6:43 a.m.
Hi,
just wondering if we could hide the default page
https://keycloak.mydomain.com/auth because tat prompts you to log in to the
master realm which we don't want visible.
I could block that page outright but sometimes we might need to log in to
the master realm for user admin.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20
7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344
<%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
6:52 a.m.
Please let me know if you come up with a solution. We would actually like to limit access
to this page to inside the firewall. No external access.
Thanks
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Kevin Thorpe
Sent: Wednesday, March 30, 2016 7:43 AM
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Can we change the default realm on Keycloak?
Hi,
just wondering if we could hide the default page https://keycloak.mydomain.com/auth
because tat prompts you to log in to the master realm which we don't want visible.
I could block that page outright but sometimes we might need to log in to the master realm
for user admin.
Kevin Thorpe
VP Enterprise Platform
[http://i.imgur.com/8UeC1YO.png]
www.p-i.net<http://www.p-i.net/> | @PI_150<https://twitter.com/@PI_150>
T: +44 (0)20 3005 6750<tel:%2B44%20%280%2920%203005%206750> | F: +44(0)20 7730
2635<tel:%2B44%280%2920%207730%202635> | T: +44 (0)808 204
0344<tel:%2B44%20%280%29808%20204%200344>
150 Buckingham Palace Road, London, SW1W 9TR, UK
[https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo_150.png]
[https://clients.p-i.net/documents/11003/1116416/ISO27001.logo_150.png]
[https://clients.p-i.net/documents/11003/1116416/QMS.logo_150.png]
[https://clients.p-i.net/documents/11003/1116416/pci.logo_150.png]
SAVE PAPER - THINK BEFORE YOU PRINT!
____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have received this
email in error please notify the system manager. This message contains confidential
information and is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail. Please notify the
sender immediately by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
6:53 a.m.
Well I can hard-block because we front everything with an Nginx instance.
Just seems dirty though.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20
7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344
<%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
On 30 March 2016 at 12:52, Ben Bazian <bbazian(a)mbopartners.com> wrote:
Please let me know if you come up with a solution. We would actually
like
to limit access to this page to inside the firewall. No external access.
Thanks
*From:* keycloak-user-bounces(a)lists.jboss.org [mailto:
keycloak-user-bounces(a)lists.jboss.org] *On Behalf Of *Kevin Thorpe
*Sent:* Wednesday, March 30, 2016 7:43 AM
*To:* keycloak-user <keycloak-user(a)lists.jboss.org>
*Subject:* [keycloak-user] Can we change the default realm on Keycloak?
Hi,
just wondering if we could hide the default page
https://keycloak.mydomain.com/auth because tat prompts you to log in to
the master realm which we don't want visible.
I could block that page outright but sometimes we might need to log in to
the master realm for user admin.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20
7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344
<%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
8:17 a.m.
Hi,
you can configure welcome theme in keycloak-server.json - See docs
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html...
. Then in your theme you can override the welcome file and hide link to
admin console from it.
For access admin console just from local addresses, we don't support it
AFAIK, but you can achieve it with usage of some custom proxy/filter,
which will reject request coming from external IP address.
For the future, we plan to improve authorization/permissions for admin
console. As part of this, it will be possible to create authorization
rule to limit access just for some IP addresses. Not sure when this is
available though...
Marek
On 30/03/16 13:53, Kevin Thorpe wrote:
Well I can hard-block because we front everything with an Nginx
instance. Just seems dirty though.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <tel:%2B44%20%280%2920%203005%206750> | F:
+44(0)20 7730 2635 <tel:%2B44%280%2920%207730%202635> | T: +44 (0)808
204 0344 <tel:%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager. This message contains confidential information and
is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the contents
of this information is strictly prohibited.
On 30 March 2016 at 12:52, Ben Bazian <bbazian(a)mbopartners.com
<mailto:bbazian@mbopartners.com>> wrote:
Please let me know if you come up with a solution. We would
actually like to limit access to this page to inside the
firewall. No external access.
Thanks
*From:*keycloak-user-bounces@lists.jboss.org
<mailto:keycloak-user-bounces@lists.jboss.org>
[mailto:keycloak-user-bounces@lists.jboss.org
<mailto:keycloak-user-bounces@lists.jboss.org>] *On Behalf Of
*Kevin Thorpe
*Sent:* Wednesday, March 30, 2016 7:43 AM
*To:* keycloak-user <keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
*Subject:* [keycloak-user] Can we change the default realm on
Keycloak?
Hi,
just wondering if we could hide the default page
https://keycloak.mydomain.com/auth
<https://keycloak.mydomain.com/auth> because tat prompts you to
log in to the master realm which we don't want visible.
I could block that page outright but sometimes we might need to
log in to the master realm for user admin.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net <http://www.p-i.net/> | @PI_150
<https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <tel:%2B44%20%280%2920%203005%206750> |
F: +44(0)20 7730 2635 <tel:%2B44%280%2920%207730%202635> | T: +44
(0)808 204 0344 <tel:%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error
please notify the system manager. This message contains
confidential information and is intended only for the individual
named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the
sender immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you are not
the intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of
this information is strictly prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:26 a.m.
Using Nginx to stop obvious access to master realm:
Well I can hard-block with:
location =/auth/ { return 404; }
I *should* be able to do:
location =/auth/ {
allow 10.20.0.0/16; # all our LAN + VPN
range
deny all;
}
but it's not working when I test it.
You'd also want to block:
location /auth/realms/master
to stop people who know it's Keycloak
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20
7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344
<%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
On 30 March 2016 at 12:52, Ben Bazian <bbazian(a)mbopartners.com> wrote:
Please let me know if you come up with a solution. We would actually
like
to limit access to this page to inside the firewall. No external access.
Thanks
*From:* keycloak-user-bounces(a)lists.jboss.org [mailto:
keycloak-user-bounces(a)lists.jboss.org] *On Behalf Of *Kevin Thorpe
*Sent:* Wednesday, March 30, 2016 7:43 AM
*To:* keycloak-user <keycloak-user(a)lists.jboss.org>
*Subject:* [keycloak-user] Can we change the default realm on Keycloak?
Hi,
just wondering if we could hide the default page
https://keycloak.mydomain.com/auth because tat prompts you to log in to
the master realm which we don't want visible.
I could block that page outright but sometimes we might need to log in to
the master realm for user admin.
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
*T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20
7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344
<%2B44%20%280%29808%20204%200344> *
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
3206
days inactive
3206
days old
4 comments
3 participants
participants (3)
-
Ben Bazian -
Kevin Thorpe -
Marek Posolda