I am using Keycloak as a broker with OIDC, connecting to 3rd party IdP. Client app (Welcome page) calls Keycloak, then Keycloak redirects to Idp login page. We have a following requirement:
1) User1 bookmarks Idp Login page. User1 logs in using IdP login page. On successful authentication IdP calls iodc endpoint and Keycloak redirects User1 to client app.
2) User1 closes browser without signing out
3) User2 opens a new browser using bookmarked page, enters credentials and on successful authentication calls back Keycloak.
At this point, I want to kill User1's active session and allow User2 without showing any error at Keycloak side (As if User1 was signed out and User2 logs in). Keycloak should redirect User2 to client app.
Please suggest if this can be done using SPI?
Thanks in advance.
Related
Situation
For my web application, I have set up a keycloak (v18.0.0) realm with an external SAML IDP.
After successfully logging in, the application is using its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.
In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.
Problem
When triggering the single sign-out from keycloak itself using this "https://baseurl/realms/my-realm/protocol/openid-connect/logout"`, keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.
Question
How can I force keycloak to trigger the front-channel logout URI on a single sign-out request?
I’m new in the Keycloak’s world and I need some help to configure my login flow.
I’ve configured Keycloak to allow people to login with their ADFS account or with a ldap account.
ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak where they see a login form and a button to login through ADFS.
This work perfectly, but we would like people not to see that screen if they are already logged in on ADFS and only see the login form if they’re not connected in ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username password form, in this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak .
Do you know how can we configure Keycloak to implement that flow?
I’m using Keycloak 11.0.0-alfresco-001 (keycloak 11 packaged by alfresco (as alfresco-identity-service) with a custom theme. The code is available on Alfresco’s github .
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, its possible to configure keycloak to implement the desired flow as a brokered IdP in the following way: -
While configuring ADFS in keycloak and importing its federation metadata file in it, check the settings and enable validate the signature option for the authentication requests to be sent to ADFS, also enable ‘Want AuthnRequests’ signed option. Afterwards, set the signature key name field to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in keycloak for transforming the details through SAML assertion to keycloak user store.
After that, check the descriptor URI that needs to be set by modifying the ADFS redirect URI by adding the ‘/descriptor’ to the redirect URI in this field. The URI will be like ‘https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor’.
Also, please ensure that the signing certificate for the keycloak in ADFS claims provider is not self-signed and is issued from a trusted third-party CA and installed in the server’s local system certificate store.
Disable certificate revocation check for the certificate installed on the Adfs server and ensure ‘backchannel logout’ option is checked in keycloak
• Once the above settings are checked thoroughly, the default login redirection page should be displayed after that and the user should be able to select the IdP from the login page accordingly.
Please find the below links for more information: -
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction
I have problem with Keycloak's configuration and Single Logout from SAML Identity Provider.
Scenario:
User tries to log into Service Provider using Keycloak's client (OID)
KC redirects to SAML identity provider
Entering correct credentials, user is logged in, KC creates session and user is redirected back to SP page
In another tab user directly logs into IP (no credentials are needed because of SSO)
User logs out from SP
After refresh 2nd tab (IP), user is logged out.
However, if user logs out from IP first, SP session is not closed and user is still logged in:
User logs out from IP (redirect to KC endpoint and return back to IP login page)
After refresh, user is still logged in SP
Keycloak correctly receives samlp:LogoutRequest request and returns <samlp:LogoutResponse
...
samlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In KC admin console I can still see there is active session for given client (and user). Actually I can see SAML logout request from IP only in KC stdout (request-dumper filter) but no logout event occured in KC.
I dont really understand in details how SAML works, but shouldn't be user logout from SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration?
Thank you for your help/explanation
Requirements for Global Logout to work
Clients which are being used for both the service providers should be in the same realm.
When you log out from IdP, do you see a request being fired to logout from each of the service providers? I believe in your case, it is not calling Logout URL for your SP. That needs to be configured at a client level.
If logout URL for SP is being called and if even then you are logged into your SP, then it means that SP has some issues in the implementation of Log out.
When you logout from SP first in that case your SP is sending logout request to IdP and that's why you are being logged out from IdP as well as SP.
But on the other case, I believe Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration to help you better?
I have two service providers(SP) and one common identity provider(IDP).
I can login to both my SP through IDP initiated SSO.
I have same user in both my SP so user lookup is working fine.
After logging in through IDP i have landed in SP1. In SPA i want a link which will be redirected to SP2 landing page without calling the login ti ISP again.
How can i do this?
I have a external openidconnect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to KeyCloak login page. On the login page I have the external openidconnect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is identityserver3 instance). The external provider does authenticate the user and send back a code.
Now the redirecturl for the registered client in the external identity provider is that of keycloak's. So after authentication is successful at the external IDP it send back the code(because it is Auth code flow) to keycloak at a redirect url:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
In the URL if you see it ends with endpoint. I don't think that's correct but I cannot change it in KeyCloak (it's disabled) and because of that in the external IDP client configuration.
KeyCloak does not understand above url and errors out with a message "unexpected error when authenticating with Identity Provider"
Isn't KeyCloak supposed to understand the code flow and make another request for token after receiving the code. Then the external IDP will respond with token and Keycloak will send back that token to client(will also store it for future use).
Can someone please share some knowledge on how Keycloak works with external openidconnect ID provider with code flow.
Usually the redirect URI for external identity providers take the form of {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, authorization code will be sent to this url, which in turn will redirect it to the redirect url of your client application (specified when registering the client in Keycloak).
Unexpected error when authenticating with Identity Provider is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because keyclaok is unable to get token from identityserver3 by exchanging authorization code. Where did you hosted identityserver3? Does it have a real ca certificate or you are using self sign certificate? Have you configured client_id , secret, token endpoint properly in keycloak external IDP configuration? You can test manually my posting client_id, secret, code (that you received) in token endpoint of identityserver3.