[keycloak-user] Installing keycloak behind IIS to secure a WildFly app

Steven Ireland Steven.Ireland at SLSDIST.COM
Fri Apr 7 15:18:01 EDT 2017


I had success installing Keycloak locally and securing a local WildFly application running locally. I log in, WildFly hands me off to Keycloak and Keycloak passes me back and the app kicks off.

However when I run outside of the local network I can have WildFly pass me to Keycloak but after I provide valid credentials I do not get passed back.  I'm running behind IIS and use URL rerouting (https externally to http internally).  I've installed SSL for IIS but have not installed keycloak to run using SSL.

Is it required that keycloak run under its own SSL configuration (instead of using the SSL I installed for IIS?).  If so can I use the same certificate I installed for IIS?   And does my WildFly app need to run under its own SSL setup in order for Keycloak to be able to handshake with it?

This is new territory for me so I apologize if my questions don't make sense.  But if anyone has this scenario I would appreciate knowing which path I should be going down.

Thanks.
Steve
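The scenario above (TLS terminated at IIS, plain http to WildFly and Keycloak behind it) is the classic reverse-proxy case: the backend sees an http request on an internal host, so the adapter builds its redirect_uri from that internal http origin and Keycloak then either rejects it against the client's Valid Redirect URIs or sends the browser back to an address it cannot reach. Keycloak's documented fix is to set `proxy-address-forwarding="true"` on the Undertow http-listener and have the proxy send `X-Forwarded-For` and `X-Forwarded-Proto` (IIS URL Rewrite can set these as server variables), and to register the external https URL in the client's Valid Redirect URIs. The following is an added example, not code from the list post or from Keycloak; host names, addresses and the request object are constructed, and the redirect-URI matcher is an approximation of Keycloak's prefix-wildcard check. It shows the redirect_uri the backend computes with and without honouring the forwarded headers, and why only the trusted proxy's headers may be honoured.

```javascript
// Added example: effect of a TLS-terminating reverse proxy on the redirect_uri
// an OIDC adapter computes, and the Valid Redirect URIs check that follows.
//
// Constructed assumptions: the app is published as https://app.example.com,
// the internal listener is http://10.0.0.5:8080, and 10.0.0.2 is the proxy.

const TRUSTED_PROXIES = new Set(["10.0.0.2"]);

// Reconstruct the origin the browser actually used. Forwarded headers are
// honoured only when the TCP peer is a trusted proxy, because any client can
// write X-Forwarded-* headers itself.
function effectiveOrigin(req, honourForwardedHeaders) {
  const fromProxy = TRUSTED_PROXIES.has(req.peerAddress);
  const h = req.headers;
  if (honourForwardedHeaders && fromProxy && h["x-forwarded-proto"]) {
    const host = h["x-forwarded-host"] || h["host"];
    return `${h["x-forwarded-proto"]}://${host}`;
  }
  return `${req.scheme}://${h["host"]}`;
}

// The adapter derives redirect_uri from what it believes the origin was.
function buildRedirectUri(req, honourForwardedHeaders, path) {
  return effectiveOrigin(req, honourForwardedHeaders) + path;
}

// Approximation of Keycloak's Valid Redirect URIs check: a pattern ending in
// '*' matches any URI with that prefix; any other pattern must match exactly.
function matchesRedirectUri(uri, patterns) {
  return patterns.some(p =>
    p.endsWith("*") ? uri.startsWith(p.slice(0, -1)) : uri === p);
}

// Constructed request as WildFly sees it after IIS rewrote https -> http.
const proxiedRequest = {
  peerAddress: "10.0.0.2",
  scheme: "http",
  headers: {
    host: "10.0.0.5:8080",
    "x-forwarded-proto": "https",
    "x-forwarded-host": "app.example.com",
  },
};

// What the client would have registered in the Keycloak admin console.
const VALID_REDIRECT_URIS = ["https://app.example.com/*"];

// Run the round trip once with and once without proxy awareness.
function demo(honourForwardedHeaders) {
  const uri = buildRedirectUri(proxiedRequest, honourForwardedHeaders, "/secured/");
  return { redirectUri: uri, accepted: matchesRedirectUri(uri, VALID_REDIRECT_URIS) };
}

console.log("without forwarded headers:", demo(false));
console.log("with forwarded headers:   ", demo(true));
```

Without the forwarded headers the computed redirect_uri is the internal http address and fails the check; with them it is the external https address and passes. The same internal-address problem applies to the URLs Keycloak itself emits, which is why the proxy setting belongs on the Keycloak listener as well as on the application's.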


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of keycloak-user-request at lists.jboss.org
Sent: Friday, April 7, 2017 6:38 AM
To: keycloak-user at lists.jboss.org
Subject: keycloak-user Digest, Vol 40, Issue 10


Today's Topics:

   1. How to mock LDAP user login with expired password (Adrian Madaras)
   2. 401 for spring security adapter + spring boot + long session
      (Aritz Maeztu)
   3. Using the nodejs-connect adapter without a logout route
      (Jonathan Little)
   4. Creating group mappers for ldap (Sumit Das)
   5. Re: [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in
      (Jacobs, Michael)
   6. Parametric Client Configuration (matteo restelli)
   7. (no subject) (JiJesH V U)


----------------------------------------------------------------------

Message: 1
Date: Thu, 6 Apr 2017 14:17:51 +0000 (UTC)
From: Adrian Madaras <madaras_adrian at yahoo.com>
Subject: [keycloak-user] How to mock LDAP user login with expired password
To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Message-ID: <835449372.1172754.1491488271883 at mail.yahoo.com>
Content-Type: text/plain; charset=UTF-8

Hi everyone,
I know that showing a message if the user's password is expired is a security breach but I need this for my development purposes. I've managed to implement this in LDAPStorageProvider.java using ThreadLocal and then sending the appropriate message to the front end in the AbstractUsernameFormAuthenticator.java class.
Everything is fine and dandy but I want to write an integration test to check that everything works as it should. The problem is I don't know how to mock an LDAP user that has an expired password. I've searched Google but found no answer.
Can someone help me?
Thanks,
Adrian

------------------------------

Message: 2
Date: Thu, 6 Apr 2017 18:22:43 +0200
From: Aritz Maeztu <amaeztu at tesicnor.com>
Subject: [keycloak-user] 401 for spring security adapter + spring boot + long session
To: keycloak-user <keycloak-user at lists.jboss.org>
Message-ID: <91ce51df-90bf-f9f7-e0ce-30e6013baf8b at tesicnor.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

I have an application where I want its users to be able to stay logged in for a long time (about one year before the session ends). I'm using Spring Boot + Spring Security and the Keycloak Spring Security adapter (2.5.4.Final). The Keycloak server is 2.2.1. What I've done:

Set up the realm to permit long lived sessions:

Session Idle: 365 days

Session max: 365 days

Offline session idle: 30 days

Access token lifespan: 1 Minute

Lifespan for implicit flow: 365 days

Then, in my application (single server and single keycloak client, confidential access type) I set up this environment variable:

server.session-timeout: 525600

Then in my front-end I've got AngularJS integrated; it works as a single-page application and performs some routing without refreshing the whole page.

My problem:

When I leave the application idle (for around 30 minutes) and then perform a request to any REST endpoint, I get a 401 code. The application works again when I press F5 and refresh the page. The problem only occurs when I access the REST endpoints without requesting the whole page again.

Am I missing something?


--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Tel. Aritz Maeztu: 948 68 03 06 Tel. Office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
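With a 1-minute access token lifespan, a single-page application that keeps calling REST endpoints without reloading the page has to refresh the access token itself before the token expires; the refresh token stays usable as long as the SSO session is alive, which is what the long idle and max session settings above govern. With keycloak.js the call for this is `keycloak.updateToken(minValidity)`. The following is an added example, not code from the list post or from the Keycloak adapters; the session object is a constructed stand-in for the adapter and the demo tokens are unsigned JWTs with a placeholder signature. It reads the `exp` claim, refreshes when fewer than `minValidity` seconds remain, and simulates the "idle for 30 minutes, then call a REST endpoint" sequence from the post.

```javascript
// Added example: refresh-before-call logic for short-lived access tokens in a
// single-page application. Tokens here are constructed demo JWTs.

function base64UrlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the 'exp' claim (seconds since epoch). The browser only uses it to
// schedule a refresh; signature verification is the resource server's job.
function tokenExpiresAt(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof claims.exp !== "number") throw new Error("no exp claim");
  return claims.exp;
}

// True when fewer than minValiditySeconds remain (or the token already expired).
function needsRefresh(jwt, nowSeconds, minValiditySeconds) {
  return tokenExpiresAt(jwt) - nowSeconds < minValiditySeconds;
}

// Constructed, unsigned demo token: header, claims and a placeholder signature.
function makeDemoToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ sub: "demo-user", exp }));
  return `${header}.${payload}.placeholder-signature`;
}

// Stand-in for the adapter session (hypothetical, not the Keycloak API):
// refresh() models exchanging the refresh token for a new access token.
class DemoSession {
  constructor(lifespanSeconds, clock) {
    this.lifespan = lifespanSeconds;
    this.clock = clock;
    this.refreshCount = 0;
    this.token = makeDemoToken(clock() + lifespanSeconds);
  }
  refresh() {
    this.refreshCount += 1;
    this.token = makeDemoToken(this.clock() + this.lifespan);
  }
}

// Every REST call goes through this: refresh first if the token is about to
// expire, then return a token the resource server will still accept.
function tokenForRequest(session, minValiditySeconds) {
  if (needsRefresh(session.token, session.clock(), minValiditySeconds)) {
    session.refresh();
  }
  return session.token;
}

// Simulate a 1-minute token, an idle period, then one REST call.
function simulateIdleThenCall(idleSeconds) {
  let now = 1700000000;
  const session = new DemoSession(60, () => now);
  const first = tokenForRequest(session, 30);
  now += idleSeconds;
  const afterIdle = tokenForRequest(session, 30);
  return {
    refreshed: session.refreshCount,
    stillValid: tokenExpiresAt(afterIdle) > now,
    sameToken: first === afterIdle,
  };
}

console.log("idle 30 min:", simulateIdleThenCall(30 * 60));
console.log("idle 10 s:  ", simulateIdleThenCall(10));
```

After 30 idle minutes the wrapper refreshes once and the call carries a token that is valid again; after 10 seconds the original token is reused. If the refresh itself fails, the user's SSO session is gone and a full re-login is the only remedy, which is the case the page reload in the post is masking.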



------------------------------

Message: 3
Date: Thu, 6 Apr 2017 11:49:34 -0700
From: Jonathan Little <rationull at gmail.com>
Subject: [keycloak-user] Using the nodejs-connect adapter without a logout route
To: keycloak-user at lists.jboss.org
Message-ID:
	<CALLLnfX_3w3NLNNxpsvpXmD3fupday9+-KvyOKnroyhewgqsdw at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

The nodejs-connect adapter's middleware() function includes automatic setup
of a logout route which redirects to the keycloak server to logout the
authenticated user. The relative path to the logout route is customizable
via the options object, but there is no specified way to opt out of the
logout route. Looking at logout.js in the source I can see that passing
something which will never resolve as equal to request.url would result in
the logout route always being skipped, which is workable but is a hack.

I'm looking at using this for a backend service which will not do user
login/logout management at all but will only be doing checks for
authorization details. I don't see a need for logout functionality on such
a service. I can see three possibilities:

1) I'm looking at this the wrong way, and I actually do want logout
functionality for some reason.
2) I'm looking at it the right way, and the aforementioned hack is the
"normal" way to do it, but undocumented.
3) There's a feature request hiding here for a config option on
middleware() to opt out of the logout middleware.

(3) seems most plausible to me at this point but I don't want to jump into
feature request mode with an incomplete understanding of the situation. Any
opinions?


------------------------------

Message: 4
Date: Fri, 7 Apr 2017 00:38:12 +0530
From: Sumit Das <sumitdas66 at gmail.com>
Subject: [keycloak-user] Creating group mappers for ldap
To: keycloak-user at lists.jboss.org
Message-ID:
	<CAOYE8NEM5NdMMpFRSyjGRUpDy5Pm+4wSSX7DkrnnLpFfFfeqDw at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi

We are using Keycloak 2.5.4. We are trying to create custom group mappers
for LDAP by creating a Myfactory.class which extends
AbstractLdapStorageMapperFactory, and the implementation of the mapper as
MyMapperLdapProvider which extends AbstractLdapStorageMapper.

We have followed the documentation provided by Keycloak for deployment
of the jar and implementation of the mapper.

Once it is placed in the providers or deploy folder, we do not see our custom mapper in
the drop-down of the mapper section of the user federation provider.

We are not sure whether we are following the right approach or right design
to create the mapper.

Please help us to identify where we are going wrong. Any suggestions or
direction is highly appreciated.

Regards
Sumit


------------------------------

Message: 5
Date: Fri, 7 Apr 2017 00:34:05 +0000
From: "Jacobs, Michael" <Michael.Jacobs at nuance.com>
Subject: Re: [keycloak-user] [EXTERNAL] Re: Overriding
	AssertionConsumerServiceURL in
To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Message-ID:
	<BN6PR05MB2964114EDDF4239B0C29A99BF80C0 at BN6PR05MB2964.namprd05.prod.outlook.com>
	
Content-Type: text/plain; charset="utf-8"

I solved this by making my own identity provider SPI that extends from SAMLIdentityProvider, but adds this feature, taking the override from the standalone.xml

I will try to do something similar with the Email Template SPI.

From: Jacobs, Michael [mailto:michael_jacobs at nuance.com]
Sent: Wednesday, April 05, 2017 8:32 AM
To: Bill Burke <bburke at redhat.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [EXTERNAL] Re: [keycloak-user] Overriding AssertionConsumerServiceURL in


So what you are saying is that Keycloak, acting as an SP, will send this URL to the IdP, but the IdP can choose not to use it, and just send responses to our F5?

Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5?

Thanks for your help with this,

MJ
On Apr 5, 2017 8:01 AM, Bill Burke <bburke at redhat.com<mailto:bburke at redhat.com>> wrote:
The SP can send ACS URL, this URL will only be used if it is validated
against the Redirect URI patterns that are registered in the
configuration of the client.  Does that answer your question?


On 4/4/17 6:07 PM, Jacobs, Michael wrote:
> For our application we created a SAML Identity Provider to proxy authentication to an outside source.  However we need their response to be sent back to a load-balanced URL on our F5.  The value that I believe controls this is "Redirect URI" in our SAML Provider config, looks like that goes to populate the AssertionConsumerServiceURL in the SAML request.  Redirect URI is not editable in the UI.  Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL.
>
> We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=AGRIVkkrGet14litX3vdhf_ykaRtxRlysj94q0l8Lu8&m=B5Rzm519tM-Gtr531DC5-SdoVSFKKOvKuG1mnjWUEP0&s=iUK7Hus6wvb5hs9zXzaFQfwbmCv79gDHvrFx3rlVlWE&e=


------------------------------

Message: 6
Date: Fri, 7 Apr 2017 12:24:01 +0200
From: matteo restelli <teoreste at gmail.com>
Subject: [keycloak-user] Parametric Client Configuration
To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Message-ID:
	<CABZhS3y4y55-fKbLktUBZUgKmOQ2=K6WdwzESgoBL_z9VQOg3g at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi all,
is it possible to make client urls parametric?
I mean, is it possible to set environmental variables and reference them
inside the client configuration panel?

Thank you in advance,
Matteo


------------------------------

Message: 7
Date: Fri, 7 Apr 2017 16:08:11 +0530
From: JiJesH V U <jijeshvu07 at gmail.com>
Subject: [keycloak-user] (no subject)
To: keycloak-user at lists.jboss.org
Message-ID:
	<CAAbhGsASrH=xa5dUWh4X8XEC_5+ampbN-+nL=9iN-q0ECAmH6g at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

I have these 2 Keycloak configurations for per-app role mapping. I have
configured the role per app and assigned it to the user. When I remove a
particular role from app1 it can log in. This does not happen. What am I doing
wrong here?









regards,
jijesh v u
mob: +91 9037329817


------------------------------

End of keycloak-user Digest, Vol 40, Issue 10
*********************************************


