Hi, so it is not possible to disable X509 auth for a single Keycloak realm.
For the second question:
is it possible to have the correct value of authnContextClassRef
in the Keycloak SAML response? Can anyone help me?
For every type of authentication I always receive the same value of
authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
Thanks,
Roberto
On Monday, 28 January 2019, 21:27:14 CET, Marek Posolda <mposolda(a)redhat.com> wrote:
I think that on the Wildfly/Undertow level you can configure if client
authentication is:
- mandatory
- optional (which means it is possible to be used, but things won't
break if client certificate is not used)
- none
See docs (and Wildfly docs) for more details on how to configure it.
I think that if you use the "optional", it will be possible that client
certificates won't be used if you use them in realm1 (also you may need
to ensure that X509 certificate authenticator is not in the browser flow
of realm1).
Marek
On 24/01/2019 11:22, roberto palmarin wrote:
Hi, my goal is to have services that authenticate with user and
password and services that authenticate with X509 certificate.
Moreover, if I am authenticated with the certificate, I no longer have to authenticate
with username and password.
I have seen that the SAML parameter authnContextClassRef is not supported by Keycloak,
which would allow forcing the authentication method!
I then tried to create new realms and use one realm for authentication with
username/password and the other realm for X509 mutual authentication.
The question is: how can I disable X509 mutual authentication for a realm on Keycloak? The
configuration for mutual authentication is at the Wildfly level and not at the realm level
nor at the Keycloak client level.
Is it possible to have the correct value of authnContextClassRef in the Keycloak SAML
response?
Thanks,
Roberto Palmarin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
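
A service provider can check which AuthnContextClassRef a SAML response carries, the value discussed in this thread, and refuse a login whose class does not match its policy. The following is an added example, not code from the thread or from Keycloak; the sample response is constructed, the function names are hypothetical, and it assumes the response signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
UNSPECIFIED = AC + "unspecified"
X509 = AC + "X509"
PASSWORD = AC + "PasswordProtectedTransport"

# Constructed sample response (not captured from a real IdP); {cls} is filled in below.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="2019-01-29T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def authn_context_classes(response_xml):
    """Return the AuthnContextClassRef of every AuthnStatement in the response."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]

def check_authn_context(response_xml, accepted):
    """Hypothetical SP-side policy: every statement must carry an accepted class."""
    classes = authn_context_classes(response_xml)
    if not classes:
        return False, "no AuthnContextClassRef present"
    rejected = [c for c in classes if c not in accepted]
    if rejected:
        return False, "class not accepted: " + ", ".join(rejected)
    return True, "accepted: " + ", ".join(classes)

if __name__ == "__main__":
    # A service that requires certificate login accepts only the X509 class.
    for cls in (X509, PASSWORD, UNSPECIFIED):
        print(cls, "->", check_authn_context(SAMPLE.format(cls=cls), {X509}))
```

With a response that always carries the unspecified class, as reported above, a policy of this kind rejects every login, so the service provider cannot tell certificate logins from password logins by this field.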