I have used Google has my identity provider in Keycloak application, I have created the identity provider by using the keycloak oidc and Google is showing up as sign in option on my console when i tried to login through the google the credentials is getting validated but while redirecting back to the actual page after identity validation I'm getting the "UNEXPECTED ERROR"
Related
I'm trying to set up SAML integration between Skyspark as service provider and keycloak as Identity Provider. I have done below,
Copy Skyspark SAML metadata xml and created a client in keyclaok with the xml file
Get the metdata URL from keycloak and added into the Skyspark SAML SSO
When I access skyspark it redirects to keycloak login page and showing an error Invalid requester. The backend has below errors,
ERROR [org.keycloak.protocol.saml.SamlService] (default task-4) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
I tried with disabling Client Signature Required, It shows me the login page, But after successful authentication skyspark shows up SAML Authentication Failed. I see there is SAML response in the browser network tab.
Is there any signature validation issue at both ends? Should I do any other config apart from above ?
I am integrating AD B2C as Identity provider for the FreshWorks by configuring SSO with OIDC in the Freshworks.
Configuration done in the Azure AD B2C:
Registered an application in the AD B2C Tenant
a. Get the redirect URL from Freshworks SSO with OIDC and added in the Redirect URI in the registered application
b. Id Tokens and Access Tokens check box is selected.
c. Enabled the public client.
d. Generate the client secret for the application
Added Microsoft as external IdP in the AD B2C tenant. Only one external IdP is enabled, local account is not enabled.
Created a SignupSign User flow
Tested the User flow, able to signup and sign-in using Microsoft Account (personal account). JWT token is generated with the claims sub, email, name.
Configuration done in the SSO with OIDC:
Get the ClientId and Client Secret of the Application registered in the AD B2C tenant and added in the SSO with OIDC configuration dialog
Navigate to AD B2C signup sign-in user flow OIDC configuration url and get the authorization_endpoint and token_endpoint, added those two in the SSO with OIDC configuration dialog
set the scopes as openid,email,profile
After doing all the above configurations, a new button is added in the freshworks login page. I have clicked that button, it navigates to the microsoft login page, after providing credentials and accepted the consent, it shows a form with profile information.
On clicking the continue button an account is created in the AD and redirected to the Freshwork page. It shows the below error in the freshworks login page.
The authorization code request is working, AD B2C post the authorization code to the freshwork redirect url. I hope the issue is with the get access token endpoint URL. I have tried the Get access token endpoint from the postman using the authorization code received from the first request, it gives the access token.
The postman screenshot mentioned is showing the IDToken and your freshworks application expect access token. Could you please validate the user flow with access token settings and also use the postman tool to get the access token. Please follow the below document for more requests.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
I am getting an error when I try to login to Keycloak by using it as a broker.1 I am using credentials from another keycloak instance to login. So far, I am redirected to the correct login page but after entering my credentials I receive an error.
I have set up Keycloack Identity Brokering on computer 1 by following the basic steps.2 I have used the generated redirection URI of the broker to register a new client on computer 2 in another Keycloak instance.3 The client configuration present on computer 2 4 is then used to fill in Authorization URL, Token URL, Client ID and Client Secret on the Identity Broker on Computer 1. 5
I may be leaving important fields missing. Pictures are attached for reference.
I have changed some settings to get the broker to work with the other Keycloak instance. I am now sending client secret as basic auth with signed verification off. I have also enabled back-channel logout. Hope this helps someone else.
I fixed this problem by regenerating the client secret on the identity provider side and using it on keycloak. The keycloak realm data import was not working very well for me apparently.
In my case I needed to empty the hosted domain field in the "Identity providers" configuration of my Google identity provider in Keycloak.
See also:
Keycloak Google identity provider error: "Identity token does not contain hosted domain parameter"
I downloaded WSO2 IS, took care of all the prerequisites and started it using "wso2server.bat --run" command.
It's running and I am able to configure it in Management Console as Identity Provider (SAML 2.0). I also added my app as Service Provider (SAML 2.0). SSO seems to be working - I navigate to my app, it redirects to WSO2 IS where I log in using default admin/admin. I am then redirected to assertion service in my app when I am authenticating a user. Everything great so far!
The problem is that when I close the browser (using incognito mode) and try to repeat that process and login to WSO2 IS using the same user (admin/admin) I get error message:
"Login failed! Please recheck the username and password and try again."
I also get similar message in console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use given user during SSO process - that account gets deactivated. I can't even login to WSO2 IS Management Console.
I did not change any configuration other than mentioned above.
I would appreciate any help.
I'm trying to connect a Spring App Keycloak, but I get this error:
After I enter to my app, and I was redirected to Keycloak for authentication, I receive an error in my browser:
192.168.1.66 redirected you too many times.
Full url
URL: http://192.168.1.66:9092/keycloak-sp-example/sso/login?state=139%2F1ed115fb-4d4f-468c-9a72-845f9cfa9cdb&code=PVGhg5X28G8fjNt36tMGHTJIP7CQdHOhoK4XhPgUh3E.2d885db5-5c4f-43b1-9095-305494718a97
And, in the console, I got:
ERROR org.keycloak.adapters.OAuthRequestAuthenticator - failed verification of token: Token is not active.
It's a bug? Or is anything that I should configure in the console?
I found the problem, I was testing the product in a virtual machine without the correct time zone configured.
Try to sync the server timing of Keycloak and application server or else increase the access token life span which is not recommended.