Are you using Drools Policy ?
by Pedro Igor Silva
Hello,
We would like to know if anyone from the community is using a Drools Policy
in Keycloak.
If you are using Keycloak Authorization Services, please let us know in
advance if you are using Drools because we are planning to remove it in
future releases.
The reason for removing it is related to:
* The number of dependencies required by Drools, which makes long-term
support, CVE handling and productization harder
* Very little demand from the community (currently the policy is disabled by
default)
Thanks,
Pedro Igor
6 years, 7 months
IDENTITY and SESSION cookie not getting set (KEYCLOAK-8137)
by Boris Matthys
Hi,
we have a use-case for the KeycloakInstalled adapter, but this does not
work as expected; after login in the desktop application, there is no SSO
to the web-applications.
I have traced this to an open issue created for keycloak 4.x:
KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie not getting set (KEYCLOAK-8137
<https://issues.jboss.org/browse/KEYCLOAK-8137>)
and a closed pull request https://github.com/keycloak/keycloak/pull/5607
I'm using keycloak version 6.0.1, here is a procedure to reproduce this
issue:
- use
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
to login to keycloak
- do not close the browser and open /auth/realms/demo/account/ in a new
tab
I expect the account page to open without a login, but this is not the
case: keycloak presents the login page.
Is there a reason that the pull request was closed without merging it?
There is a comment "my vote is to postpone this and merge it in early 5.x,
so we have time to fix potential regressions/side-effects in 5.x " and "we
need to understand this a bit better", but no explanation why the cookies
are (should be) removed by the delegate page.
If this cannot be solved, we'll need a workaround.
I'm thinking in the direction of creating our own version of the
KeycloakInstalled adapter and use a simple "login web-application" in front
of keycloak...
Is this a good approach or are there better ways to accomplish this?
Kind regards
Boris
6 years, 7 months
Metrics Endpoint Memory Leak
by Daniel.Meyerholt@eventim.de
Hi guys,
can somebody of you share some insights regarding memory leaks when scraping the /metrics endpoint on keycloak? A Jira Ticket already exists https://issues.jboss.org/browse/KEYCLOAK-10880 for some time but there seems to be no progress. As far as I can tell it seems to be related to internal keycloak/wildfly service integration and is not related to jdk versions/variants or means of deployment (bare,vm,container).
We'd love to use the new endpoints in order to integrate them in our Grafana dashboards and are happy to provide more information. Apparently 7.0.0 is also affected. To reproduce the behaviour just issue a ton of GETs on the metrics endpoint. The more you GET the faster it dies.
Thank you for any hints
Best
Daniel
6 years, 7 months
force renewal of authentication
by xljbi20
Hi
I have successfully set up x509 authentication for me as a user with
openidconnect.
Starting a clean browsersession will prompt me for my certificate
password to logon.
But next time I visit the same application my earlier session is reused,
this is of course nice for the user but if the administrator wants to
force a real renewed authentication it is not OK.
I have tried passing login=prompt but this makes no difference.
How can I force a real renewal?
6 years, 7 months
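As an added example (not from the post above), a Python sketch of the two knobs OpenID Connect Core gives a client for this: the prompt=login and max_age authorization request parameters, and the auth_time check on the returned ID token that tells the client whether the provider really re-authenticated the user or just reused the SSO session. The endpoint, client id and claim values are constructed for the example.

```python
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for the example (not taken from the post).
AUTHZ_ENDPOINT = "https://sso.example.org/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://app.example.org/callback"


def build_authorization_url(state, nonce, force_reauth=False, max_age=None):
    """Build an OIDC authorization request.

    prompt=login asks the provider to re-authenticate even when a live SSO
    session exists; max_age (seconds) bounds how old the authentication may be.
    Both are standard OpenID Connect Core 1.0 authentication request parameters.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if force_reauth:
        params["prompt"] = "login"
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def request_params(url):
    """Return the query parameters of an authorization URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def authentication_is_fresh(id_token_claims, max_age, now=None):
    """Client-side check after the code exchange.

    When max_age was requested the ID token must carry auth_time, and
    auth_time + max_age must not lie in the past. Without this check the client
    cannot distinguish a fresh login from a reused SSO session. Signature and
    issuer/audience validation of the ID token are assumed to have happened
    before this point.
    """
    now = int(time.time()) if now is None else int(now)
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        return False
    return int(auth_time) + int(max_age) >= now


# Constructed ID token claim sets: one from a reused session (authenticated
# over an hour ago) and one from a fresh login ten seconds before the token.
REUSED_SESSION_CLAIMS = {"sub": "alice", "iat": 1567674000, "auth_time": 1567670000}
FRESH_LOGIN_CLAIMS = {"sub": "alice", "iat": 1567674000, "auth_time": 1567673990}


if __name__ == "__main__":
    url = build_authorization_url("state-1", "nonce-1", force_reauth=True, max_age=60)
    print(url)
    print("reused session fresh?", authentication_is_fresh(REUSED_SESSION_CLAIMS, 60, now=1567674000))
    print("fresh login fresh?", authentication_is_fresh(FRESH_LOGIN_CLAIMS, 60, now=1567674000))
```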
Keycloak behind two different proxies
by Yang Yang
Hello,
I have a use case where Keycloak needs to be deployed behind two different proxies: UserA —> ProxyA —> Keycloak <— ProxyB <— UserB. Could you tell me how to make this work?
I followed the installation guide and got it working for UserA/ProxyA or for UserB/ProxyB, but cannot make it work for both. The major problem is that, rather than two different providers for UserA/ProxyA and UserB/ProxyB respectively, I can only set one fixed provider.
Can anyone shed some light?
Thanks,
Yang
6 years, 8 months
Re: [keycloak-user] Enable CORS on token endpoint
by David Sautter
Hi Sebi,
yes I did. I tried different configurations (* or the exact urls).
I can now narrow the problem down to the fact that the token exchange is done in a popup.
My website is hosted at localhost:4200 and the popup is localhost:4200/signin.html.
If my website does the token exchange everything is fine; if the popup tries it, it fails.
Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Thursday, September 5, 2019 10:50 AM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Enable CORS on token endpoint
Hi,
Have you set the "Web Origins" field in the client configuration on the keycloak webconsole ?
That should be enough.
Sebi
On Thu, Sep 5, 2019 at 10:47 AM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hello,
I'm trying to do OpenID Connect Authentication using the Authorization Code Flow with the openid-client-js client library. It behaves conformant to the specification.
If you are doing the Authorization Code Flow without using a server-side component to exchange the code for a token (which you can/should do according to the security best practices recommendation), you run into a problem. The browser needs to exchange the code for a token and therefore perform a CORS request on the token endpoint.
The token endpoint currently does not have CORS enabled, as far as the response is telling me.
How to enable it?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 8 months
Not able to extend User Storage SPI without changing Keycloak configuration files
by David VS
Goal:
Setup custom federation which extends ldap provider.
Question: What is the proper way to extend the ldap federation while adding
one more configuration input? (without changing internal keycloak files)
I followed the steps in
https://www.keycloak.org/docs/latest/server_development/index.html#_user-...
and specified my own provider and providerFactory.
In admin console, when trying to create the federation "custom-ldap", most
of the input fields do not have a label and some buttons like "Test
connection" are missing. The configuration property that I added and
customized has label/default value/tooltip.
If it is not possible to extend the form, is there an easy way to
inherit the same UI form from the ldap federation page in my extension?
(I'm new to keycloak, and do not have experience with Freemarker).
Thank you so much for your support,
David
6 years, 8 months
Enable CORS on token endpoint
by David Sautter
Hello,
I'm trying to do OpenID Connect Authentication using the Authorization Code Flow with the openid-client-js client library. It behaves conformant to the specification.
If you are doing the Authorization Code Flow without using a server-side component to exchange the code for a token (which you can/should do according to the security best practices recommendation), you run into a problem. The browser needs to exchange the code for a token and therefore perform a CORS request on the token endpoint.
The token endpoint currently does not have CORS enabled, as far as the response is telling me.
How to enable it?
Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
6 years, 8 months
Admin API permission endpoints for token exchange
by James Mitchell
Can I get a pointer to any admin api endpoints to enable permissions for an
identity provider to perform token exchange, and an endpoint to create the
client policy for the permission?
Firstly, I know this would all go away if I created identity providers and
redirected to Keycloak to handle the whole oauth process... but then I think
that would break all the existing redirect urls I have provided to the
external oauth services, so I'm reluctant to do that. I'd prefer a
behind-the-scenes migration.
So, my use case is that I have existing site with server code that
authenticates users with external services then grants access to the site.
I have migrated all the internal users to a Keycloak auth, and now I'm
looking at how to exchange the tokens from the external service for valid
Keycloak tokens.
Following the steps from the documents, I can automate the following steps
* create an identity provider for the external service, and fill in all the
endpoint and client ids
* lookup the existing user (they are guaranteed to exist) and link them to
the new IDP
* < this is the missing step for automations >
* perform the token exchange, which now works OK with my Google test user
My problem is that I need to enable the permissions, and create the policy
to allow the IDP to do token exchange; and I have not found which API
endpoints will do that.
Can someone point me at the right documents, or a keyword to search for in
the Admin REST API document?
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
6 years, 8 months
Re: [keycloak-user] Use keycloak classes from a custom Authenticator: NoClassDefFoundError
by Daniel.Meyerholt@eventim.de
Hi,
I do not know your exact project setup but you have to declare any dependencies as wildfly isolates classloaders.
As AbstractIdpAuthenticator is included in the keycloak-services module, you can use this in the jar's META-INF/MANIFEST.MF:
    Dependencies: org.keycloak.keycloak-services
Maybe additional Modules have to be included as well.
See appropriate documentation of how to do this in your favourite build tool.
See http://docs.wildfly.org/17/Developer_Guide.html#ear-class-loading (applies to keycloak's jar mechanism as well)
Best
Daniel
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On behalf of Christophe de Vienne
Sent: Wednesday, 4 September 2019 11:32
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Use keycloak classes from a custom Authenticator: NoClassDefFoundError
Hi everyone,
I want to write a custom Authenticator that borrows code from AbstractIdpAuthenticator (or better, extends it).
However, as soon as my authenticator attempts to load a class from the keycloak-services package, I get a NoClassDefFoundError. For example:
08:24:53,608 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
(default task-6) Uncaught server error: java.lang.NoClassDefFoundError:
org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext
I used the authenticator example provided in the examples directory as a base for writing the pom.xml file.
Should I be able to use or extend keycloak classes from within my provider (packaged as a jar, I also tried wildfly:deploy)?
If so, what am I missing?
I also posted a question on stackoverflow, you may find some relevant detail in it:
https://stackoverflow.com/questions/57778240/noclassdeffounderror-in-a-pr...
Thanks,
Christophe
6 years, 8 months
Mapping Claims from Identity providers
by Konsulent Thomas Isaksen (TNO)
I have configured Azure as my identity provider and I am assigning roles to my users in Keycloak based on claims I get from Azure.
Once I have defined one or more Role Mappers and sign in with my Keycloak user for the first time, the mapping is done and works as expected. However,
once I create additional mappings the roles of the user are no longer updated. The only way to get an updated mapping is to delete my Keycloak user and sign in again.
I tried to look it up in the documentation:
Mapping Claims and Assertions
https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/map...
..
"Each new user that logs into your realm via an external identity provider will have an entry for it created in the local Keycloak database. The act of importing metadata from the SAML or OIDC assertions and claims will create this data with the local realm database."
...
Does this mean that I cannot expect new claim mappings to apply to existing users? Is there any way to do this ?
( I did send this message in April but it never showed up in the mailing list)
--
Thomas Isaksen
6 years, 8 months
[keycloak-dev] How to add custom LDAP attribute mapper
by Shiva Prasad Thagadur Prakash
Hi Guys,
I want to add a custom LDAP user attribute mapper to Keycloak. How can I do
this?
Actually I wanted to have an LDAP attribute mapper which would have some
initial value hardcoded for an LDAP attribute but the attribute value can
be edited/changed later.
Thanks,
Shiva
6 years, 8 months
Testing Application Security
by Vikram
Hi All,
I am currently trying to test the security of my website. Assuming that
a hacker gets through Keycloak, is there a way to test how secure my web
application (website) is? Or is it necessary to test this?
Regards,
Vikram
6 years, 8 months
Prior consent for keycloak cookies
by Vikram
Hi all,
Is there any documentation on how to set up prior consent for cookie
usage for a website secured by keycloak?
Regards,
Vikram
6 years, 8 months
Automating user federation config on startup
by Gary Kennedy
Just about to dive into this, but wondering if anyone can share any information they have to save me some time/effort?
I'm looking to setup an isolated review instance of keycloak via automated build pipelines with isolated support dependencies (ldap, db, etc). The ldap, and db, host names are dynamic. Pointing to the database is easy (thanks to the environment variable support), however I don't know how (or if) it can be done for the user federation setup/config. I'm guessing/hoping I can use the subsystem cli config on startup, but that idea may just be showing my ignorance.
Has anyone done/tried this before and can share their experiences please?
Cheers,
Gary
6 years, 8 months
Extending User Account Service
by Michael Humphries
Hi all,
I want to know if it is possible to add email verification in front of the
User Account Service or if this feature is in the works at all?
If not, is it possible to extend the SPI in some way to leverage the User
Account Service to achieve this?
Essentially I want a situation where:
1. a user goes to update their TOTP information by clicking the link that
takes them to /account/totp.
2. they are presented with a screen saying that they have been sent an
email.
3. they click the link in the email.
4. they are taken to /account/totp where they can update their information.
It is probably important to note, but also pretty obvious, that the user
cannot just navigate to a static /account/totp as this would defeat the
purpose of this feature.
Any advice/help would be much appreciated.
Thanks
Mike
6 years, 8 months
Use keycloak classes from a custom Authenticator: NoClassDefFoundError
by Christophe de Vienne
Hi everyone,
I want to write a custom Authenticator that borrows code from
AbstractIdpAuthenticator (or better, extends it).
However, as soon as my authenticator attempts to load a class from the
keycloak-services package, I get a NoClassDefFoundError. For example:
08:24:53,608 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
(default task-6) Uncaught server error: java.lang.NoClassDefFoundError:
org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext
I used the authenticator example provided in the examples directory as a
base for writing the pom.xml file.
Should I be able to use or extend keycloak classes from within my
provider (packaged as a jar, I also tried wildfly:deploy)?
If so, what am I missing?
I also posted a question on stackoverflow, you may find some relevant
detail in it:
https://stackoverflow.com/questions/57778240/noclassdeffounderror-in-a-pr...
Thanks,
Christophe
6 years, 8 months
Permission for token exchange
by James Mitchell
I am trying to use the token exchange preview feature.
I have enabled it OK, and can see it in the UI server info as a preview
feature (not a disabled feature).
But I'm getting an error, that the client is not allowed to perform the
exchange. The docs clearly say that I need to enable a permission on the
Identity Provider
https://www.keycloak.org/docs/6.0/securing_apps/index.html#_grant_permiss...
My problem is that I do not see the Permissions tab when I look at the
IDP... :(
Can anyone suggest why the Permissions tab might be hidden?
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
6 years, 8 months
Using CILogon as an Identity Provider inside Keycloak
by Dockendorf, Trey
I have Keycloak 6.0.1 set up with the CILogon Identity Provider and the only flow I'm able to get working is "browser". The goal is that when someone logs into CILogon and is redirected back to Keycloak they would have to somehow map their CILogon identity to their read-only LDAP identity in Keycloak. We do not allow creation of users in Keycloak; all users come from LDAP and the LDAP config is set to read-only. I've managed to get this working by using the "browser" first login flow. I've tried modifying the first broker login flow but that has not worked. I'm curious if anyone else has set up Keycloak with CILogon and, if so, how they handled mapping the CILogon identities to Keycloak users.
Thanks,
- Trey
6 years, 8 months
JBoss EAP/WildFly Adapter - JAAS Login Module for OTP
by R M
Hi
According to the Securing Applications documentation, I can provide an adapter
config file in the WAR and change the auth-method to KEYCLOAK within web.xml.
Alternatively, I don't have to modify the WAR at all and I can secure it via
the Keycloak adapter subsystem configuration in the configuration file,
such as standalone.xml.
But my app has a FORM login authentication mechanism; in web.xml I have this:
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name></realm-name>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/LoginError.jsp</form-error-page>
        </form-login-config>
    </login-config>
and according to this the Login.jsp is submitting its values to
"j_security_check".
I want to continue to use this but I want KEYCLOAK to take control of checking
credentials (and managing the OTP).
It is not clear (I have not been able to find out) whether there is some "standard" adapter or
login module available, and what "name" to give to the OTP field in the login
form.
e.g. using PicketBox
https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
but now PicketLink and Keycloak projects are merged and I want to use a
similar way using OTP and the Keycloak server
So I'm looking for the Keycloak replacement of JBossTimeBasedOTPLoginModule
(and the related setup):
    <login-module
        code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
Do you have any idea?
Thanks
6 years, 8 months
Identity provider mapper - Attribute to role
by Matteo Restelli
Hi all,
We're trying to setup an Attribute to role mapper inside our SAML 2.0
identity provider. The problem is that our attribute contains whitespaces.
How can we map an attribute with whitespaces to a role? Currently
surrounding it with double quotes or single quotes doesn't work.
Any thoughts on that?
Thank you,
Matteo
6 years, 8 months
Unable to get SAML ForceAuthn to work
by Neil Russell
Hey,
I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request, one issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working but even though I can now see that parser is returning true when the ForceAuthn attribute is read I'm still not getting the expected behaviour and I'm not sure where to look next.
Any suggestions would be appreciated, am I looking in completely the wrong place?
Thanks,
Neil Russell
6 years, 8 months
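The mismatch described above comes down to how the ForceAuthn attribute is read: it is an xs:boolean, whose lexical space in XML Schema Part 2 is "true", "false", "1" and "0", so a reader that accepts only the literal "true" drops the flag on requests from an SP that writes "1". As an added illustration (not Keycloak's parser and not the poster's fix), a Python sketch of the narrow reading beside the schema-conformant one, run over a constructed AuthnRequest.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest in the style described in the post, with
# ForceAuthn="1" rather than ForceAuthn="true" (sample data, not a real capture).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_example-request-id" Version="2.0" IssueInstant="2019-09-01T09:00:00Z"
    ForceAuthn="1" IsPassive="0"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
</samlp:AuthnRequest>
"""


def strict_bool(value):
    """The narrow reading the post describes: only the literal 'true' counts."""
    return value == "true"


def xsd_bool(value):
    """xs:boolean per XML Schema Part 2: true, false, 1, 0 (surrounding
    whitespace collapsed). Anything else is a schema violation, so reject it
    rather than silently treating it as false."""
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")


def force_authn_requested(xml_text, parse=xsd_bool):
    """Return the ForceAuthn flag of a samlp:AuthnRequest.

    An absent attribute means False, which is the SAML 2.0 default.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    raw = root.get("ForceAuthn")
    return False if raw is None else parse(raw)


def may_reuse_session(xml_text, has_live_session, parse=xsd_bool):
    """IdP-side decision: an existing SSO session may be reused only when the
    SP did not ask for ForceAuthn. With the strict reader, a request carrying
    ForceAuthn="1" wrongly lands in the reuse branch."""
    return has_live_session and not force_authn_requested(xml_text, parse)


if __name__ == "__main__":
    print("strict reader sees ForceAuthn:", force_authn_requested(SAMPLE_AUTHN_REQUEST, strict_bool))
    print("xs:boolean reader sees ForceAuthn:", force_authn_requested(SAMPLE_AUTHN_REQUEST))
    print("session reused with strict reader:", may_reuse_session(SAMPLE_AUTHN_REQUEST, True, strict_bool))
    print("session reused with xs:boolean reader:", may_reuse_session(SAMPLE_AUTHN_REQUEST, True))
```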
connecting between rh-sso (tier 1) to rh-sso (tier 2) with identity provider
by Oren Oichman
Hello all,
Can anyone help with configuring multiple-domain centralization using
RH-SSO?
I set up 2 Red Hat IDMs with 2 different domains, deployed rh-sso
for each domain and used federation configuration to connect them.
Next I set up a third rh-sso and connected them through the identity
provider.
I am getting an "Invalid parameter: redirect_uri" error, which I
believe has something to do with the client configuration on the tier 2
RH-SSO.
The flow I am trying to achieve is:
REDHAT-IDM(x2) --> RH-SSO(x2) --> RH-SSO --> APP
so that when clients try to connect to the app they will be able to
choose which domain they want to use for authentication.
thanks in advance
*with Best Regards*
*Oren Oichman*
Red Hat - Cloud Consultant
email: ooichman(a)redhat.com
cell: +972-54-4959822
6 years, 8 months
SAML Assertion Expiration v4.8.0
by gambol
Hiya
Was wondering if anyone else has come across this error before. After
upgrading to v4.8.0 users are complaining about intermittent login failures
via the federated IDP
09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator]
(default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
task-434) Assertion expired.
09:14:46,188 WARN [org.keycloak.events] (default task-434)
type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null,
userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
The federated IDP is backed by ADFS
Googling around the issue seems to suggest a diff on clocks; but the time
on all the worker nodes (running in kubernetes) is all fine; and the
upstream broker (ADFS) said their time is fine.
Anyone seen this before? .. even better, anyone know of a solution? :-)
Thanks in advance
Rohith
6 years, 8 months
How to add gidNumber and uidNumber when federated with openLDAP
by Shiva Prasad Thagadur Prakash
Hi Guys,
I am trying to find a way to populate the gidNumber and uidNumber when a
user is created in LDAP via Keycloak. I don’t want to use
hardcoded-attribute-mapper as it would put the same value to all the users.
Is there a way to populate these values when a user is created on the
Keycloak side?
For "posixAccount" in LDAP these are required (MUST) attributes, and LDAP
throws an error if these values are not present when a user is created.
Eagerly waiting for your reply.
Thanks,
6 years, 8 months
Theme caching
by Barish Yumerov
Hello,
I am running keycloak in a docker container using this image:
jboss/keycloak
I created a few themes, and disabled caching by editing
./standalone/configuration/standalone.xml as
    <theme>
        <staticMaxAge>-1</staticMaxAge>
        <cacheThemes>false</cacheThemes>
        <cacheTemplates>false</cacheTemplates>
        ...
    </theme>
Despite this, I can see changes only if I restart the docker container.
I even cleared all types of caches for the realm in the admin panel but
still I cannot see any changes :(
How can I clear the cache without restarting the docker container, or is there
any setting that disables caching in dev mode?
Thank you in advance!
Best Regards,
B Yumerov
6 years, 8 months