Is it possible to get user info from external OIDC provider and then match it against LDAP provider and get rights from there when using Keycloak?
by Mart Abel
Does anybody know if this is possible?
I have setup external OIDC provider and I have setup external LDAP provider. I want the flow to be like this:
1. User has logins using OIDC provider
2. Get a token from OIDC provider and check the "sub" field against LDAP provider
3. If it exists there, then login user and add the rights from LDAP
4. If no LDAP user exists with that sub then login fails.
This OIDC contains no rights or anything, just a plain info about person.
Is it possible to do with Keycloak?
Or it's earier to do something custom myself.
________________________________
Disclaimer: This email and its attachments might contain confidential information. If you are not the intended recipient, then please note that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Please notify the sender immediately by replying if you have received this e-mail by mistake and delete it from your system. Kindly note that although Finestmedia and its subsidiaries have taken reasonable precautions to ensure that no viruses are present in this email, Finestmedia and its subsidiaries cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
5 years, 1 month
Setting custom redirect URI in SAML Identity Provider
by Edgar Vonk - Info.nl
Hi,
We use a SAML Identity Provider configuration in Keycloak to broker identities to an external SAML-based Identity Provider. This works fine but now we have the requirement that after authentication the user needs to be redirected first to a reverse-proxy and only then back to us (as in: Keycloak). I.e. we need to configure a custom redirect URI in our SAML Identity Provider in Keycloak..
However this redirect URI seems to be generated on-the-fly in Keycloak and the hostname part seems always set to the host where Keycloak runs on?
Our question is: is this redirect URI configurable at all and if not, how could we go about setting it ourselves (the hostname part at least)? I guess that we would need to create our own custom Identity Provider (e.g. extension of the SAMLIdentityProvider and related Java classes) and install this in Keycloak?
5 years, 1 month
Error extracting SAML assertion
by Edmond Kemokai
Hi All,
I am getting below exception when positing a saml response to /saml
consumer endpoint:
org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler
- Error extracting SAML assertion: null
A snippet of the response, I have stripped out the signature information:
<saml2p:Response xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="SOLVENT_72186bc0-0724-439c-a4a4-d1768907d1a0"
InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
<saml2:Issuer>Portal</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
</saml2p:Status>
<saml2:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
ID="SOLVENT_93f7919c-c92a-45ab-8d79-380e072b235b"
IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
<saml2:Issuer>Portal</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ek(a)gmail.com
</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
NotOnOrAfter="2019-02-22T17:20:46Z"></saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2019-02-22T17:19:46Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xsi:type="xs:string">ek(a)gmail.com
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="roles"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xsi:type="xs:string">developer</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">sysadmin</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
5 years, 1 month
'User not found' for existing users on login
by Louie, Betty
Hello,
We’re encountering a weird issue for one of our users where they’re unable to login even though their account exists. We’re able to see their account through the admin console and we’re able to impersonate as the user to access our application but when we attempt to login through the login forms, we get the following error/warning:
WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demoRealm, clientId=demoClient, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://mydomain.com/demoRealm/#/, code_id=485242e7-bddf-4381-b33d-0e0ab9f56922, username=demoUser
Our users are stored in a postgres db and we’re not doing anything special with our authentication flow. So far, this issue is specific to one user and we’d like to understand why this is happening. Has anyone else encountered this issue and was able to resolve it short of deleting their account? Or if anyone has any ideas and could point us in a possible direction, that’d be great! We’re unsure of how a user could even get into a state like this in the first place.
Thanks,
Betty
5 years, 1 month
Encouraging users to set up OTP, without enforcing it.
by Ian Rodgers
In the Keycloak UI/UX is there a recommended way of prompting and regularly reminding users that they should set up OTP on their account?
We don't want to remind users on every single log-in, just occasionally.
We don't want to remind users who have already set it up.
Thanks,
Ian R.
