Ciao Mattia,
Let's assume your realm (non-master) is named "foo". Here are the steps:
1. In admin console, go to master realm -> clients -> broker -> Credentials, copy
the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it
an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following:
http://localhost:8180/auth/realms/master/.well-known/openid-configuration
and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like
http://localhost:8180/auth/realms/foo/broker/master/endpoint);
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect
URIs", click save.
After that, your users will be able to authenticate on non-master realms via the master
realm. Upon the first successful login, the user will be presented with the Update Account
Information form. If you want to bypass that, you can enable identity auto-linking.
For Keycloak 4.5.0, it's out of the box - just use "Automatically Link Brokered
Account" authenticator in your first broker login flow.
For Keycloak <4.5.0, you can use this:
https://github.com/ohioit/keycloak-link-idp-with-user
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
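As an added example (not from this thread and not Keycloak's own code), here are the six steps above expressed as the Keycloak admin REST API payloads, assuming the localhost:8180 base URL and a non-master realm "foo"; the last function is my simplified stand-in for Keycloak's redirect-URI check, so you can see why an unregistered broker endpoint fails with "Invalid parameter: redirect_uri".

```python
from typing import Dict, List
BASE = "http://localhost:8180/auth"  # assumed Keycloak base URL, as in the thread

# Constructed discovery document: only the fields the keycloak-oidc provider needs.
DISCOVERY = {
    "issuer": f"{BASE}/realms/master",
    "authorization_endpoint": f"{BASE}/realms/master/protocol/openid-connect/auth",
    "token_endpoint": f"{BASE}/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": f"{BASE}/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": f"{BASE}/realms/master/protocol/openid-connect/logout",
    "jwks_uri": f"{BASE}/realms/master/protocol/openid-connect/certs",
}

def idp_representation(alias: str, discovery: Dict, secret: str) -> Dict:
    """Steps 2-4: body for POST /admin/realms/foo/identity-provider/instances."""
    return {
        "alias": alias,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "config": {
            "clientId": "broker",      # step 3: master's built-in broker client
            "clientSecret": secret,    # step 1: from broker -> Credentials
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "logoutUrl": discovery["end_session_endpoint"],
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",  # keep verifying master's token signatures
        },
    }

def broker_redirect_uri(realm: str, alias: str) -> str:
    """Step 5: the endpoint master's broker client must whitelist."""
    return f"{BASE}/realms/{realm}/broker/{alias}/endpoint"

def with_redirect_uri(client_rep: Dict, uri: str) -> Dict:
    """Step 6: ClientRepresentation for PUT /admin/realms/master/clients/{id}."""
    uris = list(client_rep.get("redirectUris", []))
    if uri not in uris:
        uris.append(uri)
    return {**client_rep, "redirectUris": uris}

def redirect_uri_allowed(registered: List[str], uri: str) -> bool:
    """Simplified form of the check behind 'Invalid parameter: redirect_uri':
    exact match, or prefix match for entries ending in '*'."""
    return any(uri == r or (r.endswith("*") and uri.startswith(r[:-1]))
               for r in registered)
```

The alias chosen in step 2 and the realm name both end up in the redirect URI, so a mismatch in either one (a different realm, or an alias like "master-oidc") produces a URI that master has never whitelisted.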
On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
Dmitry,
I found that information in master realm settings -> OpenID Endpoint Configuration link:
{
  "issuer": "http://localhost:8180/auth/realms/master",
  "authorization_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "userinfo_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "client_secret_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": false,
  "scopes_supported": ["openid", "address", "email", "offline_access", "phone", "profile"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true
}
I used it to fill in the form, as you can see from the image attached.
But when I click on the TECNICO link in the login form, the Keycloak page returns this message:
We're sorry...
Invalid parameter: redirect_uri
« Back to Application
and the server logs are:
15:57:09,193 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint
What am I doing wrong?
Thank you
Sent from Mail for Windows 10
From: Dmitry Telegin
Sent: Friday, 26 October 2018 03:29
To: Mattia Bello; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
Mattia,
Thanks for your explanation, the problem is clear now.
I think you can solve it with the help of identity brokering [1]. For each non-master
realm, you will have to configure brokering to master. After that, a badge will appear on
the login screen, and after clicking it your users will be able to authenticate with their
master realm credentials.
If you're ok with this additional step, this could be an easy solution.
[1]
https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Fl...
Dmitry
On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> Sorry,
> I probably did not explain well.
> I have a client application that is accessible from all realms.
> I would like with a realm master user to be able to access the client application of
each realm, without creating users on each realm.
> I tried this, but when I log in to the client application with the user created in
the master realm, the login fails because it says that the user does not exist.
> Reading the documentation it is explained that the users created in the realm master
are used to manage the realm as admin, so you can create new realm and users and groups
within the various realms, but it is not specified that with this user you can access a
client application defined in realms.
> Is it possible to access the clients of the various realms with the master realm
users, without duplicating them in every realm, or not?
> Thank you
> On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
>
> > Hello Mattia, answers inline,
> >
> > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > We have this situation:
> > >
> > > master realm -> used to manage other realms
> > >
> > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > >
> > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > >
> > > we have to see all the retailers (realms), the companies (groups) and the users
> > >
> > > How can I do it?
> > >
> > > Can I create a master realm user and use it to access all the other realms?
> >
> > Yes, you can. In fact, there is already such a user - it's the admin that
> > you created on the first run. If you want more users with such access
> > in the master realm, grant them the "admin" realm role. If you look into
> > the "admin" role details, you'll see that it automatically includes all the
> > client roles of the *-realm clients; that's how it works under the hood.
> >
> > If you don't want to grant that powerful admin role, go to user -> Role
> > mappings and assign the necessary client roles from the *-realm
> > clients. The user will get access to the admin functions for that realm(s).
> >
> > >
> > > Or do I have to replicate the admin user in the master realm into all other realms
> > > to use it to log in to that realm?
> >
> > This is possible too. Create a user in the target realm, go to Role
> > mappings and assign the necessary roles from the realm-management
> > client.
> >
> > Good luck,
> > Dmitry Telegin
> >
> > >
> > > Thanks to all
> > >
> > >
> > >
> > > Mattia Bello
> > > Developer
> > >
> > > Horsa S.p.A.
> > > Via Cadorna, 67
> > > Vimodrone (MI)
> > > Mobile (+39) 340 36 07 937