5:25 a.m.
Yes, sure.
If you need to just override themes, you may not need to override
authentication flow. But if you need to override UsernamePassword
Authenticator and change the implementation, so that it doesn't allow to
login with username/password at all, then you will need to add this
authenticator implementation into new browser authentication flow. Maybe
instead of overriding UsernamePassword authenticator, it's easier to
create new implementation of authenticator, which will just show the
Freemarker form with links to brokers (No username/password). In that
case you will also need to create new authentication flow and add that
new authenticator implementation to it.
Marek
On 25/06/18 08:57, Corbetta, Francesco wrote:
Hello
What about changing the browser authentication flow?
Best
Francesco
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Marek Posolda
Sent: 25 June 2018 08:49
To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
It's possible to remove username/password fields from login screen by doing custom
theme and override freemarker template for login screen.
You may need to remove tab "password" from account management as well so that
users are not able to set their password here. This can be also achieved through theme.
Thing is, that after changing themes, users will be still able to login with their
username/passwords if they "simulate" sending the same HTTP request, which login
screen is sending (they can also simulate changing their password in account management by
HTTP request even if "password"
tab is not in the UI). So if you expect to have malicious users, which would try to do
something like this and you want to be safe and avoid this, you may need to
change/override the UsernamePassword Authenticator too and avoid authentication of users
with username/password. Then login with username/password will be impossible even if user
is trying to "simulate" the request like this.
Marek
On 24/06/18 14:30, mj wrote:
> Hi,
>
> Is there a way to create a realm in keycloak with a few brokered IdP's,
> *without* the local username/password fields on the login screen,
> but
> *only* a list of external IdP's to choose from?
>
> Thanks!
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:38 a.m.
New subject: brokered-login only
You will need auto-linking of IDP to internal account as well, so they won't
be asked for their password in order to approve linking their Keycloak
account to the IDP.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, June 25, 2018 5:25 AM
To: Corbetta, Francesco <fco(a)iec.ch>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
Yes, sure.
If you need to just override themes, you may not need to override
authentication flow. But if you need to override UsernamePassword
Authenticator and change the implementation, so that it doesn't allow to
login with username/password at all, then you will need to add this
authenticator implementation into new browser authentication flow. Maybe
instead of overriding UsernamePassword authenticator, it's easier to create
new implementation of authenticator, which will just show the Freemarker
form with links to brokers (No username/password). In that case you will
also need to create new authentication flow and add that new authenticator
implementation to it.
Marek
On 25/06/18 08:57, Corbetta, Francesco wrote:
Hello
What about changing the browser authentication flow?
Best
Francesco
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
Sent: 25 June 2018 08:49
To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
It's possible to remove username/password fields from login screen by
doing
custom theme and override freemarker template for login screen.
You may need to remove tab "password" from account management as well so
that users are not able to set their password here. This can be also
achieved through theme.
Thing is, that after changing themes, users will be still able to login
with their
username/passwords if they "simulate" sending the same HTTP
request, which login screen is sending (they can also simulate changing
their password in account management by HTTP request even if "password"
tab is not in the UI). So if you expect to have malicious users,
which
would try to do something like this and you want to be safe and avoid this,
you may need to change/override the UsernamePassword Authenticator too and
avoid authentication of users with username/password. Then login with
username/password will be impossible even if user is trying to "simulate"
the request like this.
Marek
On 24/06/18 14:30, mj wrote:
> Hi,
>
> Is there a way to create a realm in keycloak with a few brokered IdP's,
> *without* the local username/password fields on the login screen,
> but
> *only* a list of external IdP's to choose from?
>
> Thanks!
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:30 a.m.
New subject: brokered-login only
Hi,
ok, that seems like a lot of things to keep into consideration for
(what I guess) would be the most basic use case:
create a dedicated 'brokering' realm, where users can only logon
'brokered'.
I mean, to combine 'local' and brokered users in the same realm would be
more unlikely and advanced..right?
(in our case, for example: we have setup a keycloak realm for our
ldap-federated users, and now want to setup a second realm to facilitate
SSO between our users and those of some other remote networks)
What I am saying: Isn't it more likely to have a brokered-only realm(s),
plus other realms with local users?
So shouldn't it be 'normal standard behaviour' to disallow local logons
for brokered accounts?
Or am I missing something here..? From what I see, you would normally
want to rely on the remote IdP's data for authentication, and (almost?)
never on a local administrative 'ghost copy' of it?
Probably there is something I am missing though...?
MJ
On 25-6-2018 15:38, pkboucher801(a)gmail.com wrote:
You will need auto-linking of IDP to internal account as well, so
they won't
be asked for their password in order to approve linking their Keycloak
account to the IDP.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, June 25, 2018 5:25 AM
To: Corbetta, Francesco <fco(a)iec.ch>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
Yes, sure.
If you need to just override themes, you may not need to override
authentication flow. But if you need to override UsernamePassword
Authenticator and change the implementation, so that it doesn't allow to
login with username/password at all, then you will need to add this
authenticator implementation into new browser authentication flow. Maybe
instead of overriding UsernamePassword authenticator, it's easier to create
new implementation of authenticator, which will just show the Freemarker
form with links to brokers (No username/password). In that case you will
also need to create new authentication flow and add that new authenticator
implementation to it.
Marek
On 25/06/18 08:57, Corbetta, Francesco wrote:
> Hello
>
> What about changing the browser authentication flow?
