export keystore in keycloak 19 saml client - keycloak

I am requesting your assistance with configuring SAML in Keycloak.
I have a SAML client and I would like to export the keystore, but in the "Keys" section, the export button is disabled.
I use keycloak/bitnami v19.
config in keycloak 19
PS: it works with Keycloak v15.
config in keycloak 15
How can I enable it? Thank you for your help.
I tried several configs in the settings tab.

Related

How Mastodon Configured Login Using SSO

How does Mastodon configure login using SSO, such as OpenID with Keycloak? I searched on GitHub and configured Mastodon following this guide, but it doesn't work.
These are my environment variables:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=SSO
OIDC_AUTH_ENDPOINT=https://SSO_URL/realms/mastodon/.well-known/openid-configuration
OIDC_ISSUER=https://SSO_URL/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile"
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=masto
OIDC_REDIRECT_URI=https://MASTODON_URL/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=***
I checked the error log via this command, but it is empty.
docker-compose logs | grep ERROR
Even the text of the SSO button has not changed.
Here is the screenshot of the SSO button.
My config:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=My IDM
OIDC_DISCOVERY=true
OIDC_ISSUER=https://<keycloak_url>/auth/realms/<real>
OIDC_AUTH_ENDPOINT=https://<keycloak_url>/auth/realms/<real>/.well-known/openid-configuration
OIDC_SCOPE=openid,profile,email
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=<client id>
OIDC_CLIENT_SECRET=<client secret>
OIDC_REDIRECT_URI=https://<mastodon URL>/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
Tested with Mastodon 3.5.3 and Keycloak 7.0.1.
Maybe only change your OIDC_SCOPE and OIDC_UID_FIELD environment values.
I cannot comment, but Erik's suggestion was really good. Here is our minimal configuration using Keycloak in discovery mode:
# Enable OIDC
OIDC_ENABLED=true
# Name your button (ignored in current 3.5.3 but fix is done in upcoming releases)
OIDC_DISPLAY_NAME=Login with MySSO
# Where to find your Keycloak OIDC server
OIDC_ISSUER=https://<keycloak_domain>/realms/<my_realm>
# Use discovery to determine all OIDC endpoints
OIDC_DISCOVERY=true
# Scope you want to obtain from OIDC server
OIDC_SCOPE=openid,profile,email
# Field to be used for populating user's #alias
OIDC_UID_FIELD=preferred_username
# Client ID of the client you configured for Mastodon in Keycloak
OIDC_CLIENT_ID=<keycloak_client_id>
# Client secret of the client you configured for Mastodon in Keycloak (in production, use secrets; Docker secrets in our case)
OIDC_CLIENT_SECRET=<keycloak_client_secret>
# Where OIDC server should come back after authentication
OIDC_REDIRECT_URI=https://<mastodon_domain>/auth/auth/openid_connect/callback
# Assume emails are verified by the OIDC server
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
So the only difference is that we didn't have to add OIDC_AUTH_ENDPOINT, thanks to OIDC discovery.

We're sorry... invalidFederatedIdentityActionMessage from Keycloak after successful login from ADFS over SAML

I am getting success and responder status information from ADFS too. I checked both cases by turning the validate signature switch on and off, setting PROXY_ADDRESS_FORWARDING=true, and also port HTTP and HTTPS forwarding.
None of the solutions given above worked well for me.
• You can try configuring the settings in Keycloak as below so that it acts as a service provider to the ADFS IdP and the SAML requests are processed correctly:
IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
SignatureAlgorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT
Thus, when you configure the above settings in Keycloak, also ensure that you update the NameID policy in Keycloak as SP, and similarly the custom settings on the IdP side, to ensure the NameID is sent back in 'persistent' format.
Had the same error message with a misconfigured identity provider on Keycloak 15.
Try this:
Go to https://[ADFS server hostname]/federationmetadata/2007-06/federationmetadata.xml to download the ADFS server metadata
Find the X509Certificate fields marked 'signing' in the metadata
Go to your Keycloak Identity Provider definition -> settings -> 'Validating X509 Certificates' and insert the values from the metadata. Alternatively you can import the metadata file using Keycloak's import button when you create a new identity provider. Note: if the metadata contains multiple certificate values you can comma delimit them when you enter them in your keycloak identity provider definition.

WSO2IS 5.10 custom JWT token issuer not listed in Service Provider configuration

In WSO2IS 5.7 I used to utilize a custom JWT token issuer by deploying its jar file into wso2is_home/repository/components/lib, then changing the OAuth section in the identity.xml file at the IdentityOAuthTokenGenerator element to my custom token issuer's class:
<OAuth>
...
<!--<IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>-->
<IdentityOAuthTokenGenerator>it.smartcity.wso2.jwt_generator.CustomTokenIssuer</IdentityOAuthTokenGenerator>
...
</OAuth>
and restarting the server. Then I was able to see it in the Service Provider configuration:
With WSO2IS 5.10, besides putting the jar in the components/lib folder, I edited only the deployment.toml file, adding the following:
[oauth.extensions]
token_generator = "it.smartcity.wso2.jwt_generator.CustomTokenIssuer"
as described here https://is.docs.wso2.com/en/latest/learn/extension-points-for-oauth/#oauth-token-generator but it just doesn't work.
I can't see my token issuer in the Service Provider screen.
Is there anything else I should do?
You can add custom token issuers in the following way in 5.10.0 instead of token_generator.
[[oauth.extensions.token_types]]
name = "CustomTokenIssuer"
issuer = "it.smartcity.wso2.jwt_generator.CustomTokenIssuer"
persist_access_token_alias = true
Ref: https://github.com/wso2/docs-is/issues/1140

Generate Access Token for Simple_Oauth authentication in Drupal 8

My motive is to generate an access token for the client (through simple_oauth module of Drupal) with the help of which the client can access the content of Drupal 8 site via REST API. But the Generate token tab is not available on the screen, also I have tried generating the token through Postman by using OAuth2.0 authentication, but failed to understand what to write in the Authorization URL and token URL field.
Any suggestion will be appreciated. Thanks in advance.
Quick demo (Password Grant)
Install the module using Composer: composer config repositories.drupal composer https://packages.drupal.org/8 && composer require drupal/simple_oauth:^3. You can use any other installation method, as long as you install the OAuth2 Server composer package.
Generate a pair of keys to encrypt the tokens. And store them outside of your document root for security reasons.
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
Save the path to your keys in: /admin/config/people/simple_oauth.
Go to REST UI and enable the oauth2 authentication in your resource.
Create a Client Application by going to: /admin/config/services/consumer/add.
Create a token with your credentials by making a POST request to /oauth/token. See the documentation about what fields your request should contain.
(Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
Request a node via REST without authentication and watch it fail.
Request a node via REST with the header Authorization: Bearer {YOUR_TOKEN} and watch it succeed.
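To run steps 7, 9 and 10 of the demo end to end, here is an added curl script (example code, not part of the original answer or of the simple_oauth module). It assumes the placeholder environment variables listed in the header and a node resource that has oauth2 authentication enabled in REST UI; the network calls only happen when DRUPAL_URL is set.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed environment (placeholders):
#   DRUPAL_URL                              base URL of the Drupal 8 site, e.g. https://example.test
#   OAUTH_CLIENT_ID / OAUTH_CLIENT_SECRET   the consumer created at /admin/config/services/consumer/add
#   DRUPAL_USER / DRUPAL_PASS               the Drupal account used for the password grant
#   NODE_PATH                               a REST resource, e.g. /node/1?_format=json
set -u

# Extract "access_token" from the JSON body returned by /oauth/token (no jq needed).
extract_access_token() {
  sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Return only the HTTP status of a GET to $1, sending "Authorization: $2" when $2 is non-empty.
get_status() {
  if [ -n "$2" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Authorization: $2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

if [ -n "${DRUPAL_URL:-}" ]; then
  # Step 7: password grant. --data-urlencode keeps secrets containing '&' or '%' intact.
  TOKEN=$(curl -s -X POST "$DRUPAL_URL/oauth/token" \
    --data-urlencode grant_type=password \
    --data-urlencode "client_id=$OAUTH_CLIENT_ID" \
    --data-urlencode "client_secret=$OAUTH_CLIENT_SECRET" \
    --data-urlencode "username=$DRUPAL_USER" \
    --data-urlencode "password=$DRUPAL_PASS" | extract_access_token)
  [ -n "$TOKEN" ] || { echo "no access_token in token response" >&2; exit 1; }
  # Step 9: the anonymous request is rejected (403 with the permissions described above).
  echo "anonymous:  $(get_status "$DRUPAL_URL$NODE_PATH" "")"
  # Step 10: the same request with the bearer token returns 200.
  echo "with token: $(get_status "$DRUPAL_URL$NODE_PATH" "Bearer $TOKEN")"
fi
```

Keep the token out of shell history and logs; it is a bearer credential and anyone holding it can read whatever the authenticated user can.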

OpenAM RESTful authentication using X.509 certificate

Does anybody know or have experience with how to do X.509 certificate authentication using the OpenAM RESTful API? I could not find any useful information in the official documentation or on Google. The last post from a closed OpenAM issue tracker entry indicates the newest API might be able to do certificate authentication. However, the detailed information is still missing from the link. Any help will be greatly appreciated. Thanks.
First be certain to understand what SSL client auth means and how your infrastructure is set up ... where is the SSL endpoint...
Then read
http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index.html#rest-api-auth-json
It tells you which parameters you have to provide.
Among other things, OpenAM allows for 'service-based' (authentication chain) and 'module-based' auth.
So either you create an auth chain which has the cert auth module configured, or you use the module directly.
service-based auth: authIndexType -> service, authIndexValue -> name_of_auth_chain
module-based auth: authIndexType -> module, authIndexValue -> name_of_the_auth_module_instance
Don't forget to look at OpenAM debug logs (debug level set to 'message').