Pentaho-ce 9.3 and Keycloak 18 Integration - jboss

What would be the better approach to integrate pentaho-ce and Keycloak? Currently we are working around Spring Security and a Keycloak adapter, but we are stuck.

The Keycloak adapter is deprecated: https://github.com/keycloak/keycloak/discussions/10187
See this alternative for OpenID resource servers (REST APIs): https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_oauthentication

Related

Is it possible to pass authentication from an old CAS 3.5.3 Server to a recent Keycloak 15.0.2 with SSO?

I have an existing JSF application that is secured by a CAS Server (version 3.5.3).
Due to customizations I am not able to update the CAS Server to a newer version. So there are no OIDC, OAuth2 or other state-of-the-art protocols available, only CAS and an early version of SAML, I think.
I would like to establish SSO to an external Keycloak of a service provider. They want me to set up an internal Identity Provider that connects to their external IdP.
I have done this before with Keycloak, but in that old case my internal Keycloak was the single point of authentication. This time it's CAS.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
I have thought of implementing a Custom User Storage Provider SPI to connect to my existing user database. But then I would have to log in again to my Keycloak. Is this true?
Is this achievable by implementing the CAS protocol in my internal Keycloak using a CAS extension? I think that this allows Keycloak to create a client using the CAS protocol, but not to SSO via an existing CAS server, and the user has to log in to my Keycloak. Please correct me if I'm wrong.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
No, and if there is one, it will require LOTS and LOTS of coding and development. If you're not able to upgrade, you most likely will not be able to make such changes anyway.
There is a plugin for external SAML2 authentication here, which should allow CAS login requests to be redirected to an external SAML2 IdP:
https://github.com/UniconLabs/cas-saml-auth
If your Keycloak supports SAML2, maybe this can work. Note that the plugin has not been touched since 2016, and there is no support for it from anyone. You will be 100% on your own if you decide to go with it.

Authenticate jBPM through the Identity gateway

I am using jBPM standalone to create workflows. By default, login is performed using the users.properties file.
I have an Identity server (created in .NET IdentityServer4 implementing OpenID) running, and I registered a client (e.g. JBPM_CLIENT) and have the details (scope, secret keys, etc.).
I am trying to redirect the authentication of jBPM through that Identity gateway.
While reading the documentation I thought Keycloak could be used for this requirement.
But when I look at the Keycloak GUI and configuration, it looks like Keycloak is something like IdentityServer4 and is useful for creating an Identity Server instance.
My doubt is whether I can use Keycloak as a client to connect to IdentityServer4?
Please suggest a route.
Keycloak can act as an identity broker and it supports OIDC (OpenID Connect) identity providers. Using that capability, first configure your IdentityServer4 as the OIDC provider on Keycloak. Keycloak's documentation covers these details.
Once that's set, you can configure jBPM to use the Keycloak client adapter for WildFly and then create a suitable Keycloak client under the same realm where you configured the OIDC identity provider. Details related to that are covered in this blog (outdated though).

SAML request authentication with Kong

We are using konghq as an API gateway for one of our customers, but we are very new to it and therefore don't know how to tackle this authentication issue.
We have to authenticate our services with a SAML token. Our microservices are behind Kong, which is running on an EC2 instance. The authentication process should be an independent microservice which validates the token from the request and its contents against another system. Instead of a service it could also be some serverless function on a k8s cluster. We don't want to use a Lambda, to stay cloud agnostic.
We were previously using AWS API Gateway and Lambda authorizers to tackle the scenario. The authorizer validated the token and took care of the authentication process.
I searched all the Kong forums and Google but couldn't find a SAML plugin. The most similar is the JWT plugin, but it won't work for us.
Is there something similar in Kong, or is there development on Kong involved? If yes, are there any existing plugins which are similar, or any related tutorials?
All help is greatly appreciated.
Thanks
Oldfighter

Securing a Spring Boot REST service using OAuth2 and Keycloak

I've successfully been able to secure a Spring Boot REST service using the Keycloak Spring Boot adapters and a Keycloak identity provider. However, we now wish to attempt the same thing without using Keycloak adapters but using OAuth2 directly. This is so that we can potentially connect to any identity provider in the future. I've tried various approaches but so far have had no success.
Has anybody been able to secure a Spring Boot REST service using the Keycloak identity provider with OAuth2 rather than the Keycloak Spring Boot adapters?

WSO2 Identity Server - the right choice for my needs?

I've been dropped into a hot-potato project... an external entity produced a SOA architecture, and we need to implement it now.
We are using Drupal as a CMS and the starting point of the architecture.
Here's what I think we need to do:
Authentication server
People register through the Drupal site. We'd like to reuse the identity created for other (future) services, through a REST API.
a) Can I add users to WSO2 Identity Server via a (REST) API?
b) Can I query WSO2IS to authenticate users via a (REST) API (creating an SSO environment)?
c) Can I create reusable profiles in WSO2IS, accessible through a (REST) API?
d) Can I authenticate Drupal access via WSO2IS through a (REST) API?
e) Can I query the XACML policies via a (REST) API so that access to a requested service can be evaluated?
Other REST APIs we're going to build would use the OAuth functionality of WSO2.
The architecture mandates an authentication module, a profiles module and a policy (authorization) module with XACML (...). The alternative is to build it all ourselves, but I think we won't have the time for this; I need to understand whether we can do the above-mentioned things in order to decide if WSO2IS is a good choice for our needs.
I have read the available documentation, browsed the help system, installed WSO2IS and checked out the interfaces, but couldn't find the answers. The only thing I managed to do is create the OAuth server.
Please find my answers below.
a) Yes. WSO2 Identity Server supports SCIM, which is the standard approach for identity provisioning. There are also web service APIs that expose user management functions. You can front those web service APIs using WSO2 APIM and expose them as REST APIs.
b) Yes. Apart from the REST and web service APIs, Identity Server supports authentication methods such as SAML2 SSO, OpenID, IWA and so on.
c) Yes. Same as a): you have both options, SCIM or a web service API fronted with APIM.
d) There is an authentication framework in WSO2IS through which users can be authenticated with a different server. Basically, WSO2IS can act as a federated IdP, so the application only knows to talk to WSO2IS. WSO2IS can authenticate users from any other IdP; it can be Drupal as well.
e) Yes. XACML is supported by WSO2IS. Its PDP API has been exposed via a web service API, but not as a REST API; as I mentioned earlier, you can expose it as REST using APIM. However, REST support for XACML will be available in a further release.