We have integrated KeyCloak server with Azure Active Directory as Identity Provider for SSO Login.
Log-in is working fine. However we facing problem with log-out, When user logs-out from web application, from our backend server side code we are making REST call to Keycloak server for below API.
https://keycloaktest:8443/auth/realms/<realmName>/protocol/openid-connect/logout
for this REST call we are getting 204 status code as response.
However when User tries to log-in in application again from browser it does not ask to enter credentials (active directory credentials).
In order to log-out User. We have access below URL
https://portal.azure.us/#home
and click log-out there.
https://portal.azure.us/Account/SignOut
Is there anyway to achieve this in backend i.e. when User clicks logout from browser
Just ran across this myself. The answer provided here: Logout user via Keycloak REST API doesn't work worked for me. Try adding client_id and refresh_token to your /logout request.
Related
I have a webapp that uses Keycloak for user management and auth provider successfully.
The same application requires a CLI tool for some operations (similar to the gcloud CLI + web console).
I've implemented the CLI part using the OIDC Authorization Code Flow that opens the browser for the user to authenticate. It works like a charm.
However, if the user logoff from the browser, Keycloak will invalidate the session and the cli will have to re-authenticate to get a new access_token and refresh_token.
My question here is, how can I force the CLI app login to create a new session separate from the browser session.
Or, if not possible, what's the correct way of achieving this?
Eventually, found out that I just have to add the scope offline_access to the list of scopes I am requesting. Keycloak will then create a new offline session (bad name for the feature, Offline just means that the user doesn't have to be present, but all the refreshes happen the same way)
https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/sessions/offline.adoc
What I want to do is this:
I have keycloak integrated with my application. So when my app is launched , keycloak login page is shown to user. Now , I am trying to provide an option to login with PingFedrate. So a button to login with PingFed appears(once a new SAML provider is configured in keycloak). On PingFedrate I tried to integrate SP inititated SSO:
I added a new SP connection and there I configured it as SSP initiated SSO. (It forced me to configure SOAP Authentication , where I selected basic and configured random username password). Then I downloaded metatdata.xml from this SP and imported in keycloak which autofilled the login url as : https://myserver:9031/idp/SSO.saml2 (i.e. without client id). After this when user clickon Login with PingFed - PingFed gives following error:
Unexpected System Error Sorry for the inconvenience. Please contact
your administrator for assistance and provide the reference number
below to help locate and correct the problem.
I found the solution to this.
Firstly, we need to add SP inititated SSO in Pingfed for keycloak.
Secondly, the reason I could not make SP inititated SSO work was that keycloak's entityId should be same as Pingfed SP connection's Partner's Entity Id / Connection Id.
Keycloak, by default keeps entity id equal to url of keyloak server containing your realm. E.g
https://(keycloak-server)/auth/realms/(realm-name)
(and I could not find a way to change it through Keycloak UI)
You need to enter this URL in Pingfed.
To avoid adding this manually, you can download the keycloak config from download export tab of identity provider.
And on Pingfed , import this file.
On a side note, though I was importing it earlier, I was changing value of Partenr id to some other name as I was not aware of above restriction until I started decoding the SAML tokens in request.
I'm working with Keycloak 3.4.3
I'm following this post https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered-identity-provider-in-keycloak.html to configure my application to login with AD FS with SAML protocol.
My setup is an Angular 5 UI using the keycloak-js adapter. When the app starts I launch Keycloak.init({ onLoad: 'login-required'}) method for making the Keycloak login page appear. right now I'm able to login using email and password or by clicking the SAML SSO button and login through the AD FS login page.
What do I want to do? I want Keycloak to trigger the SAML SSO before showing the login screen, I mean, if in my pc I'm logged with and AD FS account I want Keycloak to log me in directly with this account and only get me to the login page if I'm not a member of the AD FS so I'm could be able to login via email and password.
Regards
It's possible to use GET request with kc_idp_hint param, and trigger SSO workflow manually:
GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/identity-broker/suggested.html
I downloaded WSO2 IS, took care of all the prerequisites and started it using "wso2server.bat --run" command.
It's running and I am able to configure it in Management Console as Identity Provider (SAML 2.0). I also added my app as Service Provider (SAML 2.0). SSO seems to be working - I navigate to my app, it redirects to WSO2 IS where I log in using default admin/admin. I am then redirected to assertion service in my app when I am authenticating a user. Everything great so far!
The problem is that when I close the browser (using incognito mode) and try to repeat that process and login to WSO2 IS using the same user (admin/admin) I get error message:
"Login failed! Please recheck the username and password and try again."
I also get similar message in console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use given user during SSO process - that account gets deactivated. I can't even login to WSO2 IS Management Console.
I did not change any configuration other than mentioned above.
I would appreciate any help.
I am new to CAS and single signon. Please correct me if my understanding is incorrect, below if what I understand about CAS.
I have 2 web applications
I setup CAS, and when I access URL of WebApp1, it shows me the CAS login page
I fill correct username/password
It takes me in WebApp1
From there I access WebApp2, and it works fine
What I need is as follows:
When I access WebApp1, I must see WebApp1 login page, not that of CAS
Let CAS generate some token for the session
Use this token to authenticate WebApp2 (which the way its working now - step 5 above)
Can someone suggest me how to achieve this?
I am using Java 1.6, CAS 3.4.11, Tomcat 6.
I've made a summary recently on how CAS works.
The principles are written there. Basically it is like this
Access The WebApp1
Show the CAS login page and authenticate
redirect to WebApp1
Now subsequently you do the following
Access WebApp2
the access request is redirected to CAS which without showing a login page authenticates the user
Always under the assumption that both WebApps are configured to use CAS as a login provider and CAS is setup to support both WebApps.
Now in the CAS way what you want to achieve is done like this:
exchange the standard CAS login page with your login page and your done