Keycloak: Hide IDP for certain client - keycloak

I have several client applications behind my keycloak server.
Only for some of them the users should be able to login via external idp.
For the rest of the clients the external idp should be hidden on the keycloak login page.
How can I configure the idp to only be available for certain clients?

While I didn't find the actual solution, I figured out a workaround.
I can configure a custom theme per client. So I designed a login theme that doesn't display the external idps.
Now some clients show the original theme while others show the custom theme without external idps...

Related

Do not show ANY login form in keycloak but call directly the custom IDP authentication endpoint

We have our own CRM portals and we want to offer OpenID based User authentication and authorization.
To achieve this we have decided to use Keycloak.
The flow we formalized is below, and we are stuck, maybe due to not knowing much about the configuration inside Keycloak, or maybe it's not possible.
1. User visits our existing CRM login page where he/she provides the username and password.
2. On click of Login, the Keycloak custom Identity provider should authenticate the user.
3. Keycloak should receive the authentication success response and generate the JWT token.
4. User is redirected back to the CRM dashboard with the help of the redirect_url configured in the custom IDP.
What we have done till now:
- Created a custom IDP inside Keycloak.
- Configured all endpoints in this custom IDP.
- No custom authentication flow yet, all defaults, i.e. First login flow is set to 'first broker login'.
Challenges we are facing currently:
- User is on our CRM login page (not the Keycloak login form) and clicks on the login button.
- The Keycloak login form is shown to the user. We don't want any Keycloak login pages; instead the custom IDP endpoints should be executed and a JWT returned to the redirected CRM application.
Is this possible to achieve the flow I mentioned above?
You need to adapt the browser Authentication Flow:
Authentication -> Flows -> Browser
There you find the Identity Provider Redirector. Click Configure and specify a Default Identity Provider (you need the alias of your IDP there).
Normally all available IdentityProviders are listed beside the login form. But if a DefaultIdentityProvider is configured, KC immediately redirects to the external IDP.
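The same redirect can be triggered per request with Keycloak's kc_idp_hint parameter, which the Identity Provider Redirector honours alongside the default provider. The following is an added example (not code from the original answers) of how the CRM backend would build that authorization request and check the callback; host, realm, client id and IdP alias are placeholders.

```python
# Added example (not from the original answers): build the OIDC authorization
# request that sends a Keycloak user straight to one brokered IdP via the
# kc_idp_hint parameter, which the Identity Provider Redirector honours.
# Host, realm, client id and IdP alias are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK = "https://keycloak.example.test"  # placeholder host
REALM = "crm"                                # placeholder realm
CLIENT_ID = "crm-portal"                     # placeholder client
IDP_ALIAS = "custom-idp"                     # placeholder IdP alias


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_request(redirect_uri, idp_alias=IDP_ALIAS):
    """Return the redirect URL plus the per-login secrets the CRM keeps server-side."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "kc_idp_hint": idp_alias,  # redirector skips the login form for this alias
    }
    auth = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth"
    return {"url": f"{auth}?{urlencode(params)}", "state": state,
            "code_verifier": verifier}


def parse_callback(callback_url, expected_state):
    """Verify the echoed state before trusting the code (CSRF/replay guard)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]
```

The code_verifier and state must be kept in the CRM's server-side session and used when exchanging the returned code at the token endpoint.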

Keycloak 18 proper configuration

I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a user Keycloak console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In case of Keycloak API I'd really appreciate the examples of API calls which should I perform in order to change the user password and email.
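For the REST route the post asks about, the following added example (not code from the original post) prepares the three Keycloak Admin REST calls a backend would issue with a service-account token: set a password, change the e-mail while clearing emailVerified, and mail the VERIFY_EMAIL action immediately rather than at the next login. Base URL, realm, user id and token are placeholders.

```python
# Added example (not from the original post): the three Keycloak Admin REST calls a
# backend would issue with a service-account token to set a password, change the
# e-mail, and send the VERIFY_EMAIL mail at once instead of at the next login.
# Base URL, realm, user id and token are placeholders.
import json
import urllib.request
from urllib.parse import urlencode

BASE = "https://keycloak.example.test"  # placeholder
REALM = "myrealm"                        # placeholder


def _request(method, path, token, body=None, query=""):
    """Build (but do not send) an authenticated Admin REST request."""
    url = f"{BASE}/admin/realms/{REALM}{path}{query}"
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def password_change(user_id, new_password, token):
    # PUT /users/{id}/reset-password with a CredentialRepresentation
    return _request("PUT", f"/users/{user_id}/reset-password", token,
                    {"type": "password", "value": new_password, "temporary": False})


def email_change(user_id, new_email, token):
    # PUT /users/{id}: set the new address and clear emailVerified, so the address
    # is not trusted (for password-reset mail etc.) until the user confirms it.
    # In production, GET the UserRepresentation first and send it back modified.
    return _request("PUT", f"/users/{user_id}", token,
                    {"email": new_email, "emailVerified": False})


def email_verify_mail(user_id, token, client_id, redirect_uri):
    # PUT /users/{id}/execute-actions-email: mails a link that runs the listed
    # required actions now; client_id/redirect_uri send the user back afterwards
    query = "?" + urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return _request("PUT", f"/users/{user_id}/execute-actions-email", token,
                    ["VERIFY_EMAIL"], query)


def send(req):
    """Execute a prepared request and return the HTTP status (network call)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

The service account used for the token should hold only the manage-users role of the realm-management client, and the new password must never be logged on the Vaadin side.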

Can I configure multiple tiles pointing to the same SP application with different default RelayState in Okta?

I have a service (SP) using Okta SAML SSO. I want to expose multiple landing pages of my service as separate tiles in Okta for IdP-initiated login. Can I create multiple tiles pointing to the same SP application, but with different default RelayStates? Is this a reasonable approach? Will it work with other IDPs?
No, it won't be possible, b/c for each of the applications created in Okta you will have a separate set of IdP metadata, which you won't be able to configure on the SP side.
UPDATE: Actually, after posting the answer I double-checked; it may be possible if you create all those applications through the API:
- they need to have the same IdpIssuer
- after creating all of them you need to clone a certificate from one application to all (Okta App API reference)
I have not tried this approach myself, but you may give it a try.

How to use Hashicorp Vault like login to web site

I need advice about how I can use Vault login for the web. I have set up a Debian 8 server. On that server runs a web page (hashi-ui) for managing Nomad and Consul. The web page works and I can access it. But there is no login, so everyone can access this web page. So I need to set up login and authentication of users. I want to use Vault, which runs on that server too. I want a result like: if I access the web page via a web browser, then after entering the URL the web browser pops up a login form (like when you call some REST service that needs to authenticate the user, so the web browser pops up the default login form). I enabled the user-pass method in Vault. I set a username and password, but now I do not know how to set it up for this web page.
How can I set this user-pass method to authenticate the user and then give access to the web page?
Thank you for any advice.
It's an unusual use case, I don't believe you can use Vault directly for it.
Perhaps with PGP, you could use a web interface to keep exchanging encrypted messages with an agent that can proxy your authentication, read and write requests somehow to Vault and transmit them back to you, preferably encrypted. Doing sealing and unsealing like this might be tricky; you might risk getting yourself locked out from sealing if the proxy agent is unreachable or refuses your requests.

How to enable single application logout in CAS?

I have configured CAS (v4.0.0) on Apache Tomcat and have multiple clients based on Java, Python and PHP.
What I want to achieve is: when I log out from any one application and get redirected to cas/logout, I want a popup to open listing all the applications that particular user is logged in to, asking whether you want to log out from every application or not.
I am following the official documentation:
http://jasig.github.io/cas/4.2.x/installation/Logout-Single-Signout.html
and found Single Logout Per Service, which allows me to control single logout behaviour individually: I can control whether a particular service uses Back Channel or Front Channel, or is turned off for that application. But what I want to achieve is this:
1. Logging out all applications, both from CAS and from the browser, dynamically on button click.
2. Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on the CAS server and in the browser too.
3. Configuration to be changed in the PHP and Python clients to handle the logout callback from the CAS server.
Any help would be highly appreciated.
Logging out all applications both from CAS and from browser dynamically on button click
Invoke /cas/logout. If SLO is turned on, all applications will receive a notification to log out. CAS will log out as well.
Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on CAS server and on browser too.
Well, you go to your application and you log out from the application. Why do you want to involve CAS? CAS is not responsible for maintaining your app and how it works. /app/logout should do the job.
Configuration to be changed in PHP and Python clients to handle the logout callback from CAS server.
You'll need to figure out if your clients support CAS SLO. If they do, they will process the SLO notification and kill the app session.
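What "processing the SLO notification" amounts to in a Python client, as an added example that is not code from the original answers: CAS POSTs a form field named logoutRequest containing a SAML LogoutRequest whose SessionIndex is the service ticket that opened the session, and the application must find the session bound to that ticket and destroy it. The ticket values, the in-memory session store and the sample body are constructed for the example.

```python
# Added example (not from the original answers): a Python client's handler for the
# CAS back-channel single-logout callback. CAS POSTs a form field "logoutRequest"
# holding a SAML LogoutRequest whose SessionIndex is the service ticket that
# opened the session; the app looks that session up and destroys it.
# Tickets, sessions and the sample body below are constructed for the example.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TICKET_INDEX = {"ST-12-abc": "sess-1", "ST-13-def": "sess-2"}  # ticket -> session id
SESSIONS = {"sess-1": {"user": "alice"}, "sess-2": {"user": "bob"}}


def ticket_from_logout_request(xml_text):
    """Return the SessionIndex (service ticket) named in a CAS LogoutRequest."""
    # Use defusedxml in production: this XML arrives over the network.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a SAML LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not (idx.text or "").strip():
        raise ValueError("LogoutRequest without SessionIndex")
    return idx.text.strip()


def handle_slo_post(body):
    """Process the raw POST body; return True when a local session was killed.
    Only accept this endpoint from the CAS server's address in a real deployment."""
    fields = parse_qs(body)
    if "logoutRequest" not in fields:
        return False
    ticket = ticket_from_logout_request(fields["logoutRequest"][0])
    session_id = TICKET_INDEX.pop(ticket, None)  # unknown or replayed ticket: no-op
    if session_id is None:
        return False
    SESSIONS.pop(session_id, None)
    return True


# Constructed form-encoded body, shaped like what CAS sends for ticket ST-12-abc
SAMPLE_BODY = "logoutRequest=" + quote(
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0" '
    'IssueInstant="2016-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@'
    '</saml:NameID><samlp:SessionIndex>ST-12-abc</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
```

The ticket-to-session index has to be recorded when the service ticket is validated at login, otherwise the callback cannot map the notification to a session.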