[keycloak-user] Not being prompted for x509 User Certs
JTK
jonesy at sydow.org
Mon Jul 15 17:47:53 EDT 2019
I wanted to give an update which might help other users.
The first issue we had was related to the load balancer and to be specific
Amazon ELB.
I was under the impression it was set to be pass-thru, but instead it was
set up to do SSL termination.
After that was fixed, then I was getting prompted for certificates and I
was seeing logs, which I was happy with, even error logs, even better.
The next issue was related to when our PFX chain was imported into the
keystore. The issue was that the PFX file had a different password than the
keystore in the standalone.xml configuration file.
After changing the password and re-importing it, the error logs
related to padding for the keystore were resolved. Basically, an error in
padding in our case = wrong password in the keystore.
The last issue was locating the correct RegEx for our instance. For us,
this worked:
User Identity Source: Subject Alternative Name
A regular expression to extract user identity : RFC822Name=(.*?)(?:,|$)
A big shout out to Peter! Thanks for your assistance.
On Thu, Jun 27, 2019 at 12:37 PM JTK <jonesy at sydow.org> wrote:
> Hello,
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here is the excerpt from the standalone.xml file
>
> <management>
> <security-realms>
> ......
> <security-realm name="ssl-realm">
> <server-identities>
> <ssl>
> <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </ssl>
> </server-identities>
> <authentication>
> <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </authentication>
> </security-realm>
> ......
>
> <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server" default-virtual-host="default-host"
> default-servlet-container="default" default-security-domain="other">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default1" socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
> <https-listener name="default" socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> <host name="default-host" alias="localhost">
> <location name="/" handler="welcome-content"/>
> <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
> <http-invoker security-realm="ApplicationRealm"/>
> </host>
>
> I've set up the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is set up per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and
> truststore.jks files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything
> in the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a
> product through RedHat SSO if it works well to get the support we need, but
> I've been hung up on this for a few weeks and I know it shouldn't be this
> hard.
>
> Thanks,
> J
>
>
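As an added example (not part of the original thread or of Keycloak itself), here is how the identity regex from the update above behaves against constructed SAN renderings, mirroring the find()-style search and single-capture-group rule that Keycloak's pattern-based identity extractor applies; the exact SAN string format Keycloak hands to the pattern is assumed.

```python
import re
from typing import Optional

# Regex from the mailing-list update: the lazy capture stops at the next
# comma or at end of string, so trailing SAN entries are not swallowed.
IDENTITY_PATTERN = r"RFC822Name=(.*?)(?:,|$)"


def extract_identity(san_text: str, pattern: str = IDENTITY_PATTERN) -> Optional[str]:
    """Return the user identity captured by `pattern`, or None.

    Mirrors Keycloak's pattern extractor: the pattern must contain exactly
    one capture group, a find()-style search is used (the match need not
    start at the beginning), and no match yields no identity, so the
    x509 authenticator cannot map the certificate to a user.
    """
    compiled = re.compile(pattern)
    if compiled.groups != 1:
        # Keycloak warns that the pattern must contain a single group and
        # extracts nothing; surfacing None here makes that failure visible.
        return None
    match = compiled.search(san_text)
    return match.group(1) if match else None


def greedy_mistake(san_text: str) -> Optional[str]:
    """A greedy `.*` without a terminator captures everything after the key."""
    return extract_identity(san_text, r"RFC822Name=(.*)")


# Constructed SAN renderings (assumed format, not from the original post).
SAMPLES = {
    "first": "RFC822Name=alice@example.org, DNSName=alice.example.org",
    "last": "DNSName=alice.example.org, RFC822Name=alice@example.org",
    "only": "RFC822Name=alice@example.org",
    "none": "DNSName=alice.example.org",
}


if __name__ == "__main__":
    for name, san in SAMPLES.items():
        print(f"{name:>5}: {extract_identity(san)!r}")
    print("greedy:", repr(greedy_mistake(SAMPLES["first"])))
```

A certificate whose SAN has no RFC822Name entry yields None, which is the case to look for in the authenticator's debug logging when a user with a valid certificate is still not matched.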