Is group name case sensitive in SAML payload (in Palantir Foundry context)? - saml

During a SAML login via multipass, a list of groups is provided in the payload in <saml:Attribute Name="https://schemas.xmlsoap.org/claims/Group" ...>
Are these groups matched case-sensitively?
i.e.: Will a group that was provided as "AbcDef" earlier, but is provided as "abcdef" later be treated as the same group or not?

You can now modify your SAML configuration in a self-serve way via Foundry Control Panel.
For user attributes: please reach out through your internal support channel if you'd like to make user attributes case-sensitive - this option isn't available in the UI.
For user groups: case sensitivity isn't currently supported for user groups. You need to enable the “Import user groups from the identity provider” option to populate a user's groups via SAML.

This is a multipass service-level configuration. You will need access to the gemini or the infrastructure that configures the stack itself to change it. If you don't, please reach out through your internal support channels.
What you want is to add caseInsensitive to the type in your attributes, i.e.:
users:
  attributes:
    'multipass:email:primary':
      - Email
    'multipass:family-name':
      - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
    'multipass:given-name':
      - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
    id:
      fields:
        - NameID
      type: caseInsensitive
    username:
      - NameID
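To make the consequence of the question concrete, here is an added example (not Palantir code and not part of either answer) that pulls the Group claim out of two SAML assertions and compares the resulting memberships under case-sensitive and case-insensitive matching. The assertions are constructed samples; the claim URI is the one from the question.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "https://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertions (not real Foundry payloads): the same user logs in
# twice, and the IdP changes the letter case of one group name in between.
ASSERTION_FIRST_LOGIN = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>AbcDef</saml:AttributeValue>
      <saml:AttributeValue>Finance-Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

ASSERTION_LATER_LOGIN = ASSERTION_FIRST_LOGIN.replace("AbcDef", "abcdef")


def extract_groups(assertion_xml: str) -> list[str]:
    """Return the values of the Group claim attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def normalize_group(name: str, case_insensitive: bool) -> str:
    # casefold() is the Unicode-aware form of lower(); it folds names such as
    # "Straße" consistently where lower() would not.
    return name.casefold() if case_insensitive else name


def membership_drift(first_login, later_login, case_insensitive):
    """Groups gained and lost between two logins under the chosen matching rule."""
    before = {normalize_group(g, case_insensitive) for g in first_login}
    after = {normalize_group(g, case_insensitive) for g in later_login}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    first = extract_groups(ASSERTION_FIRST_LOGIN)
    later = extract_groups(ASSERTION_LATER_LOGIN)
    for mode in (False, True):
        gained, lost = membership_drift(first, later, case_insensitive=mode)
        print(f"case_insensitive={mode}: gained={gained} lost={lost}")
```

Under case-sensitive matching the second login silently drops "AbcDef" and creates a fresh, empty "abcdef", so any permission granted to the original group stops applying to the user. Case-insensitive matching avoids that drift, but it also means two identity-provider groups that differ only in case would be merged into a single group on the service side, so check the IdP for such near-duplicates before turning it on.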

Question about authentication in ActiveMQ Artemis

We have ActiveMQ Artemis 2.26.0 which is configured for Active Directory domain authentication.
When a user is authenticated the role is assigned using group membership (userRoleName="memberOf") or username (userRoleName="sAMAccountName"). Is it possible to grant authorizations using both the username and the groups to which the user belongs?
Currently I have a login.config which works differently for users in different organizational units of the domain:
LDAPLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        ignorePartialResultException=true
        connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
        connectionUsername="bind_username"
        connectionPassword="bind_password"
        connectionProtocol="s"
        connectionTimeout="5000"
        readTimeout="5000"
        authentication=simple
        userBase="OU=OU_for_application_users,DC=company,DC=tld"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        userRoleName="sAMAccountName"
        ;
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        ignorePartialResultException=true
        connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
        connectionUsername="bind_username"
        connectionPassword="bind_password"
        connectionProtocol="s"
        connectionTimeout="5000"
        readTimeout="5000"
        authentication=simple
        userBase="OU=OU_for_team_users,DC=company,DC=tld"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        userRoleName="memberOf"
        roleName="CN"
        ;
};
A user from OU_for_application_users gets one role which is equal to the username, and a user from OU_for_team_users gets roles from the list of groups to which the user belongs. Technically these are different types of users (special application accounts and personal user accounts).
Is it possible to create a login.config which assigns to a user a list of roles that combines the username and the list of user groups? Or is there any other way to add authorizations which use both the username and the groups of a user?
Also I wonder if it is a good idea. In other brokers, for example IBM MQ, we can configure separate authorizations for users and for groups. In ActiveMQ Artemis we have only one "role" regardless of what it represents - username or group name.
ActiveMQ Artemis supports role-based access control. There is no option to configure authorization based on username.
The configuration of the LDAPLoginModule is limited to userRoleName when assigning roles. However, JAAS login modules are pluggable, so you are free to write your own or contribute changes to LDAPLoginModule to support the behavior you want.

KrakenD Config custom dynamic role based on URL

I want to add one URL configuration which would be dynamic. For eg.
URL: /api/v1/{did}
and my jwt token would contain user-id, roles where role = did (same as in URL).
There are various URLs like this with different did but the same endpoint, and krakend should validate that a user has access to that specific URL (did), so I have roles created in keycloak as did (roles = did).
I want to specify roles in the krakend json file like roles : [{did}].
Is there any way to achieve this?
That should be possible using a CEL rule (Common Expression Language). With CEL you can set an expression that makes sure that the passed {did} parameter equals the content of the JWT attribute containing the role.
The following page has several examples that might help you: https://www.krakend.io/docs/endpoints/common-expression-language-cel/
For testing I would suggest using the devopsfaith/krakend:watch command, which hot-reloads the configuration on every change.

OpenAPI restrict path to 'admin' users

In OpenAPI, how do you restrict a given action (e.g. GET /users) to users with a specific role (e.g. admin)?
Example, where the list of users should only be accessible to admin users:
paths:
  /users:
    get:
      # TODO: restrict access to users with 'admin' role
      summary: Get list of all users
      security:
        - BearerAuth: []
      operationId: getUsers
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: object
                properties:
                  users:
                    type: array
                    items:
                      $ref: '#/components/schemas/User'
Bearer Authorization does not support access scopes as defined with OpenAPI. You have a few options:
Use A Description
Use a description to explain to readers of your definition that these endpoints require an auth token belonging to an admin user. This is the simplest solution, though this won't allow tooling to automatically enforce this criterion from your OpenAPI spec, so you'll need to manually control this in your own code.
get:
  description: Get list of all users. Limited to admin users.
Use An Extension
Write an extension to formally describe the criteria necessary for your auth tokens. OpenAPI allows the use of extra properties for defining properties and behaviors that are specific to your implementation and don't fit the generic case. You can write tooling and scripts to process this property to enforce behavior as you see fit.
get:
  x-authRoles: ['admin']
Use OAuth 2.0
Use OAuth 2.0 or another security scheme that supports access scopes by design. You may find this adds additional security benefits, as all tooling around OAuth already expects access scopes, so you may have an easier time with this particular problem, as you won't have to roll your own implementation.
get:
  security:
    - oAuthSample:
        - admin
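The "Use An Extension" option leaves enforcement to your own tooling. Here is an added example (not from the answer or any OpenAPI project) of what that tooling can look like: it walks a parsed OpenAPI document, collects the x-authRoles extension from the answer into a per-operation role map, and applies a deny-by-default check against the roles carried in a token. The spec is a constructed sample embedded as a dict so that no YAML library is needed.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed OpenAPI document, already parsed into a dict. "x-authRoles" is the
# extension name proposed in the answer; it has no meaning to OpenAPI itself.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {
            "get": {
                "operationId": "getUsers",
                "security": [{"BearerAuth": []}],
                "x-authRoles": ["admin"],
            },
            "post": {
                "operationId": "createUser",
                "security": [{"BearerAuth": []}],
                "x-authRoles": ["admin", "user-manager"],
            },
        },
        "/users/{id}": {
            # Authenticated, but no role restriction declared.
            "get": {"operationId": "getUser", "security": [{"BearerAuth": []}]},
        },
    },
}


def build_role_map(spec: dict) -> dict:
    """Map (METHOD, path template) -> frozenset of roles declared in x-authRoles.

    Operations without the extension map to an empty set (any authenticated caller).
    A malformed extension raises instead of being ignored, so a typo in the spec
    cannot silently widen access.
    """
    role_map = {}
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            roles = operation.get("x-authRoles", [])
            if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
                raise ValueError(
                    f"x-authRoles on {method.upper()} {path} must be a list of strings"
                )
            role_map[(method.upper(), path)] = frozenset(roles)
    return role_map


def is_allowed(role_map: dict, method: str, path_template: str, token_roles) -> bool:
    """Deny by default: an operation absent from the spec is rejected, and a
    restricted operation needs at least one of its declared roles in the token."""
    required = role_map.get((method.upper(), path_template))
    if required is None:
        return False
    if not required:
        return True
    return not required.isdisjoint(token_roles)


if __name__ == "__main__":
    role_map = build_role_map(SPEC)
    for (method, path), roles in sorted(role_map.items()):
        print(f"{method:6} {path:14} requires any of {sorted(roles) or ['<authenticated>']}")
    print("GET /users as plain user allowed?", is_allowed(role_map, "GET", "/users", ["user"]))
```

The check takes the already-matched path template (for example "/users/{id}"), because mapping a concrete request path onto a template is the router's job; the role check should run after routing and after the token has been validated, never before. Treating the role requirement as "any one of the listed roles" is a design choice; if your policy needs all listed roles, replace `isdisjoint` with `issubset`.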

How to search keycloak users by employeeNumber or by custom attributes?

I wanted to search a keycloak user using employeeNumber. I tried checking the keycloak documentation but didn't find any API which will search based on employeeNumber/custom attributes. I'm using the API below to search the users with admin access.
http://localhost:8080/auth/admin/realms/Demo-Realm/users/?firstName=akshay
also tried with
http://localhost:8080/auth/admin/realms/Demo-Realm/users/?search=akshay
Although not mentioned in the release notes, it is possible after Keycloak version 15.1.0 (as pointed out by #Darko) to search users by custom attributes, introduced with this commit. As one can now see on the GET /{realm}/users endpoint of the Keycloak Admin REST API:
So in your case you would call that endpoint with the query parameter q=employeeNumber, for instance with curl:
curl 'https://${KEYCLOAL_HOST}/auth/admin/realms/${REALM_NAME}/users?q=employeeNumber:444555'
Bear in mind that the /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth, namely:
curl 'https://${KEYCLOAL_HOST}/admin/realms/${REALM_NAME}/users?q=employeeNumber:444555'
Keycloak version before 15.1.0
For those with Keycloak version before 15.1.0, out-of-the-box you can use the Keycloak Admin API endpoint:
GET /{realm}/users
one can read that:
Get users. Returns a list of users, filtered according to query parameters
those (optional) query parameters being:
briefRepresentation (boolean);
email (string);
first (string);
firstName (string);
lastName (string);
max (Maximum results size (defaults to 100)) (integer);
search (A String contained in username, first or last name, or email);
username (string).
As you can see you cannot search for custom attributes. A not so great solution is to get all the users (max=-1), and filter afterwards by the custom attribute.
The other option is to extend Keycloak functionality by adding your own custom Service Provider Interfaces (SPI) and adding your custom endpoint. There you can take advantage of the searchForUserByUserAttribute method from the UserQueryProvider interface.
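Both paths described in the answer (q=attribute:value on 15.1.0 and later, and the max=-1 fetch-and-filter fallback before that) are put together in the added example below. It is not Keycloak code and not part of the answer; the user records are constructed samples shaped like the Admin API's UserRepresentation, and the version comparison assumes you already know the server's (major, minor) version.

```python
from urllib.parse import urlencode

# Constructed UserRepresentation objects, shaped like the Admin API's response:
# "attributes" maps an attribute name to a list of string values.
USERS = [
    {"username": "akshay", "attributes": {"employeeNumber": ["444555"]}},
    {"username": "bob", "attributes": {"employeeNumber": ["777888"]}},
    {"username": "svc-reports"},  # no attributes at all
]


def users_search_params(attribute: str, value: str, server_version: tuple) -> dict:
    """Query parameters for GET .../users, chosen by Keycloak version (major, minor)."""
    if server_version >= (15, 1):
        return {"q": f"{attribute}:{value}"}   # server-side attribute search
    return {"max": -1}                          # pre-15.1: fetch everything, filter locally


def admin_users_url(base_url: str, realm: str, params: dict, quarkus: bool) -> str:
    """Build the Admin API URL; the Quarkus distribution (Keycloak 17+) dropped /auth."""
    prefix = "" if quarkus else "/auth"
    return f"{base_url}{prefix}/admin/realms/{realm}/users?{urlencode(params, safe=':')}"


def filter_by_attribute(users: list, attribute: str, value: str) -> list:
    """Client-side fallback: keep users whose attribute list contains the exact value."""
    return [u for u in users if value in (u.get("attributes") or {}).get(attribute, [])]


if __name__ == "__main__":
    base = "https://kc.example.internal"  # hypothetical host
    for version, quarkus in (((16, 1), False), ((14, 0), False), ((21, 0), True)):
        params = users_search_params("employeeNumber", "444555", version)
        print(version, admin_users_url(base, "Demo-Realm", params, quarkus))
    print([u["username"] for u in filter_by_attribute(USERS, "employeeNumber", "444555")])
```

The fallback deserves caution beyond being "not so great" for performance: max=-1 hands the complete user directory, including every attribute, to whatever service account performs the lookup, so that account should be scoped to the view-users role and the response should never be logged or cached in full.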

Store multiple credentials in Keycloak

Is it possible to store multiple credentials for a given user in Keycloak?
They don't need to be all active/enabled at the same time. The use case for us is rather that we want to store new credentials in advance but don't want to have them active yet. They should be activated/enabled at a later time after some manual user verification.
The Keycloak REST API documentation states that UserRepresentation indeed comprises an array of CredentialRepresentation but in my few tests the GET call wouldn't even return a credentials attribute.
I would say that it's impossible to have more credentials for a user.
But you can always implement your own user storage SPI that implements the interface CredentialInputValidator, where you can check for the valid password.
Let's say in your DB you have 2 columns for passwords, pas_col1 and pas_col2, and 1 more column as a flag which tells what column is used for user authentication, so in the isValid(RealmModel realm, UserModel user, CredentialInput input) method you can check for your conditions.
Link to SPI: https://www.keycloak.org/docs/3.4/server_development/index.html#_user-storage-spi