Guacamole logout function does not log out of web browser - keycloak

I am having an issue with Guacamole server where I cannot log out of the web session once I am logged in. We use Keycloak for identity management and Guacamole server for RDP sessions. The versions of both applications are fairly recent, but we have had this issue for a long time, since the inception. I searched Google but was unable to find any fix; however, there are people who have already experienced a similar issue. Apart from the logout issue everything functions without any problem. A couple of errors I can see in the browser are shown below:
ERROR in browser:
{
  "message": "Session not associated with authentication provider \"openid\".",
  "translatableMessage": {
    "key": "APP.TEXT_UNTRANSLATED",
    "variables": {
      "MESSAGE": "Session not associated with authentication provider \"openid\"."
    }
  },
  "statusCode": null,
  "expected": null,
  "type": "NOT_FOUND"
}

I think I have found the reason why the Guacamole logout is not working: it is Keycloak SSO. It uses cookies to keep users logged in.
What you need to do:
Go to the realm -> Authentication -> Flows -> Choose the flow you use from the drop-down list, usually it is "browser" or a clone of it -> set the authentication type "Cookies" to Disabled.
If you need to keep SSO, limit the session time in the Realm settings.
Try now.
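As an added check (not part of the answer above or of Guacamole's or Keycloak's own code), the following script reads the chosen flow and the realm settings through the Keycloak Admin REST API and reports whether the Cookie execution is still enabled and how long the SSO session lasts; the host, realm name, admin credentials and the timeout thresholds are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Assumed deployment values; replace with your own.
KEYCLOAK = "https://keycloak.example.invalid"
REALM = "guacamole"
FLOW_ALIAS = "browser"          # the flow chosen in the answer above


def admin_token(username, password):
    """Obtain an admin access token from the master realm via admin-cli."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{KEYCLOAK}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def admin_get(path, token):
    """GET a path under the realm's Admin REST API and decode the JSON body."""
    url = f"{KEYCLOAK}/admin/realms/{REALM}{path}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(executions, realm):
    """Report whether the Cookie authenticator is still active in the flow and
    how long an SSO session outlives an application logout.
    `executions` is the flow's execution list, `realm` the realm representation."""
    findings = []
    cookie = next((e for e in executions if e.get("providerId") == "auth-cookie"), None)
    if cookie is None:
        findings.append("no Cookie execution found in flow")
    elif cookie.get("requirement") != "DISABLED":
        findings.append(f"Cookie execution is {cookie['requirement']}: "
                        "the Keycloak SSO cookie will log users straight back in")
    idle = realm.get("ssoSessionIdleTimeout", 0)
    maximum = realm.get("ssoSessionMaxLifespan", 0)
    if idle > 3600 or maximum > 36000:   # assumed thresholds (1 h idle, 10 h max)
        findings.append(f"SSO session idle={idle}s max={maximum}s: consider lowering "
                        "them if the Cookie execution must stay enabled")
    return findings


if __name__ == "__main__":
    tok = admin_token("admin", "admin-password")   # assumed credentials
    flow = admin_get(f"/authentication/flows/{FLOW_ALIAS}/executions", tok)
    for finding in audit(flow, admin_get("", tok)):
        print(finding)
```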

Related

User authentication for Flutter web using OpenID Connect (-> Keycloak)?

I'm currently working on a Flutter/Dart-based web page (not an app). Now I have come to the point where I want the web page to open only if the user has authenticated on my cloud-based Keycloak server (cloud-iam.com).
There are some OpenID Connect client packages for Flutter available, but most only work with Google Firebase/AWS, some others only work for apps, and others are already outdated.
For now, I simply want to use the login frontend offered by the Keycloak server.
But I totally failed to get the available OIDC packages to work... :-(
Does anyone have a suitable package and a reference Flutter/Dart application showing how to authenticate a user using an OIDC identity provider (i.e. Keycloak)?
Thanks!
You can try the keycloak_flutter package, which handles Keycloak user authentication for Flutter web only:
https://pub.dev/packages/keycloak_flutter
As per this package's example
https://github.com/gibahjoe/keycloak_flutter/tree/master/example
you can provide your Keycloak realm and client ID details; it will navigate to your Keycloak server for login authentication, after which you can allow your app to use the token details provided after login.

Keycloak access tokens invalid after Keycloak server restart

We are using Keycloak 3.4.0 / Keycloak.js in our single page app. Keycloak stores its data within a MariaDB.
When I restart the Keycloak server (NOT MariaDB) and refresh my single page app I am redirected to the login page. I thought that Keycloak stores all tokens within its database; shouldn't these tokens still be valid after a restart? Or is it expected that all sessions are logged out?
Do I have to use offline tokens to support this scenario?
The offline token is valid even after a user logout or server restart.
https://www.keycloak.org/docs/3.4/server_admin/index.html#_offline-access
This is written by one of the members of the Keycloak development team:
"The JPA user session provider was dropped (performance was horrible so we deemed it unusable). The user session persister is only used for offline sessions, they survive a server restart."
So yes, it seems they removed it because of performance-related issues. Here you've got the whole thread.

WSO2 IS SAML2.0 Deactivates user after single login

I downloaded WSO2 IS, took care of all the prerequisites and started it using the "wso2server.bat --run" command.
It's running and I am able to configure it in the Management Console as an Identity Provider (SAML 2.0). I also added my app as a Service Provider (SAML 2.0). SSO seems to be working: I navigate to my app, it redirects to WSO2 IS where I log in using the default admin/admin. I am then redirected to the assertion service in my app, where I authenticate the user. Everything great so far!
The problem is that when I close the browser (I am using incognito mode) and try to repeat that process and log in to WSO2 IS using the same user (admin/admin), I get an error message:
"Login failed! Please recheck the username and password and try again."
I also get a similar message in the console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use a given user during the SSO process, that account gets deactivated. I can't even log in to the WSO2 IS Management Console.
I did not change any configuration other than what is mentioned above.
I would appreciate any help.

What does this SSO error mean? - CTJSO1502E The authentication process to the configuration dashboard failed

I'm just starting with Bluemix Single Sign On (SSO). Whenever I access the SSO console using Safari I get a popup with the error below.
CTJSO1502E The authentication process to the configuration dashboard failed
I do not get this error when accessing the SSO console using my Firefox browser.
I've already cleared the cache in Safari. Can anyone give me a pointer or something else to try to get past this?
As it turns out, the solution in Safari is that I needed to enable third-party cookies to access the SSO interface.
The iframe containing the SSO service dashboard comes into the overall Bluemix console (.ng.bluemix.net) from a host on a different DNS domain (.iam.ibmcloudsecurity.com). Session cookies for the dashboard get blocked unless third-party cookies are allowed, or at least permitted from .iam.ibmcloudsecurity.com.

ADFS2.0 SP-Initiated URL?

We've deployed an ADFS Server and its associated proxy, with our application as the relying party, and a cloud identity provider (Covisint) as Claims Provider.
We have tested the ADFS server using Active Directory as the claims provider, and the authentication process is successful end to end.
When we switch the application's home realm over to use the cloud provider, the process seems to work up to the point where the cloud provider returns the now-logged-in user back to https://[adfs url]/adfs/ls
This is what we had supplied the cloud identity provider with as the SP-initiated URL for them to return logged-in users to, but it appears to be incorrect, or incorrectly configured, as it presents the user with the error below.
What is the URL that the cloud provider should post logged-in users to for SAML 2.0 on ADFS 2.0?
I should also note that even logged-in users are being redirected to the cloud provider on access to the app, leading me to believe that a necessary SAML > ADFS post has not happened yet.
Error:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 4973cca5-db6f-43dd-bd9b-59fa9872e97c
There is nothing of use in the trace or admin logs.
Thanks!