Keycloak SAML : Origin header set as null after successful login redirect - keycloak

I am using SAML federation in Keycloak. After a successful login from the Keycloak page, it is redirected to a URL with the Origin header as null. Due to this, it returns a CORS error.
Is there an option to set this Origin header in Keycloak configuration for SAML client?
Thanks!
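As an added example (not part of the question above, and not Keycloak code): browsers send the literal string `null` as the `Origin` header for opaque origins, which is what you get after certain cross-origin redirects such as the one described in the question. The safe server-side response is to treat `null` like any unknown origin and emit no CORS headers for it, rather than adding "null" to an allowlist. The allowlist and sample headers below are constructed for the example.

```python
# Added example: a server-side CORS origin check that handles the literal
# "null" Origin a browser sends for opaque origins (e.g. after a cross-origin
# redirect). ALLOWED_ORIGINS and the request headers are constructed values.
from typing import Dict, Mapping, Optional
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com",
}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if unparseable."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = port or default_port
    host = parts.hostname.lower()
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Decide which CORS response headers to emit for one request.

    Returns {} (no CORS headers, so the browser blocks the cross-origin read)
    when Origin is absent, is the literal "null" of an opaque origin, or is
    not on the allowlist. "null" is never echoed back as an allowed origin,
    because any opaque-origin page (sandboxed frame, data: URL, redirected
    request) would match it.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin == "null":
        return {}
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in ALLOWED_ORIGINS:
        return {}
    # Echo the specific origin; never "*" when credentials are allowed.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for hdrs in ({"Origin": "null"},
                 {"Origin": "https://app.example.com"},
                 {"Origin": "https://evil.example.org"}):
        print(hdrs.get("Origin"), "->", cors_headers(hdrs))
```

In this model the SAML redirect case simply produces an uncredentialed, non-CORS response: the browser-side error the question describes is the correct outcome for an opaque origin, and the fix belongs in how the redirect is performed (keeping the post-login hop same-origin), not in relaxing the origin check.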

Related

Gerrit OKTA SAML plugin configuration redirecting to login page after successful authentication at OKTA

I configured gerrit as per the documentation https://gerrit.googlesource.com/plugins/saml/
I am able to successfully log in at OKTA, but Gerrit is redirecting to the login page. I am not sure which attribute is causing this redirect.
No logs for SAML plugin.

How to change identity provider callback URL in Keycloak

I have a Keycloak server hosted in Kubernetes. When I make a request to an external identity provider (like Google/Facebook), the hostname is used in the redirect URL automatically. How can I change the redirect URL for my identity provider?
The auto generated redirect_url from Keycloak:
http://keyclaok:8080/auth/realms/{MY_REALM}/borker/google/endpoint
What I expected:
http://www.example.com/my-custom-callback/endpoint, this URL will redirect to the original Keycloak endpoint.
My identity provider settings in Keycloak
The auto-generated redirect_url (shown in the UI) should not be relevant for you.
AFAIK Keycloak just builds up the URL with the hostname you are currently using to access Keycloak.
So when you access your admin console via
http://keyclaok:8080/
Redirect URL for a google Identity Provider is shown as
http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint
If you access keycloak over your domain
http://www.example.com/auth
and try to authenticate over google, the valid redirect URL will be
http://www.example.com/auth/realms/{MY_REALM}/broker/google/endpoint
In my opinion you can't decide what the redirect URL will look like (especially not the suffix realms/{MY_REALM}/broker/google/endpoint), because it's relative to the Keycloak base URL and Keycloak needs it internally to map an answer to the correct realm and IDP.
But I think you shouldn't have a problem with such a URL, as long as Keycloak is accessible over your domain.

Keycloak IDP initiated logout SAML

I have one SP and one IDP using Keycloak.
I'm using SAML protocol and I can successfully login and logout when the request is initiated by the SP.
But when, connected as an admin in Keycloak, I log out a user from his session, no request is sent to the SP.
The session is indeed terminated on the IDP side but not on the SP side.
Because of that the user on the SP can still use the application.
I can't see any option in client configuration for that.
Has anyone made IDP-initiated logout in SAML work with Keycloak?
Could you give me some directions?
Thank you for your time.
After some more research, this is not a feature of Keycloak.
https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html
Quoting the docs
Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.
I had the same issue using the Keycloak SAML broker. It turned out that enabling back-channel logout (disabling front-channel logout) in the Keycloak client configuration solved my problem.
I am using 4.8.0.Final

Keycloak with OpenIdConnect external identityprovider

I have an external OpenID Connect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to the KeyCloak login page. On the login page I have the external OpenID Connect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is an identityserver3 instance). The external provider does authenticate the user and sends back a code.
Now the redirect URL for the registered client in the external identity provider is Keycloak's. So after authentication is successful at the external IDP it sends back the code (because it is the Auth code flow) to Keycloak at a redirect URL:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
If you look at the URL, it ends with endpoint. I don't think that's correct but I cannot change it in KeyCloak (it's disabled) and because of that in the external IDP client configuration.
KeyCloak does not understand the above URL and errors out with the message "unexpected error when authenticating with Identity Provider".
Isn't KeyCloak supposed to understand the code flow and make another request for a token after receiving the code? Then the external IDP will respond with a token and Keycloak will send that token back to the client (and will also store it for future use).
Can someone please share some knowledge on how Keycloak works with an external OpenID Connect ID provider with the code flow.
Usually the redirect URI for external identity providers takes the form {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, the authorization code will be sent to this URL, which in turn will redirect it to the redirect URL of your client application (specified when registering the client in Keycloak).
Unexpected error when authenticating with Identity Provider is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because Keycloak is unable to get a token from identityserver3 by exchanging the authorization code. Where did you host identityserver3? Does it have a real CA certificate or are you using a self-signed certificate? Have you configured client_id, secret and token endpoint properly in the Keycloak external IDP configuration? You can test manually by posting client_id, secret and code (that you received) to the token endpoint of identityserver3.

Facebook Server-Side Auth: Why does the access token request require a redirect uri?

In the server side auth flow, Facebook does not execute any redirects after the app requests the access token.
So why does the access token request require a redirect_uri parameter?
See section 4.1.1 of the OAuth 2.0 Spec.
redirect_uri is a required parameter when obtaining an access token.
From the spec:
The authorization server MUST:
Validate the client credentials (if present) and ensure they match the authorization code.
Verify that the authorization code and redirection URI are all valid and match its stored association.
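The following is an added example, not code from any post on this page and not Keycloak's or identityserver3's implementation: a minimal in-memory authorization server that performs the checks quoted from the OAuth 2.0 spec above, using the `.../broker/{provider}/endpoint` redirect URI shape from the Keycloak brokering answers earlier on the page as the registered `redirect_uri`. It shows why the token request carries `redirect_uri` even though no redirect happens at that step: the value is compared against the one stored with the code. The client registry, secret and code store are constructed for the example.

```python
# Added example: the authorization-server side of the code exchange, modelling
# the three checks quoted from the OAuth 2.0 spec. The client registration,
# secret and the BROKER_ENDPOINT value are constructed for this example.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Registered redirect URI in the Keycloak broker shape
# {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint (constructed).
BROKER_ENDPOINT = "http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint"


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uris: Tuple[str, ...]


@dataclass
class AuthorizationServer:
    clients: Dict[str, Client]
    # code -> (client_id, redirect_uri used when the code was issued)
    _codes: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Authorization endpoint: issue a code bound to client and redirect_uri."""
        client = self.clients.get(client_id)
        # Exact string match only: no prefix or wildcard matching of redirect URIs.
        if client is None or redirect_uri not in client.redirect_uris:
            raise ValueError("invalid_request: unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, client_id: str, client_secret: str,
                 code: str, redirect_uri: str) -> Dict[str, str]:
        """Token endpoint: validate credentials, code binding and redirect_uri."""
        # 1. Validate the client credentials (constant-time secret comparison).
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("invalid_client")
        # 2. The code must exist and have been issued to this client.
        #    pop() makes the code single-use whatever the outcome below.
        bound = self._codes.pop(code, None)
        if bound is None or bound[0] != client_id:
            raise PermissionError("invalid_grant: code not issued to this client")
        # 3. redirect_uri must be identical to the stored association.
        if bound[1] != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def make_demo_server() -> AuthorizationServer:
    """Server with one registered client; secret is a constructed placeholder."""
    client = Client("keycloak-client", "constructed-secret", (BROKER_ENDPOINT,))
    return AuthorizationServer(clients={client.client_id: client})


if __name__ == "__main__":
    srv = make_demo_server()
    code = srv.authorize("keycloak-client", BROKER_ENDPOINT)
    print(srv.exchange("keycloak-client", "constructed-secret", code, BROKER_ENDPOINT))
    try:
        srv.exchange("keycloak-client", "constructed-secret", code, BROKER_ENDPOINT)
    except PermissionError as e:
        print("replayed code rejected:", e)
```

The mismatch check is what the manual test suggested in the identityserver3 answer exercises: posting `client_id`, secret and code to the token endpoint fails with `invalid_grant` when the `redirect_uri` differs by as little as a trailing slash from the one the code was issued against, and with `invalid_client` when the secret configured on the broker is wrong.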