Prevent IdP users from saving to Keycloak local storage at login - keycloak

I want to prevent IdP users from being saved to the Keycloak local storage when they log in.
Is there some sort of switch in the admin console that prevents IdP users from being saved to the Keycloak local storage?
Or how can I achieve this programmatically?

Related

SPA webapp SSO federation

I have an SPA web app using OpenID Connect for authentication and authorization with a local Keycloak.
This app is now moving to a Windows on-prem infrastructure using AD, Kerberos tickets and a central SSO.
Users log in to their Windows session, and then we shall be able to transparently log in to our SPA web app (i.e. without entering credentials).
How can I convert Kerberos ticket/authentication into the OpenID Connect world? Where is the magic?
Shall we add some Kerberos in our app?
How can we retrieve our access token containing the user role?
Thanks

Your SPA should continue to talk to Keycloak using OIDC, and no code in the SPA should need to change. Your APIs will also continue to receive the same access tokens.
You should only need to configure Keycloak to use AD for authentication as an LDAP data source. Here is an article on how to do that. It is an infrastructure job rather than just a coding one, so I would recommend collaboration with AD administrators on the environment setup.
AD is only one possible authentication method, and by doing things this way you keep your options open. You are likely to need to perform account linking, e.g. to identify users the same before and after the migration. There may be some data setup involved here, e.g. ensure AD has the same emails as the existing system.

Spring Cloud Gateway token relay with Keycloak resource owner password credentials grant

Our application has its own login/signup and user management portal. We don't want to redirect the user to the Keycloak login page, due to which the authorization code grant flow is out of the picture. I am trying to find a way to use Spring Cloud Gateway's TokenRelay filter with the password grant.

Keep session between Azure B2C userflow and Keycloak SSO

I've configured a SPA application with an Azure B2C user flow to sign in on my SSO (based on Keycloak) using OpenId. Then I've configured another application with an Azure B2C custom policy to sign in on the same SSO, but using SAML.
I have another application on AWS directly connected to Keycloak with another client.
The user can authenticate on both my Azure B2C, then navigate to the KK app, where the user is already authenticated.
This is not happening the other way. If the user authenticates on the KK app, the session isn't shared with the Azure B2C apps and he has to do the login again. Likewise, the session is not maintained between the two Azure B2C applications.
My custom policy is based on SocialAccounts of MS Starter Pack. And this is my UserFlow session configuration.
Any suggestion on what I'm doing wrong?

Is there a way to disable user registration in Keycloak realm's local database as part of first broker login?

As per the Keycloak documentation, when the user logs in through identity brokering, Keycloak checks and creates the user in the realm's local database as part of the First Broker Login Flow.
Is there a way to disable user onboarding in Keycloak local database and always check for the authentication from IDP instead of local database?
And what is the rationale behind this default Keycloak implementation as there are some basic issues like user data synchronisation between Keycloak and IDP?

Safely generate a SAML2 token in a client application without install signing certificate

I have a client application (Windows) which the user is logged into. From this application, the user will want to access a remote website using single sign-on (SAML) and will be authenticated by Microsoft WIF. To do this, the user will click a button which opens a local web browser, generates a SAML token (containing username and roles, etc.) and makes an HTTP POST to a remote website to access it, signing them in.
I want the user to be signed in automatically, based on their credentials from the Windows application.
I know roughly how to generate the SAML token, but presume this requires the signing certificate to be installed on the local PC, which would need to be installed into all PCs in my Company.
Installing this certificate doesn't seem quite right. How else can I safely allow users to generate a SAML token which will be accepted by the Service Provider (via single sign-on)?
UPDATE:
The user is not authenticated into the Windows Application using Windows Authentication (Kerberos), we make a custom SQL call to a database of username/password.
In the win app, we will know the username and their roles, so could generate claims from this, or pass it to a remote STS to generate and sign the SAML token. But again passing this data across to the STS seems totally wrong again.

The signing certificate must not be on the user desktop. Otherwise, any user could potentially generate a SAML token with the userid it wants.
What you want is a Secure Token Service (STS): an identity provider that will authenticate your user through Kerberos (as you want to re-use the identity of the logged-on user) and give you a signed SAML token.
All of this could be done when you open a web view in your application. The starting URL should be the Identity Provider endpoint for IDP-initiated SSO, with a URL parameter identifying the service you want to access.