5 years, 1 month
Controlling Admin Role in Keycloak
by Mike Wakim
Hello,
We have a use case whereby we would like to create an admin user in
keycloak, and we want this admin user to be able to create new users with a
specific role. We want this admin user to only be able to manage users that
were created by him, we do not want the admin user to be able to manage any
other users in the realm.
Is this something that can be managed on the keycloak side? Essentially,
we'd like to have a more fine-grained version of the manage-users role,
limiting which users an admin can manage.
Any feedback / guidance on this would be much appreciated!
Thanks,
Mike
5 years, 1 month
User Groups/Roles in an Identity Brokering scheme
by Andy Yar
Hello,
I'm not sure how to approach following scheme of identity brokering
via OpenID Connect/OAuth2.
The idea is having a following scheme:
* Running a bunch of different applications build with RBAC in mind
having their own Keycloak instance
* Employing a hosted central Identity Provider (AWS Cognito, Auth0,
etc.) which manage keep the user base + user groups
* The application Keycloaks being configured to use the central IdP in
a federation.
* Each application Keycloak keeping a definition of application
specific roles and group -> role mappings
The auth flow would go like this:
* When accessing an app, user would be redirected to and authenticated
by the federated central IdP
* The central IdP would somehow (???, custom OAuth2 claims?) provide
list of user's groups
* Keycloak would map these groups to its local groups and transitively
to its roles
* The app would perform RBAC authorization based on the mapped roles.
So far I wouldn't manage to pass and map the IdP's groups to Keycloak's ones...
We want to simply keep and manage the user base + groups in a
centralized manner. But use application specific Keycloaks for the
role handling.
===============
Is this schema viable? Is there a better approach? Would a pure LDAP
solution fit better? Would a SAML-based approach provide benefits?
Thanks in advance
5 years, 1 month
Call Custom Restendpoint
by Eric Rath
Hello,
Implementing a custom rest endpoint in keycloak I used these example:
https://github.com/keycloak/keycloak/tree/master/examples/providers/domai...
After embedding the provider to keycloak it's loaded while keycloak
startup. Guess that's fine. In server info I can see the the endpoint as
well.
Problem:
How may I call that endpoint?
Do I need to registrate the endpoint or mount it on a client?
(If so which settings does the client need (admin rights etc...)
What is the URL for calling the endpoint?
Thanks,
Eric
Deutsche Bahn Connect GmbH
DB FuhrparkService GmbH
Mainzer Landstrasse 169-175, 60327 Frankfurt am Main
-----------------------------------------------------------------------------------------------------
Internetauftritt der DB Fuhrparkservice >> http://www.dbfuhrpark.de
Sitz der Gesellschaft: Frankfurt am Main
Registergericht: Frankfurt am Main, HRB 52 180
USt-IdNr.: DE 813214880
Geschaeftsfuehrer: Juergen Gudd (Vorsitzender), Moritz Rohrschneider
5 years, 1 month
Query string lost on redirection with keycloak as Broker and ADFS as IDP
by David Rodriguez
I have integrated keycloak with a web application using the java adapter
(no changes on the Angular frontend, just backend) We have several clients
in our aplication, and we have the option of chosing among them through a
query string on the URL. For example:
https://localhost:8443/myapp/#/login?client=TEST-CLIENT
If I use Keycloak as an IDP, it works fine, as the query string is kept.
But using ADFS as an IDP, the quey string is lost, so I don't get to the
correct client (TEST-CLIENT in this case) when redirected.
Any idea how to keep the whole url in order to make it work?
5 years, 1 month
Password in plain text
by David Rodriguez
Hi. I am just implementing keycloak, and taking a look at the calls, I see
that the password is shown in text plain in the developer tools. Is that
the expected behaviour?
[image: keycloak_bug.png]
Thanks in advance!
--
David Rodríguez Ortiz
--
David Rodríguez Ortiz
5 years, 1 month
