Gerrit OKTA SAML plugin configuration redirecting to login page after successful authentication at OKTA - saml

I configured gerrit as per the documentation https://gerrit.googlesource.com/plugins/saml/
I am able to log in successfully at OKTA, but Gerrit is redirecting to the login page. I am not sure which attribute is causing this redirect.
No logs for SAML plugin.
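Since the plugin writes nothing to the log, the quickest way to see what Okta actually sends is to capture the SAMLResponse form value from the browser's developer tools and compare the attribute names in the assertion with the ones gerrit.config expects (userNameAttr, displayNameAttr, emailAddressAttr). A silent redirect back to the login page is the kind of symptom a mismatched username attribute produces, so it is worth ruling out first. The script below is an added example, not code from the saml plugin or from the question: the EXPECTED names and the sample response are constructed placeholders, and the script does not verify the XML signature, so it is a diagnostic, not a substitute for the plugin's own validation.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the XPath lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names expected on the Gerrit side. These are assumptions standing in
# for whatever gerrit.config sets for userNameAttr, displayNameAttr and
# emailAddressAttr; replace them with the values from your own configuration.
EXPECTED = {
    "userNameAttr": "UserName",
    "displayNameAttr": "DisplayName",
    "emailAddressAttr": "EmailAddress",
}

# Constructed sample response (unsigned, trimmed): the IdP reports Success but
# names the attributes "login" and "email", which matches none of EXPECTED.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-constructed-sample</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs to the ACS endpoint: the XML, base64-encoded,
# in the SAMLResponse form field.
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_response(saml_response_field: str) -> bytes:
    """Turn the base64 SAMLResponse form value back into XML bytes."""
    return base64.b64decode(saml_response_field)


def summarize(xml_bytes: bytes) -> dict:
    """Pull status, NameID and the attribute map out of a SAML response."""
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"status": status, "name_id": name_id, "attributes": attributes}


def missing_attributes(attributes: dict, expected: dict = EXPECTED) -> dict:
    """Map each gerrit.config key to the attribute name the response lacks."""
    return {key: name for key, name in expected.items() if name not in attributes}


if __name__ == "__main__":
    info = summarize(decode_saml_response(SAMPLE_POST_VALUE))
    print("status:", info["status"])
    print("NameID:", info["name_id"])
    print("attributes sent:", sorted(info["attributes"]))
    print("expected but missing:", missing_attributes(info["attributes"]))
```

Run it against the real SAMLResponse value (paste it in place of SAMPLE_POST_VALUE) and either rename the Okta attribute statements to match gerrit.config or point the *Attr settings at the names Okta uses; an empty "expected but missing" map means the attribute mapping is not the problem.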

Related

Keycloak IDP forwarded auth does not redirect to front-channel logout URL

Situation
For my web application, I have set up a keycloak (v18.0.0) realm with an external SAML IDP.
After successfully logging in, the application is using its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.
In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.
Problem
When triggering the single sign-out from keycloak itself using "https://baseurl/realms/my-realm/protocol/openid-connect/logout", keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.
Question
How can I force keycloak to trigger the front-channel logout URI on a single sign-out request?

Only display login form if user is not connected on identity provider

I’m new to the Keycloak world and I need some help configuring my login flow.
I’ve configured Keycloak to allow people to login with their ADFS account or with a ldap account.
ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak where they see a login form and a button to login through ADFS.
This works perfectly, but we would like people not to see that screen if they are already logged in on ADFS, and only see the login form if they’re not connected to ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username/password form. In this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak.
Do you know how can we configure Keycloak to implement that flow?
I’m using Keycloak 11.0.0-alfresco-001 (Keycloak 11 packaged by Alfresco as alfresco-identity-service) with a custom theme. The code is available on Alfresco’s GitHub.
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, it's possible to configure Keycloak to implement the desired flow as a brokered IdP in the following way:
While configuring ADFS in Keycloak and importing its federation metadata file, check the settings and enable the ‘validate signature’ option for the authentication requests sent to ADFS; also enable the ‘Want AuthnRequests signed’ option. Afterwards, set the signature key name field to CERT_SUBJECT, as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in keycloak for transforming the details through SAML assertion to keycloak user store.
After that, check the descriptor URI, which needs to be set by appending ‘/descriptor’ to the ADFS redirect URI in this field. The URI will be like ‘https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor’.
Also, please ensure that the signing certificate for the keycloak in ADFS claims provider is not self-signed and is issued from a trusted third-party CA and installed in the server’s local system certificate store.
Disable the certificate revocation check for the certificate installed on the AD FS server, and ensure the ‘backchannel logout’ option is checked in Keycloak.
• Once the above settings are checked thoroughly, the default login redirection page should be displayed after that and the user should be able to select the IdP from the login page accordingly.
Please find the links below for more information:
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction

How do I customize Keycloak (Broker) OpenID connect endpoint callback from 3rd party IdP?

I am using Keycloak as a broker with OIDC, connecting to a 3rd-party IdP. The client app (Welcome page) calls Keycloak, then Keycloak redirects to the IdP login page. We have the following requirement:
1) User1 bookmarks the IdP login page. User1 logs in using the IdP login page. On successful authentication the IdP calls the OIDC endpoint and Keycloak redirects User1 to the client app.
2) User1 closes browser without signing out
3) User2 opens a new browser using the bookmarked page, enters credentials, and on successful authentication the IdP calls back Keycloak.
At this point, I want to kill User1's active session and allow User2 in without showing any error on the Keycloak side (as if User1 had signed out and User2 logged in). Keycloak should redirect User2 to the client app.
Please suggest if this can be done using an SPI.
Thanks in advance.

Vaadin Flow and Keycloak Server: connection lost, trying to reconnect

We have implemented a Vaadin application using the latest 14 LTS version of Vaadin and integrated it with Keycloak 8. The configuration works, and when we first start the application the user is forwarded to the Keycloak login page and then redirected to the Vaadin app.
When the Keycloak token expires, the application doesn't redirect to Keycloak, as it runs a heartbeat AJAX request in the background and tries to redirect to the Keycloak login page. We first get a CORS error from Keycloak, which somehow can be resolved from Keycloak I assume, but even if this works, the redirect doesn't take us to the Keycloak login, as it is an AJAX request.
When we inspect the page we have this flow:
Heartbeat URL
URL: http://localhost:8090/?v-r=uidl&v-uiId=3
Application Login Page
URL: http://localhost:8090/sso/login
Keycloak Login URL
URL: https://keycloak_url/auth/realms/htp/protocol/openid-connect/auth?response_type=code&client_id=web&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Fsso%2Flogin&state=6ed652f2-dd7e-4398-bc60-798f6d055f69&login=true&scope=openid due to access
and the result is not a JSON response, but a window in the application containing the Keycloak login form instead of a redirect.
Any idea how to solve this issue?
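The chain captured above (heartbeat → /sso/login → Keycloak) is what happens when the server answers an XHR with a 302: the browser follows the redirect silently, the cross-origin Keycloak page fails the CORS check, and whatever does come back lands in the UIDL response instead of a navigation. The usual fix is for the server to recognise background requests and answer them with a 401 carrying the login URL, leaving the 302 for real page loads. The code below is an added example in Python, not code from Vaadin, Keycloak or the question; the Keycloak URL, client_id and redirect_uri are copied from the URL quoted above, and the request handling is a stand-alone model of the decision, not a servlet filter.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the Keycloak authorization URL quoted in the question.
KEYCLOAK_AUTH = "https://keycloak_url/auth/realms/htp/protocol/openid-connect/auth"
CLIENT_ID = "web"
REDIRECT_URI = "http://localhost:8090/sso/login"


def build_login_url(state: str) -> str:
    """Authorization-code request, with a caller-supplied state for CSRF binding."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": "openid",
    }
    return f"{KEYCLOAK_AUTH}?{urlencode(params)}"


def is_background_request(url: str, headers: dict) -> bool:
    """True for requests a browser will not treat as navigation.

    Vaadin marks UIDL traffic (including the heartbeat) with v-r=uidl; other
    XHR clients usually send X-Requested-With. Header names are matched
    case-insensitively.
    """
    query = parse_qs(urlparse(url).query)
    if query.get("v-r") == ["uidl"]:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-requested-with", "").lower() == "xmlhttprequest"


def handle_unauthenticated(url: str, headers: dict, state: str = ""):
    """Return (status, headers, body) for a request with no valid session.

    Navigation requests get the usual 302 to Keycloak. Background requests get
    a 401 with the login URL in a JSON body, because a 302 on an XHR is
    followed silently by the browser and the cross-origin Keycloak page then
    fails CORS or ends up as the UIDL response body.
    """
    state = state or secrets.token_urlsafe(16)
    login_url = build_login_url(state)
    if is_background_request(url, headers):
        body = json.dumps({"error": "session_expired", "login": login_url})
        return 401, {"Content-Type": "application/json"}, body
    return 302, {"Location": login_url}, ""


if __name__ == "__main__":
    # Constructed requests: the heartbeat from the question and a plain page load.
    for url, hdrs in [
        ("http://localhost:8090/?v-r=uidl&v-uiId=3", {}),
        ("http://localhost:8090/", {"Accept": "text/html"}),
    ]:
        status, hdrs_out, body = handle_unauthenticated(url, hdrs, state="demo-state")
        print(status, hdrs_out, body[:80])
```

The browser side then needs a small hook that, on a 401 from the UIDL endpoint, reads the login URL from the JSON and assigns it to window.location so the whole page navigates to Keycloak; the state value should be stored server-side and compared at /sso/login when the code comes back.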

PingFederate IdP-initiated Logout, redirect to TargetResource

The PingFederate logout-from-IdP flow, as given in the PingFederate documentation:
Sequence
1) The user initiates a single logout request. The request targets the PingFederate server’s /idp/startSLO.ping endpoint.
2) PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.
3) PingFederate redirects the request to the IdP web application’s Logout Service, which identifies and removes the user’s session locally.
4) The application Logout Service redirects back to PingFederate to display a logout-success page.
But I have a slight problem regarding the application Logout Service, which needs to be set in the IdP adapter configuration.
The problem is that I have a dynamic logout URL, which means I can't use it in the Logout Service.
Currently I am trying to initialize the IdP-initiated SLO, for which I am passing TargetResource to redirect the user to the IdP after SLO success.
https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout
Question:
So how can I rig the PingFederate setting to skip step 3, so that instead of redirecting to the IdP Logout Service it redirects to TargetResource?
What I have tried:
I know it sounds cheesy, but I actually left the IdP Logout Service blank. But obviously it wasn't working.
P.S. The awkward thing is that when I was using the same PF server for configuring both the IdP and the SP it was working well. But when I switched to a separate PF instance for hosting the PingFederate server, this consequence showed up.
You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET. I have a web service that handles the SLO and calls this redirect:
Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)
This redirect will instantiate the Logout service and then redirect back to the value of the targetResource parameter that you specified when you called the logout service.
If your targetResource does not have a value, the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs).
For reference: Just review the implementation of the sample application that you may download here
https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip
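The redirect in the answer joins the SP server DNS name to the raw "resume" value from the request. That only does what you want if "resume" is a path on the PingFederate server; taken unvalidated, the same line turns the Logout Service into an open redirect for any value that carries its own host. The following is an added example, not the answerer's .NET code and not part of the PingFederate integration kit: it restates the Logout Service in Python and adds that check. The PF base URL is the one from the question; the "/idp/resumeSLO.ping" value and the session ids are constructed placeholders, not real PingFederate resume paths.

```python
from urllib.parse import urlsplit

# PingFederate base URL as given in the question.
PF_BASE = "https://idp.pf.com:9031"


class BadResume(ValueError):
    """Raised when the resume value is not a path on the PingFederate server."""


def build_resume_redirect(resume: str, pf_base: str = PF_BASE) -> str:
    """Rebuild the Logout Service's final redirect: PF host + resume path.

    The answer concatenates the SP server DNS name with the raw resume
    parameter. That is only safe if resume is a path on the PF server; a value
    with its own scheme or host (https://..., //host/...) would send the user
    elsewhere, so validate before joining.
    """
    if not resume or not resume.startswith("/") or resume.startswith("//"):
        raise BadResume(f"resume must be an absolute path on the PF server: {resume!r}")
    if "\\" in resume or any(ord(c) < 0x20 for c in resume):
        raise BadResume("control characters or backslashes are not allowed")
    parts = urlsplit(resume)
    if parts.scheme or parts.netloc:
        raise BadResume("resume must not carry a scheme or host")
    return pf_base + resume


def logout_service(query: dict, sessions: set, session_id: str) -> tuple:
    """Model of the application Logout Service called in step 3 of the SLO flow.

    Drops the local session first (so the app is logged out even if the resume
    value is rejected), then returns a (status, location) pair.
    """
    sessions.discard(session_id)
    try:
        location = build_resume_redirect(query.get("resume", ""))
    except BadResume:
        # Reject rather than echo the bad value back as a Location header.
        return 400, None
    return 302, location


if __name__ == "__main__":
    # Constructed inputs: a plausible PF resume path and two values with their own host.
    live = {"sess-1", "sess-2"}
    for value in ["/idp/resumeSLO.ping", "//other.example/x", "https://other.example"]:
        print(value, "->", logout_service({"resume": value}, live, "sess-1"))
    print("remaining sessions:", live)
```

Once the Logout Service has redirected to the resume path, PingFederate completes the SLO and sends the browser on to the TargetResource from the original startSLO.ping call, or to the default SLO URL when no TargetResource was given, exactly as the answer describes.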