SAML Assertion Expiration v4.8.0
by gambol
Hiya
Was wondering if anyone else has come across this error before. After
upgrading to v4.8.0 users are complaining about intermittent login failures
via the federated IDP
09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-434) Assertion expired.
09:14:46,188 WARN [org.keycloak.events] (default task-434) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null, userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
The federated IDP is backed by ADFS
Googling around the issue seems to suggest a diff on clocks; but the time
on all the worker nodes (running in kubernetes) is all fine; and the
upstream broker (ADFS) said their time is fine.
Anyone seen this before? .. even better, anyone know of a solution? :-)
Thanks in advance
Rohith
5 years, 3 months
Theme caching
by Barish Yumerov
Hello,
I am running Keycloak in a docker container using this image:
jboss/keycloak
I created a few themes, and disabled caching by editing
./standalone/configuration/standalone.xml as
<theme>
<staticMaxAge>-1</staticMaxAge>
<cacheThemes>false</cacheThemes>
<cacheTemplates>false</cacheTemplates>
...
</theme>
Despite this, I can see changes only if I restart the docker container.
I even cleared all types of caches for the realm in the admin panel but
still I cannot see any changes :(
How can I clear the cache without restarting the docker container, or is there
any setting that disables caching in dev mode?
Thank you in advance!
Best Regards,
B Yumerov
5 years, 3 months
Context based User Roles
by Siddhartha Moitra
Hi,
Recently started using Keycloak as our IAM. I have a use case where
user-roles can change based on some contextual data. The contextual data
can be stored as User Attributes, but how do I map the user to the derived
role? All the roles exist as Realm roles. Any pointers will be much
appreciated.
Thanks,
Sid
5 years, 3 months
Keycloak Javascript Adapter - How Tied to Keycloak?
by Ben Ashley
Hi,
Bit of a strange question from me. How tied to Keycloak server is the
Keycloak Javascript adapter when it comes to enabling OIDC and OAuth2
flows? If we have a client application written using it, would it be
possible to replace Keycloak with another compliant identity provider (like
AzureAD or Auth0)?
Cheers,
Ben Ashley
5 years, 3 months
Using Keycloak Gatekeeper for Auth-Code-Flow over multiple microservices
by Seán Kelleher
Hi Stian,
> The alternative is to have a backend for your front-end that deals with
> obtaining tokens. The front-end uses a httponly cookie to be authenticated
> against the backend, but never has access to the token directly. This has
> the limitation that front-end and backend have to be hosted on the same domain
> and if you need to call external services it needs to be proxied through
> the backend. It is harder to do though.
Would it make sense to use Gatekeeper for this? The backend could require bearer
tokens as usual but Gatekeeper could be in charge of using the authorisation
code flow to log the user in and proxying the frontend's requests to the
backend, mapping the cookies to the corresponding bearer tokens. It's probably
more limiting than your solution for handling external services, but it could be
a quick way of setting up this type of token handling?
Kind regards,
Seán.
5 years, 4 months
Keycloak admin rest api performance
by Mark de Jong
Hi,
Keycloak starts having high latencies when there are 50–100 concurrent users interacting with the Admin REST API. I tested this by using Gatling and running a specific flow which involves calling the Admin REST API.
Keycloak uses a H2 database during the performance test.
Keycloak is run in a docker container within Docker for Mac.
We are using the following endpoints frequently:
POST /users - to create a new user
GET /roles - to get realm roles
POST /users/{userId}/role-mappings/realm - to assign realm roles to a user
I tried increasing memory in the JVM flags, but that didn’t help.
It shouldn’t be a problem to have that many users, right?
How can I diagnose what’s going on?
Is there a metrics endpoint (Prometheus) available?
Are there any other diagnostics I can run?
Greets,
Mark
5 years, 4 months
SLO in Identity Brokering
by Karol Buler
Hi Keycloaks!
We have a Keycloak as an Identity Broker (KC) and external OIDC Identity
Provider (EIDP), which we integrate with Keycloak.
Our Android/iOS application is integrated with the Keycloak, but
Authentication is handled by EIDP.
There is also another Android/iOS application integrated only with EIDP.
SSO is working very well in both ways. SLO in the direction KC -> EIDP is also
working. The problem is when a user logs out from the application
integrated only with EIDP. KC doesn't know anything about this logout,
and the Android/iOS application integrated with KC is still logged in. The
question is how we should do this in the proper way?
BR, Karol
5 years, 4 months
Login and Logout between two application on different subdomains
by Tom Pearson
Hi,
We have two applications on different subdomains. One is written with
Grails 2 and the other with Laravel. The Grails app is integrated with
Keycloak via a modified Spring Security plugin and the Laravel app with
Socialite. Individually both work correctly.
However, when a user logs in to one, we want them to be automatically logged
in to the other. Similarly, when the user logs out of one, we want them to be
automatically logged out of the other. This is not working.
Both applications use the same client and realm. Any help would be
appreciated as we have no solution to this apart from maybe using a custom
cookie.
Regards,
Tom Pearson
5 years, 4 months
Users to group mapping
by Shetty, Shweta
Our login times are not acceptable with Keycloak since during the login Keycloak is doing the users-to-group mapping. Is there any way we can separate the two concerns of logging in (validating the password vs this group mapping)? Is there a way to schedule this users-to-group mapping in the background after the login is finished? Any input is appreciated, since we do have large groups which the users belong to and the performance is painfully bad.
Shweta
5 years, 4 months
How to add gidNumber and uidNumber when federated with openLDAP
by Shiva Prasad Thagadur Prakash
Hi Guys,
I am trying to find a way to populate the gidNumber and uidNumber when a user is created in LDAP via Keycloak. I don't want to use hardcoded-attribute-mapper as it would put the same value on all the users. Is there a way to populate these values when a user is created on the Keycloak side?
For "posixAccount" in LDAP these are MUST (required) attributes, and LDAP throws an error if these values are not present when a user is created. Eagerly waiting for your reply.
Thanks,
Shiva
5 years, 4 months