We have our own CRM portals and we want to offer OpenID based User authentication and authorization.
To achieve this we have decided to use Keycloak.
The flow we formalized is below and we are stuck due to may be not knowing much of the configurations inside Keycloak or may be its not possible.
User visits our existing CRM login page where he/she provides the username and password.
On click of Login the keycloak custom Identity provider should authenticate the user
Keycloak should receive the authentication success response and generate the JWT token
User is redirected back to CRM dashboard with the help of redirect_url configured in custom IDP.
What we have done till now,
Created a custom IDP inside Keycloak.
Configured all endpoints in this custom IDP
No custom authentication flow yet, all defaults i.e. First login flow is set to 'first broker login'
Challenges we are facing currently,
User on our CRM login page (Not the keycloak login form) and click on login button
The Keycloak login form is shown to user. We dont want any keycloak login pages. but instead the custom IDP endpoints should be executed and a JWT is returned back to redirected CRM application.
Is this possible to achieve the flow I mentioned above?
You need to adapt the browser Authentication Flow
Authentication -> Flows -> Browser
There you find the Identity Provider Redirector. Click Configure and specify a Default Identity Provider (you need the alias of your IDP there)
Normally all available IdentityProviders are listed beside the login form. But if a DefaultIdentityProvider is configured, KC immediately redirects to the external IDP.
Related
I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a user Keycloak console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In case of Keycloak API I'd really appreciate the examples of API calls which should I perform in order to change the user password and email.
The realm in keycloak is configured with multiple IDPs like Azure, Okta, Google etc.
But username and password is something that is not needed.
In the browser Authentication flow if I disable Forms instead of "Alternative" the login page appears with "Invalid Username or Password"
Please note I want multiple IDPs buttons to appear in the login page without the Username and Password Login Form.
Not much is documented about this in keycloak documentation.
You can use a custom authentication provider to achieve your goal.
Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
Build an authentication provider which checks for that user attribute and denies access.
Add the authentication provider to the Browser login flow.
Create new theme and adjust templates files to hide login fields and show a user-friendly error if the user fails step 2. Use theme only on relevant realm.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
I have a setup where Keycloak is acting as an identity broker. There are two Oauth2.0 Identity Providers configured in Keycloak.
A user goes to my app, is forwarded to Keycloak and is presented with two buttons. These buttons can be used to either authenticate with IdP 1 or IdP 2. Once the user is authenticated, keycloak will receive the JWT token and will issue its own JWT token to the client, enriched with claims from the JWT token received from the selected IdP. So far so good.
Now I have the usecase where my app will be embedded in another CRM platform. Let's say this CRM platform uses IdP 1. So a user is able to access the CRM and will authenticate through IdP 1. Then, the user can hit a button and get directed to my app. Of course we don't want the user to authenticate again with the same IdP but now first by going through Keycloak.
My question is, is there a way to let Keycloak use the IdP 1 token the user received when accessing the CRM platform in a way that Keycloak will enrich it and issue a JWT token just as it is done when the user would authenticate through Keycloak?
Consider implementing custom Authenticator that will sign on in Keycloak users that come from CRM. Our goal is to initiate SSO session in Keycloak.
Assume that when user hits button in CRM to got to your app, Keycloak will have access to some data provided by IDP1 that could be useful for identifying which user perform such action. So here we go:
User hit button "go to app"
User comes to App
App redirects user to Keycloak for passing the authentication
Your own custom implementation of Keycloak Authenticator will utilize information from IDP1 (you could utilize mentioned JWT token somehow)
Now SSO session in established and Keycloak redirects user back to your application
???
Profit
Also note that your will have to solve potential problem of session idle synchronization between Keycloak and IDP 1.
Keycloak development guide
How to disable username/password login for external IDP ?
I know that I can use custom theme to hide http form, but I want to do it properly.
As far as I know I have to create at least custom First Broker Login and Browser authentication flow, right?
After first login from IDP I have to create user in Keycloak, but do not leverage password option.
Also Browser flow must be updated to not show username/password form, right?
Can anyone provide proper example ?
Thanks
You can use a custom authentication provider to achieve your goal.
Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
Build an authentication provider which checks for that user attribute and denies access.
Add the authentication provider to the Browser login flow.
Optionally adjust templates files to hide login fields and show a user-friendly error if the user fails step 2.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
May not be 100% suitable to this case, but found next one working fine for our case without need to compile and deploy "custom authentication provider". In our app we suppress keycloak login form and offer own custom user / password form, and for IdP integration we are using kc_hint to redirect directly to IdP login page. Once user login via IdP we want to disable user name / password login using password grant. There is a trick allows to achieve this in keycloak v15. You can assign "Update User Locale" to "Required User Actions" of the user, from that moments, direct password grant wont let user to login returning "requires action" validation error, which is not supported in our UI, while IdP login still works and skip this "required action" nor reset it after login. Of course you may need some scheduled curl script allows to set this for users automatically via users REST API : read users attributes or IdP link integration, if found specific Idp related user attribute or IdP integration link, and "requires action" array is empty, set it to "Update Locale".
Of course this all works as long as you hide keycloak login form and use your own. for all using keycloak login form, login using name / password will work and can bypass "Update locale" requirement (not sure why, perhaps because realm does not have locales configured)
Try this costum Authentication flow
By Automatically linking brokered account, the user won't have to set a password. as for the username it will be automatically imported from the identity provider.
I am implementing a SSO using SimpleSAMLPhp Service Provider.
I provided my metadata to remote Shibboleth Identity Provider and was provided a test account.
When a user visits a specific page on my SP, they get redirected to the IdP, login, and are redirected back to my web site with a bunch of IdP provided attributes. This part works.
This part I am struggling with.
If the user authenticates with the same IdP through a different Service Provider and then visits my page, how do I know they are already authenticated? Currently I am being asked to login again.
Is there a configuration value somewhere that lets me do this? Or am I using the wrong method? This is what I am doing.
$as = new SimpleSAML_Auth_Simple({REMOTE_AUTHSOURCE});
$as->requireAuth(); // this redirects to remote IdP login
$attributes = $as->getAttributes();
Thanks.
There are two separate authentication sessions to consider. One session is in you app and the other is at the IdP. The requireAuth method can tell if the user already has an authenticated session in your application, and will return immediately in that case.
There is no way for you to tell if a browser has a session at the IdP. You just call requireAuth whichs send the user there and if the IdP decides the user's session is still valid it will respond without prompting for login.
Are you saying that the user has a valid session at the IdP and they are being re-prompted to authenticate when you send the user there? That could be due to IdP policy, or if your app was sending something like 'forceAuth' in its AuthnRequest.