I looked into the source code and it looks like ForceAuthn is not supported.
Even isPassive (equivalent of prompt=none) looks unsupported in the
Keycloak SAML protocol endpoint.
Will do JIRAs for all these things, and maybe implement something ;-)
Vl.
On 12.11.2015 16:09, Stian Thorgersen wrote:
Dunno ;)
On 12 November 2015 at 15:00, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
BTW even SAML2 protocol has ForceAuthn="true" attribute in the
AuthnRequest. Is it supported in Keycloak?
Vl.
On 12.11.2015 14:39, Stian Thorgersen wrote:
>
> On 12 November 2015 at 14:15, Vlastimil Elias <velias(a)redhat.com
> <mailto:velias@redhat.com>> wrote:
>
> Hi,
>
> I'd like to use the long session authentication mechanism known
> from many sites like Google, Facebook, LinkedIn etc.
> It is about really long user SSO sessions (e.g. weeks or even
> months) with reauthentication for important actions when the last
> authentication timestamp is older than some limit.
>
> Is this somehow possible with the current Keycloak server and
> Keycloak adapters?
>
> I see a few subquestions in this problem for our use:
>
> *****
> The OpenID Connect protocol defines a few auth request parameters
> to support this use case, mainly max_age or prompt=login. Are they
> correctly implemented in Keycloak server?
>
>
> We don't have support for max_age and we only support prompt=none
> so these would have to be added
>
>
> *****
> Wildfly/EAP adapter - is it possible, and is there some example of
> how to use a "reauth if auth is older than 30min" action in a Java
> app secured by this adapter? Or is info about the last auth
> timestamp somehow available in the app?
>
>
> We don't set auth_time claim ATM so answer is no
>
>
> *****
> Keycloak user account application itself - it is part of the
> Keycloak server, but it contains sensitive actions which typically
> require reauthentication in this long session scheme (password
> change, email change, ...). Is it somehow possible to configure
> Keycloak to force timeout reauth for this app?
>
>
> Not at the moment - but if we add what you want it would also
> make sense to add that. Would need to be configurable through the
> admin console. Would also be nice to have the same for the admin
> console itself.
>
>
>
> Thanks in advance
>
> Vl.
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team