[keycloak-dev] Issue with latest Github master and SAML IDP providers?

Bill Burke bburke at redhat.com
Tue Mar 17 07:47:18 EDT 2015


I was going to look into these problems today.  Let me know if you've 
gotten to them.

On 3/17/2015 5:05 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Guy Davis" <guydavis.ca at gmail.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Sunday, March 15, 2015 2:17:19 AM
>> Subject: Re: [keycloak-dev] Issue with latest Github master and SAML IDP providers?
>>
>> Hi Stian,
>>
>> I tried the following using the very latest Github master.
>>
>>     1. Keycloak appliance (built in distribution folder so Wildfly 8.2).
>>     Had a problem:
>>        1. Doesn't list SAML or Open ID Connect in the Identity Providers
>>        picklist like previous versions.  Please see screenshot attached.
>>        Did the IdP choice get moved?
>>     2. Deploying Keycloak into a JBoss EAP 6.3 (from Teiid 8.10).  Had
>>     following errors:
>>        1. Failed deployment due to lack of org.bouncycastle module.  Not
>>        part of JBoss 6 Adapter?  bcprov and bcpix are in
>>        auth-server.war/WEB-INF/lib, but something is trying to load it as
>>        a module.
>>        2. After adding an org.bouncycastle module manually using the bc 1.50
>>        jars, I got a resteasy-crypto module missing error.  If I add that I
>>        get conflicts between resteasy-2.3.8 in JBoss EAP and resteasy 3
>>        that provides resteasy-crypto.
>>
>> So, I'm struggling to see the best way forward.  I need to remain
>> compatible with Teiid which is tied to JBoss EAP, not Wildfly.  As well,
>> our app is still geared toward JBoss EAP 6.1.0alpha (aka JBoss AS 7).
>> Keycloak indicates adapters for WF, EAP, and AS 7 are all supported.  I was
>> able to demo Identity Brokering just two weeks ago successfully on AS7
>> (6.1.0alpha), so this is a recent change on master.
>>
>> Please advise on the best path forward.  A key benefit of Keycloak over
>> other IDP/SSO options was that it could exist in the same JBoss container
>> as our other apps and frameworks.
>
> We support adapters for EAP and AS7, but not deploying the server itself. We will provide an option for other JBoss projects to build their own Keycloak to embed into their project though, which would be the recommended route for Teiid if they'd like to include it.
>
>>
>> Thanks,
>> Guy
>>
>>
>> On Thu, Mar 12, 2015 at 11:50 PM, Stian Thorgersen <stian at redhat.com> wrote:
>>
>>> I assume this happens after you've clicked on 'PicketLink IDP' on the
>>> login screen?
>>>
>>> Can you try the same with the appliance download? We don't support JBoss
>>> EAP 6.1.0alpha, so maybe that's the problem.
>>>
>>> ----- Original Message -----
>>>> From: "Guy Davis" <guydavis.ca at gmail.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, March 12, 2015 7:52:00 PM
>>>> Subject: Re: [keycloak-dev] Issue with latest Github master and SAML IDP providers?
>>>>
>>>> Hi Stian,
>>>>
>>>> Thanks for the response.  Yes, I'm still seeing this issue with the very
>>>> latest Github master (including today's commit #1038).  This was working
>>>> for me a couple of weeks ago, before more recent commits.  We demoed the
>>>> identity broker to our management using a PicketLink test idp.war (in
>>>> same container) and also using MS WAAD on Azure.  It's a key feature
>>>> for us.
>>>>
>>>> Let me provide more details about my environment:
>>>>
>>>>     1. Building/running with Java 1.7
>>>>     2. Building master with 'mvn clean install -DskipTests=true
>>>>     -Pdistribution'
>>>>     3. Running within a JBoss EAP 6.1.0alpha container using the modules
>>>>     from distribution\as7-adapter-zip\target\unpacked in
>>>>     my ApplicationServer\modules\system\layers\base with the following
>>>>     differences:
>>>>        1. Had to add 'org/bouncycastle/main/bcprov-jdk16-1.46.jar'
>>>>        otherwise Keycloak complained on startup in server.log.
>>>>        2. Had to remove 'org/jboss/as' and 'org/jboss/aesh' as they were
>>>>        overwriting older JBoss EAP 6.1.0alpha versions and preventing
>>>>        startup.
>>>>     4. Deploying the auth-server.war by zipping the contents and renaming
>>>>     'auth.war', placing in my standalone/deployments folder.
>>>>     5. Updating the standalone.xml file with the required Keycloak config.
>>>>     Defining the realm and secure deployments in that XML directly.
>>>>     6. Starting with a missing H2 datasource to ensure old data/schema is
>>>>     not the problem.  On startup, I confirm admin's password and then
>>> re-build
>>>>     my DSIS realm.
>>>>
>>>> Any help you can provide would be most appreciated.  I'm using the
>>>> Keycloak master as features being added now such as Kerberos/Spnego and
>>>> Identity Brokering are critical use cases for our adoption.
>>>>
>>>> Thanks,
>>>> Guy
>>>>
>>>>
>>>> On Thu, Mar 12, 2015 at 3:49 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>
>>>>> Are you still having issues or did you figure it out?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Guy Davis" <guydavis.ca at gmail.com>
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Sent: Wednesday, 4 March, 2015 1:10:52 AM
>>>>>> Subject: [keycloak-dev] Issue with latest Github master and SAML IDP providers?
>>>>>>
>>>>>> Good day,
>>>>>>
>>>>>> I've been using a sample Picketlink IDP locally for testing the SAML
>>>>>> v2.0 ID brokering, however after updating to latest master and
>>>>>> re-deploying components, I'm getting the following error. Any tips?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Guy
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

