
I am very new to Keycloak and I really like it. It is great.
I am currently migrating a legacy app (using its own user management) to
I have set up Keycloak with OpenID Connect and it works very well. At this
point we need to decide
whether we will use Keycloak as our main user store or set up an LDAP.
My question is this: is Keycloak designed in a way that it can fulfil all
the responsibilities of the main user store?
Any risk with this at all?
PS: our user base is small and at this point I am not sure we want to add
LDAP just for this.
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
1. After obtaining a token from Keycloak, I am able to
authenticate/authorize a user with this token.
2. After some time (15-20 minutes), I start receiving *"Failed to enforce
policy decisions"*. If the same token was valid a few minutes before,
shouldn't I get the "*token expired*" message instead of "*Failed to
enforce policy decisions*"?
My access token lifespan is set to 8 hours. Still, I see this behaviour after
just 15-20 minutes. Attached is an image of the token expiry settings:
I'm using the Keycloak Tomcat SAML adapter and I have a question related to
the ?GLO=true way of logging out (since Tomcat doesn't implement the full Java EE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside Keycloak is indeed invalidated;
however, the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page can still be loaded.
Is there a robust, documented way to do the logout with the help of the Keycloak
SAML Tomcat adapter?
I am trying to add an Identity Broker based on OpenID Connect to my
Keycloak. Everything is fine, redirecting to the login page is working,
but... there is always a "but" :) I get an error in Keycloak:
org.keycloak.broker.provider.IdentityBrokerException: No access_token
What I found is that Keycloak doesn't send the "Authorization"
header in the "code-to-token" request. Is it a bug/feature or am I missing
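
The two ways a client can authenticate to an OpenID provider's token endpoint, as an added example in Go that is not Keycloak's broker code: a stand-in token endpoint that accepts only client_secret_basic (client id and secret in the HTTP Basic Authorization header, RFC 6749 section 2.3.1) together with a client that performs the code-to-token request either with the secret in the form body (client_secret_post) or in the header. Against such a provider the body-only request gets no access_token back, which is the shape of the failure reported in the post above. The client id, secret, authorization code and redirect URI are assumed values, and the endpoint is a local test server, not a real provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed broker credentials; they are not values from the original post.
const (
	clientID     = "keycloak-broker"
	clientSecret = "s3cr3t"
)

// newStrictTokenEndpoint stands in for a remote OpenID provider whose token
// endpoint accepts only client_secret_basic (RFC 6749 section 2.3.1): the
// client id and secret must arrive in an HTTP Basic Authorization header, and
// a client_secret in the form body is ignored.
func newStrictTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != "authorization_code" || r.PostForm.Get("code") == "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request"})
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{
			"access_token": "at-" + r.PostForm.Get("code"), "token_type": "Bearer", "expires_in": 300,
		})
	}))
}

// exchangeCode is the broker's side of code-to-token. With useBasic the secret
// travels in the Authorization header (client_secret_basic); otherwise it is
// put in the form body (client_secret_post) and no Authorization header is sent,
// which is what the post above reports seeing from Keycloak.
func exchangeCode(tokenURL, code, redirectURI string, useBasic bool) (string, error) {
	form := url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {redirectURI},
		"client_id":    {clientID},
	}
	if !useBasic {
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if useBasic {
		// RFC 6749 form-urlencodes id and secret before Basic-encoding them
		// (a no-op for these values, but not for secrets containing ':' or '%').
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var tr struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	_ = json.Unmarshal(body, &tr)
	if resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		// The condition behind a "No access_token" failure: the endpoint
		// answered, but not with an access token.
		return "", fmt.Errorf("code-to-token failed: HTTP %d, error=%q, no access_token in response", resp.StatusCode, tr.Error)
	}
	return tr.AccessToken, nil
}

func main() {
	srv := newStrictTokenEndpoint()
	defer srv.Close()
	for _, basic := range []bool{false, true} {
		tok, err := exchangeCode(srv.URL+"/token", "abc123", "https://kc.example.com/auth/realms/demo/broker/remote-oidc/endpoint", basic)
		fmt.Printf("client_secret_basic=%v token=%q err=%v\n", basic, tok, err)
	}
}
```

Which method a given provider accepts is advertised in its discovery document under token_endpoint_auth_methods_supported; a provider that lists only client_secret_basic will answer a body-only request with 401 invalid_client, and the broker then has nothing to read an access_token from.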
I’m assessing whether KeyCloak can act as an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to perform a base set of functions. These are some of the critical (but not the only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
Is anyone using KeyCloak in this manner, or are there plans for this functionality on KeyCloak’s technical roadmap?
Some additional items to flesh out my request for information:
To give an idea of scale, the aggregates I want to work with have ~4500 entities, with 2800 IdPs and 2100 SPs, and need to be refreshed hourly.
The list of items important for interoperability can be seen here, with the ones I called out above appearing in section 2.2.1:
I’ve searched the keycloak-users list a bit and came across a reference to EntitiesDescriptor, which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399. That leads me to think that support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome.
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips(a)canarie.ca | GPG: 0x7F6245580380811D
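
What the second and third functions in the list above amount to in code, as an added example in Go that is not part of KeyCloak: parse an EntitiesDescriptor aggregate (including a nested EntitiesDescriptor, which federation aggregates use), refuse it if it carries no Signature element or if its validUntil has passed, and collect the IdP and SP entityIDs an IdP would use for trust decisions. XML-DSig verification of the aggregate's signature is a precondition that this example does not implement; it only checks that a Signature is present. The sample aggregate, its entityIDs and the federation names are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Constructed sample aggregate (not real federation metadata): two top-level
// entities plus a nested EntitiesDescriptor. The Signature element is a placeholder.
const sampleAggregate = `<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:subfederation">
    <md:EntityDescriptor entityID="https://proxy.example.net/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>`

// Minimal view of SAML 2.0 metadata: only what a trust decision needs.
type roleDescriptor struct {
	Protocols string `xml:"protocolSupportEnumeration,attr"`
}

type EntityDescriptor struct {
	EntityID string          `xml:"entityID,attr"`
	IDP      *roleDescriptor `xml:"IDPSSODescriptor"`
	SP       *roleDescriptor `xml:"SPSSODescriptor"`
}

type EntitiesDescriptor struct {
	XMLName    xml.Name                                  `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntitiesDescriptor"`
	Name       string                                    `xml:"Name,attr"`
	ValidUntil string                                    `xml:"validUntil,attr"`
	Signature  *struct{ Value string `xml:"SignatureValue"` } `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Entities   []EntityDescriptor                        `xml:"EntityDescriptor"`
	Nested     []EntitiesDescriptor                      `xml:"EntitiesDescriptor"`
}

// TrustStore is the result of a refresh: entityIDs usable as IdPs and as SPs.
type TrustStore struct {
	IdPs map[string]bool
	SPs  map[string]bool
}

// loadAggregate parses an aggregate and applies the freshness rule: a missing
// validUntil or one that has passed means the aggregate must not be loaded.
// XML-DSig verification of Signature must precede this and is not implemented
// here; only the presence of a Signature element is required.
func loadAggregate(data []byte, now time.Time) (*TrustStore, error) {
	var agg EntitiesDescriptor
	if err := xml.Unmarshal(data, &agg); err != nil {
		return nil, err
	}
	if agg.Signature == nil {
		return nil, fmt.Errorf("aggregate %q is unsigned; refusing to load", agg.Name)
	}
	until, err := time.Parse(time.RFC3339, agg.ValidUntil)
	if err != nil {
		return nil, fmt.Errorf("aggregate %q: missing or bad validUntil %q: %w", agg.Name, agg.ValidUntil, err)
	}
	if !now.Before(until) {
		return nil, fmt.Errorf("aggregate %q expired at %s", agg.Name, until)
	}
	ts := &TrustStore{IdPs: map[string]bool{}, SPs: map[string]bool{}}
	ts.collect(&agg)
	return ts, nil
}

// collect walks nested EntitiesDescriptors; one entity may hold both roles.
func (ts *TrustStore) collect(e *EntitiesDescriptor) {
	for _, ent := range e.Entities {
		if ent.IDP != nil {
			ts.IdPs[ent.EntityID] = true
		}
		if ent.SP != nil {
			ts.SPs[ent.EntityID] = true
		}
	}
	for i := range e.Nested {
		ts.collect(&e.Nested[i])
	}
}

func main() {
	ts, err := loadAggregate([]byte(sampleAggregate), time.Now())
	if err != nil {
		fmt.Println("refresh failed, keeping the previous trust store:", err)
		return
	}
	fmt.Printf("loaded %d IdPs and %d SPs\n", len(ts.IdPs), len(ts.SPs))
}
```

An hourly refresh loop would call loadAggregate on the freshly fetched document and swap in the new TrustStore only on success, so a failed download or an expired or unsigned aggregate leaves the last good set of entities in place.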
I am having trouble using Keycloak as the external provider for our
WebSphere application. I received the following response from IBM support:
I discussed the issue with our SAML SSO SME. He found that the SAML token,
besides X509Certificate, also contains RSAKeyValue (<dsig:RSAKeyValue>).
This document states:
RSAKeyValue is supported for the KeyInfo element in a Signature. However,
the X.509 certificate is not available when using RSAKeyValue. When the
X.509 certificate is not available to the runtime, the signer of the SAML
Assertion cannot be checked against a truststore. If you want to receive
SAML Assertions that use RSAKeyValue you cannot configure the runtime to
use a truststore.
Can you configure the IdP so that it only sends the X509 certificate, not the RSA key?
Is it possible to remove the RSAKeyValue from the SAML token and still send
just the certificate?
I have just published a first version of a generic Keycloak SDK based on
Docker and fully managed by Maven. I would like to understand whether this first
piece of work can be useful for current Keycloak development.
I'm also interested to know whether there are developers interested in
contributing to this project.
I'm wondering whether this project could be improved as a Maven Archetype with
dynamic parameters for generating components only if needed by developers,
i.e. without having all the Maven modules for components that you don't
need to extend or create.
Please let me know what you think and how this project can be extended to
become more helpful for the overall community.
Thank you, and I hope this helps.