Dear KC Community,
my team and I have been stuck configuring a simple SAML service provider with Keycloak for at
least half a year now.
Our use case is a simple SP-initiated login and both IdP- and SP-initiated logout. We
deploy on WildFly 10 and we tried to use the wildfly-saml-adapter only, since the Keycloak
server as a broker forces a first login flow, which we tried to skip. Unfortunately we
couldn't get the Keycloak login module to get triggered and therefore we cannot obtain a
login on the EJB tier. We made a workaround for this and managed to finally log in. After that,
we found out that the logout does not work as expected. HttpRequest.logout() and setting
the request param ?GLO=true do not work alone, since we have to combine them to get the
logout request sent to the external IdP, but then we keep the session cookie in the SP
alive and we cannot process the success message from the IdP.
So we finally decided to try out the Keycloak server, since we might be missing something.
Unfortunately we just can't get it to work.
We are using nginx as a reverse proxy and configured the following:
location ^~ /auth/ {
    proxy_pass http://127.0.0.1:8180/auth;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
We also configured Keycloak's standalone.xml as follows:
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
           default-server="default-server" default-virtual-host="default-host"
           default-servlet-container="default"
           default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default"
                       proxy-address-forwarding="true" socket-binding="http"
                       redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https"
                        proxy-address-forwarding="true" security-realm="ApplicationRealm"
                        enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
</subsystem>
But we are stuck, since we cannot access the management/admin console of Keycloak over
nginx, as it redirects to localhost:8180/auth/admin (we are using a port offset).
Why does it do this? It might be the auth-server-url configuration of the master realm:
{"realm":"master","auth-server-url":"http://localhost:8180/auth","ssl-required":"external","resource":"security-admin-console","public-client":true,"confidential-port":0}
When I access the console over an SSH tunnel, the redirect works as expected (to
localhost:8181).
But how could we change that confusing behaviour? We really need to log in over the proxy,
since we need to configure an IdP whose redirect URI is bound to the URI of the request in
the browser (which is really confusing too).
Please help us; we decided to use Keycloak and we have really had a lot of trouble with it.
Regards,
Manuel Waltschek BSc.
manuel.waltschek@prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
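The symptom described in the post (Keycloak redirecting to the backend's localhost:8180 instead of the proxy's public address) comes down to which headers the proxy forwards and whether the listener trusts them. The following is an added example, not code from the post or from Keycloak/Undertow: it is a deliberately simplified model (an assumption) of how a proxy-address-forwarding listener derives the public origin from X-Forwarded-Proto/Host/Port, plus a check that flags a Location header pointing at the backend. The hostname sso.example.com, port 443 and the client IP are constructed values.

```python
from urllib.parse import urlsplit

# Backend address from the post (Keycloak with a port offset behind nginx).
BACKEND = "localhost:8180"

# Constructed sample: the headers the nginx location block in the post sends
# for a browser request to https://sso.example.com/auth/admin/ (assumed host).
NGINX_HEADERS = {
    "Host": "sso.example.com:443",
    "X-Forwarded-Host": "sso.example.com:443",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.10",
}


def base_url(headers, proxy_address_forwarding=True, backend=BACKEND):
    """Simplified model (assumption, not Undertow's code): with
    proxy-address-forwarding the listener trusts X-Forwarded-Proto/Host/Port;
    otherwise it uses the Host header and the plain scheme it received on,
    falling back to its own address when no Host header is present."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    host = h.get("host", backend)
    if proxy_address_forwarding:
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        port = h.get("x-forwarded-port")
        if port and ":" not in host:
            host = f"{host}:{port}"
    # Drop a redundant default port so origins compare canonically.
    default = {"http": ":80", "https": ":443"}.get(scheme, "")
    if default and host.endswith(default):
        host = host[: -len(default)]
    return f"{scheme}://{host}"


def redirect_leaks_backend(location, public_origin):
    """True when an absolute Location header sends the browser somewhere other
    than the proxy's public origin (e.g. to the backend's localhost:8180)."""
    loc, pub = urlsplit(location), urlsplit(public_origin)
    if not loc.netloc:  # relative redirect: stays on the origin the browser used
        return False
    return (loc.scheme, loc.netloc) != (pub.scheme, pub.netloc)


if __name__ == "__main__":
    print("forwarded headers trusted :", base_url(NGINX_HEADERS))
    print("forwarding disabled       :", base_url(NGINX_HEADERS, False))
    print("no headers at all         :", base_url({}))
    print("leak?", redirect_leaks_backend("http://localhost:8180/auth/admin/",
                                         "https://sso.example.com"))
```

Run the first check against what the proxy actually sends (for instance by pointing nginx at a request-echo endpoint) and compare the Location header Keycloak returns with `redirect_leaks_backend` before touching the realm's auth-server-url.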