Keycloak self registration and Active Directory issues
by Chris Smith
My requirements are
1. Active Directory federation (really only as a Kerberos Server... I have a Windoze Only requirement imposed on me)
2. Keycloak self-registration for users
3. Application and user maintenance done in as much Out Of Box Keycloak as possible
4. Application Admins should never have access to AD management.
I've set as many AD password policies as I can easily find or google to be as permissive as possible
Policy
Enforce password history, 0
passwords remembered, 0
Maximum password age, 0
Minimum password age, 0 days
Minimum password length, 1 characters
Password must meet complexity requirements, Disabled
Store passwords using reversible encryption, Not Defined
I've set KC password policies
Minimum Length 8
Uppercase Characters 1
Lowercase Characters 1
Expire Password 30
Special Characters 1
Not Username
Not Recently Used 25
Digits 1
KC Authentication
Required Action
Update Password disabled
So when a new user uses self-registration, in AD, the user account is set to require password Change
Any advice on how to Change that
In Active Directory I remove the "Require password Change" on the user account
The KC user login fails with "invalid User or Password" error
If I try to Change the new Users Password in the KC Console,
Error! Could not modify attribute for DN [CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com]
Any Advice on what is going on?
5 years, 4 months
IdentityProvider access to AuthenticationSession
by Ronaldo Hideki Yamada
Hi people,
I was implementing a PKCE handshake with an OAUTH provider, everything works, but by now my codeVerifier is static!
On method createAuthorizationUrl I can get an instance from request.getAuthenticationSession(), but in the inner class I can't.
I need access to an instance of AuthenticationSession in the Endpoint inner class, to retrieve a random string.
Some ideas?
==== Some parts of my code ======================
...
public class NeoIDProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
        implements SocialIdentityProvider<OIDCIdentityProviderConfig> {

    // Static verifier shared by every login (the problem described above):
    // it should instead be generated per authentication session.
    public final static String codeVerifier = NeoIDUtil.S256("neoid");

    public NeoIDProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
        // request.getAuthenticationSession() is reachable here
        return super.createAuthorizationUrl(request)
                .queryParam("code_challenge", NeoIDUtil.S256(codeVerifier))
                .queryParam("code_challenge_method", "S256");
    }

    @Override
    public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
        return new Endpoint(callback, realm, event) {
            @Override
            public SimpleHttp generateTokenRequest(String authorizationCode) {
                // ...but not in this inner class, hence the static field
                return super.generateTokenRequest(authorizationCode)
                        .param("code_verifier", codeVerifier);
            }
        };
    }
...
======================================================
Ronaldo Hideki Yamada
Analyst
Superintendency of Products and Services - Information Technology Infrastructure Engineering
Operations Directorate
(11)2173-1797
-
"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
5 years, 4 months
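The PKCE flow the post above is implementing, as an added example that is not part of the original message or of Keycloak's code: a fresh code_verifier is generated per login, stored against that login's authentication session, turned into an S256 code_challenge for the authorization URL, and retrieved again when the token request is built. The AuthSessionStore class is a constructed stand-in for per-session notes (in Keycloak the equivalent would be auth notes on the AuthenticationSessionModel); the session ids, client id, redirect URI and state values are constructed sample data, and provider_accepts shows the check the OAuth provider performs on the other side.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy verifier: 32 random bytes give 43 chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthSessionStore:
    """Constructed stand-in for notes attached to one authentication session (not Keycloak's API)."""

    def __init__(self):
        self._notes = {}

    def set_note(self, session_id, key, value):
        self._notes.setdefault(session_id, {})[key] = value

    def pop_note(self, session_id, key):
        # The verifier is single-use: remove it once the token request has been built.
        return self._notes.get(session_id, {}).pop(key, None)


VERIFIER_NOTE = "pkce_code_verifier"  # hypothetical note name


def authorization_params(store, session_id, client_id, redirect_uri, state):
    """What createAuthorizationUrl should add: a challenge derived from a per-session verifier."""
    verifier = generate_code_verifier()
    store.set_note(session_id, VERIFIER_NOTE, verifier)
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(store, session_id, authorization_code):
    """What generateTokenRequest should send: the verifier stored for this same session."""
    verifier = store.pop_note(session_id, VERIFIER_NOTE)
    if verifier is None:
        raise ValueError("no PKCE verifier stored for this authentication session")
    return {
        "grant_type": "authorization_code",
        "code": authorization_code,
        "code_verifier": verifier,
    }


def provider_accepts(code_challenge, method, code_verifier):
    """The provider's side: recompute the challenge from the presented verifier and compare."""
    if method != "S256":
        return False
    return secrets.compare_digest(s256_challenge(code_verifier), code_challenge)


def demo_round_trip():
    """Two concurrent logins get distinct verifiers and each token request matches its own challenge."""
    store = AuthSessionStore()
    a = authorization_params(store, "sess-a", "neoid-client", "https://sp.example/callback", "st-a")
    b = authorization_params(store, "sess-b", "neoid-client", "https://sp.example/callback", "st-b")
    tok_a = token_request_params(store, "sess-a", "code-a")
    tok_b = token_request_params(store, "sess-b", "code-b")
    own_ok = provider_accepts(a["code_challenge"], "S256", tok_a["code_verifier"]) and \
        provider_accepts(b["code_challenge"], "S256", tok_b["code_verifier"])
    cross_rejected = not provider_accepts(a["code_challenge"], "S256", tok_b["code_verifier"])
    return own_ok and cross_rejected and a["code_challenge"] != b["code_challenge"]


if __name__ == "__main__":
    print("per-session PKCE round trip ok:", demo_round_trip())
```

The store is keyed by the authentication session, which is what makes the verifier available to the callback endpoint without a static field; whatever object reaches the Endpoint inner class for the current login is the right place to look up the note.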
Keycloak Kibana integration
by Joerg Lammerich
Hello,
we are new to Keycloak and we want to integrate it in our Elasticsearch/Kibana.
We read a lot of documentation, but we are not able to get it to run!
After the "login-Page" in Keycloak, we are redirected to Kibana and we get an error like the screenshot in the attachment.
What can we do???
Regards,
Joerg
5 years, 5 months
How do I integrate with a SAML federation
by BOOTH Stephen
I'm wanting to configure keycloak to authenticate against a SAML
federation (externally curated set of IdPs) rather than a single SAML
IdP. Specifically I want to support EduGAIN.
Is this something that keycloak supports natively? The form for
configuring a SAML Identity provider appears to assume a single IdP.
If not, does anyone have any suggestions for the best approach to
bridging a shibboleth SP into something keycloak can use as an Identity
provider.
Stephen
--
======================================================================
|epcc| Dr Stephen P Booth Principal Architect |epcc|
|epcc| s.booth(a)epcc.ed.ac.uk Phone 0131 650 5746 |epcc|
======================================================================
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
5 years, 5 months
Having multiple admin realms
by chamila
Hello,
I came across a requirement where we needed to allow a certain set of users
to perform a limited set of admin tasks like realm creation, user creation
etc. IIUC this is directly achievable by allocating those users to
`create-realm` role in the `master` realm. However the requirement demands
that the users should not be in the `master` realm itself. So the user
model is something like the following.
0. super users - Ops, and other super admins that take care of the most
privileged tasks like IdP federation, auth flows, etc - limited set of
users in the `master` realm
1. organization root users - users who act as admins for their realm and
are able to create other realms and add users to them, basically
organization admins (ex: `org1` realm)
2. realm specific users - users confined to their own realms (ex: `deptx`
realm)
In this model, `organization root users` should be able to create realms
but should not be part of the `master` realm itself. From the code I can
see that this requirement is not something possible as
org.keycloak.services.resources.admin.permissions.MgmtPermissions#canCreateRealm()
checks the following.
1. Is current realm the administrative realm
2. Does the current user have the `create-realm` role
However, is there a way to mark *multiple* realms other than `master` as
administrative realms so that those realms could have a realm role named
`create-realm` to be assigned to the above mentioned `organization root
users`?
Regards,
Chamila
Blog: medium.com/@chamilad
5 years, 5 months
Re: [keycloak-user] Keycloak as SP with ping federate
by Chris Stephens
Hello,
Thanks for responding so quickly. I was not able to see the error in the logs. However, after setting up a local instance of Keycloak I was able to track it down. You are correct I was not using SP-initiated SSO. After changing the configurations in Keycloak the relay state was being passed correctly. The client id was no longer null and I was able to authenticate.
Thanks again,
Chris
--
On 7/30/19, 2:27 PM, "Dmitry Telegin (Carretti Consulting)" <carretti.pro(a)gmail.com> wrote:
at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
at java.util.regex.Matcher.reset(Matcher.java:309)
at java.util.regex.Matcher.<init>(Matcher.java:229)
at java.util.regex.Pattern.matcher(Pattern.java:1093)
at java.util.regex.Pattern.split(Pattern.java:1206)
at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:987)
at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:497)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:465)
5 years, 5 months
Unable to log in with keycloak-js on localhost in Microsoft Edge
by Lukasz Lech
Hello,
I'm unable to log in on localhost (both using http://localhost and http://mylocalhostname ) using keycloak-js (https://www.npmjs.com/package/keycloak-js) on Microsoft Edge.
The problem is , that no POST is made to /auth/realms/REALM/protocol/openid-connect/token , only GET. On other browsers, or when using the same Edge to access the same app deployed remotely, there's both POST and GET made (BTW, why?).
The keycloak is deployed on remote machine.
I've tested keycloak-js versions 4.5.0, 4.8.3 and 6.0.1
The keycloak server configuration is identical in both cases.
Does anybody experience that behavior? Is Edge blocking some requests on random criteria when the app is loaded from localhost?
Best regards,
Lukasz Lech
5 years, 5 months
Keycloak in Websphere
by Orth, Alexandra
Hello,
I want to ask about the feasibility of getting Keycloak to run in Websphere instead of Wildfly. I found this link from 2018 (https://dzone.com/articles/deploying-keycloak-in-tomcat) describing how to deploy to Tomcat and was wondering if a similar approach might work now.
Any advice and/or instructions would be appreciated!
Thanks,
Alexandra
5 years, 5 months
Keycloak process is killed during the booting-up and before the deployment of REST resources
by alhezmi@yahoo.de
Hi,
I managed to install locally the Keycloak as Standalone and tested with all required test cases fine.
But when I tried to run it on another host available on the public Internet, the Keycloak process is killed after the Hibernate process is started
"HHH000397: Using ASTQueryTranslatorFactory"
and before the process:
"RESTEASY002225: Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication", where I compare the log files of the local and remote processes.
What could be the reason for such termination?
The server log is attached as text file. I appreciate your feedback.
Best Regards/viele Gruesse, Adel Al-Hezmi
5 years, 5 months