Our application offers two login options, via qrcode or via email and password.
For this we have two keycloaks each with a configured Realm.
In the first keycloak we have a client with login via qrcode, which will be an identity provider for the second keycloak.
In the second keycloak, we have a client with login via email and password. In this keycloak we have the identity provider as mentioned above.
Authentication is already working, our problem is in the browser session time, depending on the type of login performed.
We want to have a session time when logged in via qrcode and another session time when logged in via email.
But apparently the only session time the keycloak is using is the SSO Session Max of the second keycloak, regardless of the type of login done.
Is it possible to configure each realm so that each authentication mechanism has a specific session time?
Related
I have a sample application created using node js and passport saml strategy for testing SSO with pingFed.
I intend to use SP initiated SSO and created my SP connector in pingFed.
I can successfully login using pingFed and Directory server. However what I observe is every time I try to hit login URL from same browser session I get login prompt. As per my understanding PingFed will create PF cookie and track session and will not prompt me for login.
As verification I verified that my first redirect request http:///idp/SSO.saml2?SAMLRequest= is without PF cookie.
Subsequently when I am hitting /login in my domain , above redirect happens with PF cookie set in request. In spite of that I am always getting login dialog. I am expecting pingFed to use PF cookie and should not try to re-authenticate the user but should exchange SAML token as user already has session established and it is identified by PF cookie.
Is there some gap in my understanding?
(Background: I am trying to use my website hosted on wix as a simple identity provider so my members can access a separate sveltekit app I am creating--without logging in again--on a separate server because I do not think I can create the app on the wix platform. Basically I just need the user id, but I would like to also ensure they are in fact authenticated on my Wix hosted site before granting access).
In multiple pages explaining single sign on, it is explained that when my browser requests a protected resource from a web server, the server can (if it is configured to do so) verify my identity via a separate identity provider. This is done via a redirect to the identify provider. If I am not authenticated by the identify provider, I am asked to authenticate (by entering username and password, or whatever).
Once I am authenticated (by logging in or by verifying the presence of a valid session id on the identify provider's server from a prior login), the identify provider then "redirects with token" or a "token can be passed to the original domain by a redirect" according to these web sites I have encountered.
But what does it mean to "redirect with token"? This conflicts with other reading I have done which points out that redirects cannot have authentication or other headers or data associated with them.
How does it come to pass that (1) the web server I made my original request from gets my token from the identify provider while at the same time (2) returning my requested resource to my browser instead of back to the identity provider's server?
"Redirect with token" is a common method used in single sign-on (SSO) systems to authenticate users. In this method, when a user tries to access a protected resource on a server, the server redirects the user's browser to the SSO login page, along with a token that identifies the resource being accessed and the server that is requesting authentication.
The user then enters their login credentials on the SSO login page. If the credentials are correct, the SSO system authenticates the user and sends them back to the original server, along with a token that indicates that the user has been authenticated. The server checks the token to confirm that the user has been authenticated, and if the token is valid, the user is granted access to the protected resource.
Redirecting with a token is a secure and efficient way to authenticate users across multiple servers, as it allows the servers to rely on the SSO system to authenticate users and eliminates the need for each server to store and manage its own set of login credentials.
We have our own CRM portals and we want to offer OpenID based User authentication and authorization.
To achieve this we have decided to use Keycloak.
The flow we formalized is below and we are stuck due to may be not knowing much of the configurations inside Keycloak or may be its not possible.
User visits our existing CRM login page where he/she provides the username and password.
On click of Login the keycloak custom Identity provider should authenticate the user
Keycloak should receive the authentication success response and generate the JWT token
User is redirected back to CRM dashboard with the help of redirect_url configured in custom IDP.
What we have done till now,
Created a custom IDP inside Keycloak.
Configured all endpoints in this custom IDP
No custom authentication flow yet, all defaults i.e. First login flow is set to 'first broker login'
Challenges we are facing currently,
User on our CRM login page (Not the keycloak login form) and click on login button
The Keycloak login form is shown to user. We dont want any keycloak login pages. but instead the custom IDP endpoints should be executed and a JWT is returned back to redirected CRM application.
Is this possible to achieve the flow I mentioned above?
You need to adapt the browser Authentication Flow
Authentication -> Flows -> Browser
There you find the Identity Provider Redirector. Click Configure and specify a Default Identity Provider (you need the alias of your IDP there)
Normally all available IdentityProviders are listed beside the login form. But if a DefaultIdentityProvider is configured, KC immediately redirects to the external IDP.
I have a setup where Keycloak is acting as an identity broker. There are two Oauth2.0 Identity Providers configured in Keycloak.
A user goes to my app, is forwarded to Keycloak and is presented with two buttons. These buttons can be used to either authenticate with IdP 1 or IdP 2. Once the user is authenticated, keycloak will receive the JWT token and will issue its own JWT token to the client, enriched with claims from the JWT token received from the selected IdP. So far so good.
Now I have the usecase where my app will be embedded in another CRM platform. Let's say this CRM platform uses IdP 1. So a user is able to access the CRM and will authenticate through IdP 1. Then, the user can hit a button and get directed to my app. Of course we don't want the user to authenticate again with the same IdP but now first by going through Keycloak.
My question is, is there a way to let Keycloak use the IdP 1 token the user received when accessing the CRM platform in a way that Keycloak will enrich it and issue a JWT token just as it is done when the user would authenticate through Keycloak?
Consider implementing custom Authenticator that will sign on in Keycloak users that come from CRM. Our goal is to initiate SSO session in Keycloak.
Assume that when user hits button in CRM to got to your app, Keycloak will have access to some data provided by IDP1 that could be useful for identifying which user perform such action. So here we go:
User hit button "go to app"
User comes to App
App redirects user to Keycloak for passing the authentication
Your own custom implementation of Keycloak Authenticator will utilize information from IDP1 (you could utilize mentioned JWT token somehow)
Now SSO session in established and Keycloak redirects user back to your application
???
Profit
Also note that your will have to solve potential problem of session idle synchronization between Keycloak and IDP 1.
Keycloak development guide
I am implementing a SSO using SimpleSAMLPhp Service Provider.
I provided my metadata to remote Shibboleth Identity Provider and was provided a test account.
When a user visits a specific page on my SP, they get redirected to the IdP, login, and are redirected back to my web site with a bunch of IdP provided attributes. This part works.
This part I am struggling with.
If the user authenticates with the same IdP through a different Service Provider and then visits my page, how do I know they are already authenticated? Currently I am being asked to login again.
Is there a configuration value somewhere that lets me do this? Or am I using the wrong method? This is what I am doing.
$as = new SimpleSAML_Auth_Simple({REMOTE_AUTHSOURCE});
$as->requireAuth(); // this redirects to remote IdP login
$attributes = $as->getAttributes();
Thanks.
There are two separate authentication sessions to consider. One session is in you app and the other is at the IdP. The requireAuth method can tell if the user already has an authenticated session in your application, and will return immediately in that case.
There is no way for you to tell if a browser has a session at the IdP. You just call requireAuth whichs send the user there and if the IdP decides the user's session is still valid it will respond without prompting for login.
Are you saying that the user has a valid session at the IdP and they are being re-prompted to authenticate when you send the user there? That could be due to IdP policy, or if your app was sending something like 'forceAuth' in its AuthnRequest.