Dmitrij,
I'm continuing the tests to evaluate the solution, and I have a question:
I used identity broker mappers to assign special roles to users from the realm master.
However, on the realm master, I have two types of users, technicians and external
technicians.
Is it possible to choose a different role based on the fact that the user belongs to a
different group (technical group and external technicians)?
I tried using the External Role to Role mapper type but I do not understand how to do it.
Obviously, using the mapper type hardcoded role I can create roles for users, but I
cannot distinguish the two different types.
Thanks for the help :)
Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it
________________________________________
From: Mattia Bello
Sent: Tuesday, 30 October 2018 13:20
To: Dmitry Telegin; keycloak-user(a)lists.jboss.org
Subject: R: R: [keycloak-user] Need to log in to all realms with unique admin users
Dmitrij,
thanks for your detailed explanations, I followed them and managed to use the
broker.
However, I could not use "Automatically Link Brokered Account". I did not
understand what I have to do to enable it.
First of all I increased the version of the project dependency and the keycloak server to
version 4.5.0, so as to have all the features available.
Having said that, here are my doubts about this solution:
1. If you are logged in to the realm master, via the admin console site, when you click on
the broker's link to log in to the client application with a realm master user, the realm
master login is not displayed, because the account that is logged in at that time is used.
This implies the limitation of NOT using the admin console site and the client application
simultaneously.
2. After logging in, using the broker's link on the client application, if I try to
log out, the latter is done on the client application, but if I log in to the admin console
site it detects my last login. It is as if I were NOT logged out of all clients (client
application and admin console site).
3. Once logged in, using the broker's link on the client application, the user is
duplicated from the realm master to the client application realm. So, I have a question:
For the next accesses, will I always have to use the link or will I have to insert only
username and password in the client application login form? Any changes to the user on the
realm master will be automatically propagated on the duplicates of the other realms? In
which cases, only when the broker link is used?
4. Is there not a way to share only the users' databases, without having to have
fifteen duplications on the realms other than the master one? For example, as a User
Federation.
5. Are there any other possible solutions? Or do you have any suggestion to propose?
Thank you
Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it
________________________________________
From: Dmitry Telegin [dt(a)acutus.pro]
Sent: Tuesday, 30 October 2018 05:18
To: Mattia Bello; keycloak-user(a)lists.jboss.org
Subject: Re: R: [keycloak-user] Need to log in to all realms with unique admin users
Ciao Mattia,
Let's assume your realm (non-master) is named "foo". Here are the steps:
1. In admin console, go to master realm -> clients -> broker -> Credentials, copy
the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it
an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following:
https://urlsand.esvalabs.com/?u=http%3A%2F%2Flocalhost%3A8180%2Fauth%2Fre...
and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like
https://urlsand.esvalabs.com/?u=http%3A%2F%2Flocalhost%3A8180%2Fauth%2Fre...
);
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect
URIs", click save.
After that, your users will be able to authenticate on non-master realms via the master
realm. Upon the first successful login, the user will be presented with the Update Account
Information form. If you want to bypass that, you can enable identity auto-linking.
For Keycloak 4.5.0, it's out of the box - just use the "Automatically Link Brokered
Account" authenticator in your first broker login flow.
For Keycloak <4.5.0, you can use this:
https://urlsand.esvalabs.com/?u=https%3A%2F%2Fgithub.com%2Fohioit%2Fkeycl...
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
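The brokering setup from the six steps above, plus the Valid Redirect URIs check behind the invalid_redirect_uri error Mattia reported, as an added Python example (not code from the thread or from Keycloak itself). It assumes the standard Keycloak discovery document and the broker endpoint layout /realms/<realm>/broker/<alias>/endpoint; the sample discovery document is constructed.

```python
# Added example for the brokering steps in this thread (not code from the
# thread or from Keycloak). Assumes the standard Keycloak discovery document
# and the broker endpoint layout /realms/<realm>/broker/<alias>/endpoint.

# Constructed sample of the master realm's discovery document, modelled on the
# localhost:8180 setup in the thread (only the fields "Import from URL" uses).
SAMPLE_DISCOVERY = {
    "issuer": "http://localhost:8180/auth/realms/master",
    "authorization_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
}

# discovery field -> config key of a keycloak-oidc identity provider
DISCOVERY_TO_IDP = {
    "issuer": "issuer",
    "authorization_endpoint": "authorizationUrl",
    "token_endpoint": "tokenUrl",
    "userinfo_endpoint": "userInfoUrl",
    "end_session_endpoint": "logoutUrl",
    "jwks_uri": "jwksUrl",
}

def idp_representation(alias, client_id, client_secret, discovery):
    """Identity provider representation matching steps 2-4 (admin REST API shape)."""
    config = {"clientId": client_id, "clientSecret": client_secret,
              "validateSignature": "true", "useJwksUrl": "true"}
    for disc_key, idp_key in DISCOVERY_TO_IDP.items():
        if disc_key in discovery:
            config[idp_key] = discovery[disc_key]
    return {"alias": alias, "providerId": "keycloak-oidc", "enabled": True, "config": config}

def broker_redirect_uri(base_url, realm, alias):
    """Redirect URI the master 'broker' client must list as valid (steps 5-6)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"

def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Simplified model of the Valid Redirect URIs check that raises
    invalid_redirect_uri: exact match, or prefix match for entries ending in '*'."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False
```

Until the URI returned by broker_redirect_uri is added to the master broker client, redirect_uri_allowed returns False, which is the situation the LOGIN_ERROR log line describes.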
On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
Dmitry,
I found that information in master realm settings -> OpenID Endpoint Configuration link:
I used it to compile the form, as you can see from the image attached.
But, when I click on the TECNICO link in the login form, the keycloak page
returns this message:
We're sorry...
Invalid parameter: redirect_uri
« Back to Application
and server logs are:
task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app,
userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri,
redirect_uri=
https://urlsand.esvalabs.com/?u=http%3A%2F%2Flocalhost%3A8180%2Fauth%2Fre...
oidc/endpoint
What am I doing wrong?
Thank you
Sent from Mail for Windows 10
From: Dmitry Telegin
Sent: Friday, 26 October 2018 03:29
To: Mattia Bello; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
Mattia,
Thanks for your explanation, the problem is clear now.
I think you can solve it with the help of identity brokering [1]. For each non-master
realm, you will have to configure brokering to master. After that, a badge will appear on
the login screen, and after clicking it your users will be able to authenticate with their
master realm credentials.
If you're ok with this additional step, this could be an easy solution.
[1] https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Fl...
Dmitry
On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> Sorry,
> I probably did not explain well.
> I have a client application that is accessible from all realms.
> I would like with a realm master user to be able to access the client application of
each realm, without creating users on each realm.
> I tried this but when I log in to the client application with the user created in
the realm master the log in fails because it says that the user does not exist.
> Reading the documentation it is explained that the users created in the realm master
are used to manage the realm as admin, so you can create new realm and users and groups
within the various realms, but it is not specified that with this user you can access a
client application defined in realms.
> Is it possible to access to clients of the various realms with the realm master
users, without duplicating them in every realm, or not?
> Thank you
>
> Get Outlook for Android
>
> On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
>
> > Hello Mattia, answers inline,
> >
> > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > We have this situation:
> > >
> > > master realm -> used to manage other realms
> > >
> > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > >
> > > for each realm we have group1, group2, group3, .. -> are companies and
> > > contain a group of users
> > >
> > > we have to see all the retailers (realms), the companies (groups) and the
> > > users
> > >
> > > How can I do it?
> > >
> > > Can I create a master realm user and use it to access all the other
> > > realms?
> >
> > Yes you can. In fact, there is already such a user - it's admin that
> > you've created on the first run. If you want more users with such an
> > access in master realm, grant them "admin" realm role. If you look into
> > "admin" role details, you'll see that it automatically includes all the
> > client roles of *-realm clients, that's how it works under the hood.
> >
> > If you don't want to grant that powerful admin role, go to user -> Role
> > mappings and assign the necessary client roles from the *-realm
> > clients. The user will get access to the admin functions for that realm(s).
> >
> > >
> > > Or do I have to replicate the admin user in master realm into all other realms
> > > to use it to log in in that realm?
> >
> > This is possible too. Create a user in the target realm, go to Role
> > mappings and assign the necessary roles from the realm-management
> > client.
> >
> > Good luck,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > >
> > > Thank to all
> > >
> > >
> > >
> > > Mattia Bello
> > > Developer
> > >
> > > Horsa S.p.A.
> > > Via Cadorna, 67
> > > Vimodrone (MI)
> > > Mobile (+39) 340 36 07 937
> > > www.horsa.it
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user