I have installed the Keycloak 6.0.1 Tomcat 7 adapter in Liferay 6.2 for SSO authentication and authorization.
I have downloaded keycloak.json into our web application's WEB-INF and added the below to the Tomcat context and web XML files.
The integration between Liferay and Keycloak SSO has no issues.
However, I have a doubt about the protected resources in the <security-constraint> tag. Currently I have added /group/*, hence every URL path under /group requires a login.
If I would like to add the URL /admin/* so that it uses the Liferay login page instead of the SSO login page, how do I do it? Thanks
<Context path="/XXXX" crossContext="true" allowLinking="true">
Best Regards and Thanks
Wee Tat , Yeo (NCS)
Consultant, NCS Pte Ltd
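The web.xml arrangement the question is about, written out as an added example (it is not the poster's configuration and not code from the Keycloak project). It assumes a Keycloak realm role named "user" is granted to the SSO users, and that context.xml already declares the Keycloak authenticator valve as the adapter documentation describes:

```xml
<!-- WEB-INF/web.xml fragment for the Keycloak Tomcat adapter (illustrative).
     Assumptions: the realm role "user" exists in Keycloak and is granted to
     SSO users; context.xml already declares
     org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSO-protected site pages</web-resource-name>
    <!-- Only paths matched by a constraint are forced through the
         Keycloak valve; everything else passes through untouched. -->
    <url-pattern>/group/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Require the Keycloak realm role "user" (assumed name). -->
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Refuse plain HTTP so the session cookie and tokens never travel in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Deliberately no <security-constraint> for /admin/*: with no matching
     constraint the valve does not redirect to Keycloak, so Liferay's own
     portal login remains in charge of that path. -->

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <!-- The adapter takes the realm from keycloak.json; this value is not used. -->
  <realm-name>ignored-by-keycloak-adapter</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Two caveats a practitioner should check before copying this: the role in <auth-constraint> is matched against realm roles unless keycloak.json sets use-resource-role-mappings to true, in which case it is matched against the client's roles; and CONFIDENTIAL only works when Tomcat itself terminates TLS or sits behind a proxy that correctly reports the scheme (for example via RemoteIpValve), otherwise every request to /group/* loops on an https redirect.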
I'm really struggling with this one. We can't send verification emails when
the Docker image is behind a reverse proxy. I'm using nginx and everything
works apart from the email functionality, none of which works. We can get
tokens, verify tokens, etc. But no email functionality works.
The realm functions fine on a local instance and sends emails as expected.
Can't see anything in the logs. This is a killer for us so if anyone has
any ideas please contact asap.
Hello Keycloak experts,
We have the below challenges in our project, where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When an offline token is used from two
different machines, only one session is created, and that session
has the IP address of the machine from which the user session
was first created. Because of this we cannot detect any suspicious activity
by hackers. Shouldn't we create different sessions even though the same
offline token is used from different machines?
2. *Why is there no separate REST endpoint to get only online user
sessions?* The REST endpoint below returns all user sessions, i.e., both
offline and online user sessions.
Your help is much appreciated!
We are using Keycloak in a Spring Boot based application with Spring
Security. Now we need to add the realm somehow dynamically to the
request. As there is also the requirement to not use the default
Keycloak login page I decided to add a custom made login page for this.
My thoughts on this:
* I can change the redirect to the login url by setting it at the
KeycloakAuthenticationEntryPoint in the
* I could assemble the login url (with the realm) manually based on the
But now I feel a little bit lost. Even if I perform the POST request to
the Keycloak server, how do I announce this to the Keycloak Adapter and
instead? Can I somehow use the existing Java Keycloak Adapter?
Thanks for your help and best regards,
When checking the source code, I found that this is already implemented with the "client-session-stats" endpoint. The only downside is that it requires Keycloak v4; older versions only return the sessions, but not the offline sessions.
A global endpoint would be even nicer, but this is good enough and better than several hundred calls.
On 23.10.19, 20:19, Christian Becker wrote:
We've recently implemented a monitoring system that scrapes the /session-count and /offline-session-count of each client. However, we noticed that this causes huge spikes on the Infinispan nodes (200k sessions and 2M offline sessions); it is also not very efficient and requires several hundred API calls.
Is there any metrics system currently available that provides this data?
We're specifically looking for the per-client values, as we had several incidents with misconfigured clients that created huge amounts of sessions. And we can never rule out a recurrence, as long as per-client or per-user session limits are implemented.
I am using Keycloak version 6.0.1. But when I change the language to a
specific language other than English, error messages in the admin console are
still in English and not in the selected language.
*Steps to reproduce: *
1) Make sure "Internationalization Enabled" is "ON" for the realm
2) Go to respective realm login page, select a different language (other
than English) and login
3) Try to create a scenario where Keycloak throws an error. Ex: create a user
with a username which already exists.
4) Notice the error message is still in English, not in the language you
selected on the login page.
Please find attachment for error snapshot.
Is this expected behavior or a bug? Please guide me through this.
I'm trying to find documentation giving the list of MySQL versions that are supported by Keycloak 4.8.3 and by the very latest 7.0.1, but I was not able to find it.
Can someone provide a pointer to that?
Thanks a lot!
Dear Keycloak team,
I have a question about the SAML implementation associated with the `Identity Providers` in Keycloak: is it able to consume a (SAML) metadata file with many IdPs listed in it? Also, I assume that it lacks support for a discovery service, which is necessary to handle multiple IdPs in one place. Can you please comment on this?
I know I can manually configure single IdP in Keycloak.
Thanks in advance,
There is a major bug open since February this year which prevents us from deploying Keycloak as an IdP, since we are using Java Spring Boot and the ECDSA algorithm for signing the tokens:
We cannot change the signature algorithm due to other limitations.
Is there any plan to resolve that?
Can you speed it up?