>
> Best
>
> Francesco
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
> Sent: 25 June 2018 08:49
> To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> It's possible to remove username/password fields from login screen by
doing custom theme and override freemarker template for login screen.
>
> You may need to remove tab "password" from account management as well so
that users are not able to set their password here. This can be also
achieved through theme.
>
> Thing is, that after changing themes, users will be still able to login
with their username/passwords if they "simulate" sending the same HTTP
request, which login screen is sending (they can also simulate changing
their password in account management by HTTP request even if "password"
> tab is not in the UI). So if you expect to have malicious users, which
would try to do something like this and you want to be safe and avoid this,
you may need to change/override the UsernamePassword Authenticator too and
avoid authentication of users with username/password. Then login with
username/password will be impossible even if user is trying to "simulate"
the request like this.
>
> Marek
>
>
> On 24/06/18 14:30, mj wrote:
>> Hi,
>>
>> Is there a way to create a realm in keycloak with a few brokered IdP's,
>> *without* the local username/password fields on the login screen,
>> but
>> *only* a list of external IdP's to choose from?
>>
>> Thanks!
>>
>> MJ
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:49 a.m.
New subject: brokered-login only
Hi Peter,
On 25-6-2018 15:38, pkboucher801(a)gmail.com wrote:
You will need auto-linking of IDP to internal account as well, so
they won't
be asked for their password in order to approve linking their Keycloak
account to the IDP.
Regarding this auto-linking: I understand what you mean. Are you talking
about this:
https://github.com/ohioit/keycloak-link-idp-with-user
Or is this functionality implemented in keycloak nowadays? (since the
plugin above appears to be unmaintained...)
MJ
5:23 a.m.
New subject: brokered-login only
Not yet in Keycloak OOTB. But at least JIRA created -
https://issues.jboss.org/browse/KEYCLOAK-7720 ;)
Marek
On 26/06/18 09:49, lists wrote:
Hi Peter,
On 25-6-2018 15:38, pkboucher801(a)gmail.com wrote:
> You will need auto-linking of IDP to internal account as well, so they won't
> be asked for their password in order to approve linking their Keycloak
> account to the IDP.
Regarding this auto-linking: I understand what you mean. Are you talking
about this:
https://github.com/ohioit/keycloak-link-idp-with-user
Or is this functionality implemented in keycloak nowadays? (since the
plugin above appears to be unmaintained...)
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:07 p.m.
New subject: brokered-login only
Hi MJ,
Not that I'm not affiliated with
https://github.com/ohioit/keycloak-link-idp-with-user . You could use it, but you would
have to make some tweaks to get it to work with the newer Keycloak.
Note also that I'm not affiliated with Keycloak, either, but the question of whether
to just tweak the theme to remove the username and password, or do what Marek describes in
the quoted text below, depends on your use case, in my opinion.
Is it just for convenience and reduced confusion that you want to prevent showing the
username and password form to the users and show them instead only buttons for the
available brokered login methods? If so, then a theme change would probably be fine.
Would it be a violation of your security policy if a hacker users used fiddler or somesuch
to tweak what the browser sends in order to login anyway with a username and password,
even though you didn't include that form on your login Freemarker page? Then
you'll probably want to change the flow itself as Marek suggests, to block that from
happening.
If you need to just override themes, you may not need to override
authentication flow. But if you need to override UsernamePassword
Authenticator and change the implementation, so that it doesn't allow
to login with username/password at all, then you will need to add this
authenticator implementation into new browser authentication flow.
Maybe instead of overriding UsernamePassword authenticator, it's
easier to create new implementation of authenticator, which will just
show the Freemarker form with links to brokers (No username/password).
In that case you will also need to create new authentication flow and
add that new authenticator implementation to it.
Marek
Regards,
Peter
-----Original Message-----
From: lists [mailto:lists@merit.unu.edu]
Sent: Tuesday, June 26, 2018 3:49 AM
To: keycloak-user(a)lists.jboss.org
Cc: pkboucher801(a)gmail.com
Subject: Re: [keycloak-user] brokered-login only
Hi Peter,
On 25-6-2018 15:38, pkboucher801(a)gmail.com wrote:
You will need auto-linking of IDP to internal account as well, so
they
won't be asked for their password in order to approve linking their
Keycloak account to the IDP.
Regarding this auto-linking: I understand what you mean. Are you talking about this:
https://github.com/ohioit/keycloak-link-idp-with-user
Or is this functionality implemented in keycloak nowadays? (since the plugin above appears
to be unmaintained...)
MJ
4:20 a.m.
New subject: brokered-login only
Hi Peter,
On 06/27/2018 08:07 PM, pkboucher801(a)gmail.com wrote:
Is it just for convenience and reduced confusion that you want to
prevent showing the username and password form to the users and show
them instead only buttons for the available brokered login methods?
If so, then a theme change would probably be fine.
Yes, that's the reason.
Would it be a violation of your security policy if a hacker users
used fiddler or somesuch to tweak what the browser sends in order to
login anyway with a username and password, even though you didn't
include that form on your login Freemarker page? Then you'll
probably want to change the flow itself as Marek suggests, to block
that from happening.That was not our primary concern.
Thanks for all the pointers in this thread. We will edit the template.
However.. We still feel that a checkbox like "Disallow direct user/pass
logins for this realm" would be a good feature. :-)
MJ
2127
days inactive
2130
days old
6 comments
4 participants
participants (4)
-
lists -
Marek Posolda -
mj
-
pkboucher801@gmail.com