Referring this git repo (https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/secret-question.ftl) I manage to add a security question which can use to ask from user in the event of “forget password” for
additional level of security.
However, in the current system, there is provision of storing only one security Q&A. I am looking to modify this to include the following:
functionality be extended to include 3 security Q&As which is popular practice. I modified the keycloak secret-question.ftl to include 2 more questions.
But there is no way to store the additional questions and answers extracted from the ui form in the UserCredentialValueModel SecretQuestionRequiredAction.java).
I am new to KeyCloak and need guide.
Related
We are developing a keycloak(5.0.0) based solution where our clients can create their account with us and manage their own users - and only their users.
Initially with thought that we could use realms for this. Every client gets their own realm. After initial testing we deemed it might not be a good solution as after creating ~500 realms the application becomes unresponsive(https://issues.jboss.org/browse/KEYCLOAK-4593).
We decided to try using Groups to emulate a tenant. Our objective is to create during an external process(keycloak REST API) a group with an admin user.
Can't find currently a way how to restrict this administrator to be able to only manage their own group(creating subgroups, managing users, and giving them roles).
I've noticed several emails mentioning these features but I fail to find actual examples to make this work.
http://lists.jboss.org/pipermail/keycloak-user/2017-June/010882.html
http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html
The second link shows exactly what we would like to achieve.
Current alternative I can see is to implement a facade(client or separate web app) which would restrict visibility and access to other groups.
Are there other alternatives?
I am new to Hadoop management and Hortonworks Hadoop. My question is what is the common practice of managing users in Hortonworks. Ambari allows me to create users, but how do companies map users in Ambari to their users. I see that in Hortonworks, I can enable Kerberos; is this the way to allow company users, for example in LDAP, to use the same username/password to login to Hortonworks? I'm not looking for details here, but just some guidance as to what the common practice is.
An identity source is needed. AD is quite common to be used for that purpose. You'd use something like sssd to integrate AD with your cluster nodes. Once that is done, you can integrate your cluster with AD's kerberos. Finally, you'd use AD's LDAP as a source of authentication for Ambari.
Of course, neither of those things is required. You could as well maintain various identity sources and sync periodically between them (e.g. OS users in /etc/shadow, kerberos users in MIT KDCs database, Ambari users in relational database, etc). Just take into account extra time/effort that will be needed to manage cluster users.
#facha gives a nice explanation.
Since I work with LDAP and Hortonworks I can only comment on this combination. To start figuring some things out you can for example use LDAP (called demo LDAP) that comes with the standard installation of Hortonworks. You can use the pre-supplied LDAP mappings in Ambari to add more users.
Afterwards you can import these users in Ranger for example to set new policies for the different Hadoop services. This is done with "ranger user sync", which is different from the access to Ambari with ldap users (ambari-server sync-ldap). I was not aware of this difference in the beginning, so it is good to notice.
If you have done all this you can also add Kerberos security, but this is something a lot more difficult to understand (keytabs and principals etc.).
Here is some good information and a nice tutorial on working with LDAP.
If you want to easily manage LDAP users and groups, I would recommend ApacheDirectoryStudio.
It is generally recommended not to store credentials in a repository. The question is, where should they be stored then, so all developers have access to the same configuration?
The question is subjective - different practices may be applied. For me, the approach that worked best is utilisation of some form of "Single Sign-On" where possible and provision of personal logins to every system to developers. This also has an advantage of being able to find out who was responsible for a destructive action (which sometimes happens).
You can also take the approach as described here: store the credentials in the SCM, but in encrypted form. This will allow to maintain versioning, yet not allow access "for everyone". I'd say, best option is to combine these two approaches (and store only developer-environment "service" credentials - encrypted - in the SCM)
I stored the config files in a private S3 bucket and manage access via IAM. The configuration updates and revisions are handled by a small script using the AWS gem. That way anybody with sufficient privileges can access them, and we also can issue access credentials for each developer separately.
Does anyone know how to issue additional claims from StarterSTS by Dominic (Codeplex). I currently am getting only Login Time Instance and the Authentication Type which is password. Is there some config file i can edit or Code i need to insert to provide additional claims to the user ?
I'm not sure if you can in StarterSTS, but if you note on the project it says:-
IMPORTANT
StarterSTS has been discontinued. The sources will stay up here for educational purposes. Please use my new project IdentityServer (http://identityserver.codeplex.com) from now on.
IdentityServer does support additional claims. You add the claims using the user profile - it's very easy to do so I would recommend you upgrade to this if possible.
I can't see the source for starterSTS so I'm not sure if it supports this feature. You can find Identity Server V2 here
Hi I am using CAS for SSO. But problem is that i want reset password,register new user on CAS login screen.Does CAS provide these services or i have to implement?
Or Any other SSO solution exist which fulfill my requirement.
CAS is just a SSO frontend to your existing identity management solution (database, LDAP etc). It does not include any identity management features itself (create user account, reset password etc). I have recently been using the Cloudseal platform which is a full identity management solution and so far I am pretty impressed. I believe Atlassians Crowd also includes this although I have not used it. There are probably other products out there as well.
Both of these are commercial products although they are both free for the first 50 users. Crowd is a traditional standalone platform which you download, install and configure but Cloudseal is a hosted service so there is no installation and less config.
You can certainly modify the spring weblog and login page to allow for the functionality that of course you'd have to implement. You should also ask the question on #cas-user mailing list to see if a similar need in the community has been implemented by other users which you may be able to take advantage of. I remember only recently someone raised the same question to the list and there was a bit of interest in getting this feature developed and integrated. You may want to revisit the topic on the mailing list.
Hope this helps.