Keycloak - Dynamic Registration URLs - keycloak

I'm trying to implement a way to efficiently manage several thousand users in a Keycloak cluster somewhat automatically. I am wondering if there is a way for a user with higher credentials to generate a registration link containing URL parameters that would then assign the appropriate role/group to a user who visited that link and created a new account?
Is this possible to do with keycloak out of the box? Thanks!
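The question has no answer on the page, so the following is an added example and not something Keycloak provides out of the box. It sketches the one property such a link must have to be safe: the group named in the URL has to be unforgeable, otherwise any visitor can edit the parameter and grant themselves a privileged group. The sketch mints an HMAC-signed, expiring, single-use invite token on the server, verifies it when the new account is confirmed, and only then builds the Keycloak Admin REST call that joins the user to the group. The secret, the group names, the `/invite` landing page and the surrounding application are all assumptions; the Admin REST path `PUT /admin/realms/{realm}/users/{id}/groups/{groupId}` is Keycloak's documented endpoint.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Hypothetical server-side secret; in production load it from a secret store.
# It must never reach the browser, otherwise anyone can mint their own invites.
INVITE_SECRET = b"example-secret-replace-with-32-random-bytes"

# Groups an inviting admin is allowed to hand out (assumed names, not Keycloak defaults).
# Keeping an allow-list means a leaked signing key still cannot grant admin groups.
ALLOWED_GROUPS = {"customers", "partners"}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, secret: bytes) -> str:
    return _b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())


def make_invite(group: str, issuer: str, ttl: int = 86400,
                now: Optional[float] = None, secret: bytes = INVITE_SECRET) -> str:
    """Mint a signed, expiring, single-use invite token naming the group to join."""
    if group not in ALLOWED_GROUPS:
        raise ValueError(f"group not invitable: {group}")
    payload = {
        "grp": group,
        "iss": issuer,                       # who created the invite (audit trail)
        "exp": int((now if now is not None else time.time()) + ttl),
        "jti": secrets.token_hex(8),         # unique id so the token can be marked used
    }
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body, secret)}"


def verify_invite(token: str, used: set, now: Optional[float] = None,
                  secret: bytes = INVITE_SECRET) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and unused, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body, secret)):
        return None                          # forged or tampered
    try:
        payload = json.loads(_unb64u(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        return None                          # expired
    if payload.get("grp") not in ALLOWED_GROUPS or payload.get("jti") in used:
        return None                          # group no longer invitable, or replayed
    used.add(payload["jti"])
    return payload


def invite_url(base: str, token: str) -> str:
    """Hypothetical landing page in your own app that sends the visitor on to registration."""
    return f"{base}/invite?{urlencode({'t': token})}"


def group_join_request(base_url: str, realm: str, user_id: str, group_id: str) -> Tuple[str, str]:
    """Admin REST call to make AFTER Keycloak has created the account, from the server only.

    Keycloak Admin API: PUT /admin/realms/{realm}/users/{user_id}/groups/{group_id}
    group_id is the group's UUID (look it up via GET /admin/realms/{realm}/groups).
    The caller authenticates with a service-account token holding manage-users.
    """
    return ("PUT", f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}")


if __name__ == "__main__":
    seen = set()
    tok = make_invite("partners", "admin@example.com", ttl=3600)
    print(invite_url("https://app.example.com", tok))
    print(verify_invite(tok, seen))          # payload
    print(verify_invite(tok, seen))          # None: second use is a replay
```

The `used` set stands in for whatever durable store marks a token as consumed; without it a captured link can be reused by anyone who sees it. Because the group assignment happens server-side after verification, nothing the browser can send changes which group is joined.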

Related

Enable single sign-on for the application

I am learning SSO, so I am familiar with the basic concepts.
I have a web application (Ruby on Rails) where users are saved in a Postgres DB (in AWS).
The users want to log in to another service (Rollbar) using the same user credentials that they use in our application. In other words, I want to move the application's user information to an identity provider, so that the users can log in with the same credentials to the application and Rollbar using SSO.
One option I thought of is to move the users to Google Workspace or Azure AD, but that is too much, as I am not looking for any additional features.
I did see services like Auth0 and Okta; just wondering whether I am going in the right direction.
Any service name or links to documentation is appreciated

How to map social credentials with custom ones

My company has a userbase, of course, but I want to allow users to log in and use my applications with their social accounts, e.g. Outlook, Facebook, Gmail. Something that is usually not clear to me when I read resources on the Internet on the topic is how to map the social credentials to the ones in our database? I know we should use an API platform or something like that, but the user identity part is not clear to me.
You basically need to, as you noted, tap into the provided response and transform or link or provision it to existing identities in your own userbase. A lot of this depends on your method of delegating authentication to external providers and the things they expose back to you as part of the user profile. You basically need to grab the user profile, parse it and then determine which field can be used to link that profile to an existing account, and then establish the authentication session based on the final result.
Here is a link to a technical walkthrough that describes the same process with an SSO solution: https://apereo.github.io/2018/04/20/cas-delegated-authn-account-linking/
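As an added example of the linking step the answer describes (not code from the answer or from CAS), here is a small resolver that takes a normalized profile from a social provider and decides between the three outcomes: an already-linked account, a fresh link to an existing account, or provisioning a new one. The check a practitioner wants is the one on `email_verified`: matching by e-mail alone lets anyone who can register an unverified address at the provider take over the local account that owns it. The local users, provider names and profile dictionaries are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LocalUser:
    user_id: int
    email: str
    # provider name -> subject identifier ("sub") the provider assigned to this person
    links: Dict[str, str] = field(default_factory=dict)


class AccountLinker:
    """Resolve a social-login profile to a local account (hypothetical, in-memory)."""

    def __init__(self, users: List[LocalUser]):
        self.by_email = {u.email.lower(): u for u in users}
        self.by_subject = {(p, s): u for u in users for p, s in u.links.items()}

    def resolve(self, profile: dict) -> Tuple[str, Optional[int]]:
        provider, sub = profile["provider"], profile["sub"]

        # 1. A previously linked (provider, sub) pair is the stable identifier;
        #    e-mail addresses can change or be re-registered, subjects do not.
        user = self.by_subject.get((provider, sub))
        if user is not None:
            return ("existing", user.user_id)

        # 2. Fall back to e-mail, normalised, as the linking field.
        email = (profile.get("email") or "").strip().lower()
        user = self.by_email.get(email) if email else None
        if user is None:
            return ("provision", None)        # nobody to link to: create a new account

        # 3. Only auto-link when the provider asserts it verified the address.
        if profile.get("email_verified") is True:
            user.links[provider] = sub
            self.by_subject[(provider, sub)] = user
            return ("linked", user.user_id)

        # Unverified: do not establish a session for the matched account. Have the
        # person sign in with the local credential first, then record the link.
        return ("needs_manual_link", None)


# Constructed sample userbase and provider responses (not real data).
SAMPLE_USERS = [
    LocalUser(1, "alice@example.com"),
    LocalUser(2, "bob@example.com", links={"outlook": "ms-77"}),
]
GOOGLE_ALICE = {"provider": "google", "sub": "g-1001",
                "email": "Alice@Example.com", "email_verified": True}
FACEBOOK_ALICE_UNVERIFIED = {"provider": "facebook", "sub": "fb-5",
                             "email": "alice@example.com", "email_verified": False}
OUTLOOK_BOB = {"provider": "outlook", "sub": "ms-77", "email": "bob@example.com",
               "email_verified": True}
GOOGLE_STRANGER = {"provider": "google", "sub": "g-9", "email": "carol@example.com",
                   "email_verified": True}


if __name__ == "__main__":
    linker = AccountLinker(SAMPLE_USERS)
    for p in (GOOGLE_ALICE, GOOGLE_ALICE, FACEBOOK_ALICE_UNVERIFIED, OUTLOOK_BOB, GOOGLE_STRANGER):
        print(p["provider"], p["sub"], "->", linker.resolve(p))
```

Which profile field carries the verification claim differs per provider (OpenID Connect standardises `email_verified`; other APIs name it differently or omit it), so the normalisation into the dictionary shape above is where provider-specific code belongs.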

Using OpenID Connect to share data

I am an OpenID neophyte, so please correct me if I'm using the wrong terminology, but here's the problem I'm trying to solve:
I have a web site, let's call it "LB" which has a database. I've also created my own OpenID Connect identity server "IDS", and configured LB to use it for logging in. IDS doesn't have its own database, it's using LB's database.
Now, I want to introduce a CMS (like WordPress or Umbraco or whatever) into the mix. I want the CMS to use IDS, so that a single sign-on can be shared between LB and CMS. That seems relatively straightforward to do with a plugin like this one.
So now, suppose there is some bit of data in LB that I want to integrate with the CMS. Maybe while on the CMS site, the user can go to a profile page or something, and I want to show some interesting bits from LB on that profile page. Could be something dynamic that is affected by the user's activity in LB, maybe a HTML snippet, an image, or just some raw JSON to put into a template. Is the UserInfo endpoint what I should be using for this? (E.g. CMS asks IDS for the info) Or should CMS talk directly to LB somehow (and if so, how)?
The question is a bit abstract so I may be off, but if you want to return arbitrary data, then it is probably better to create a new endpoint representing that "protected resource", such as https://LB.example.com/activities. You get an access token with the OpenID Connect login, so you can use that to access this OAuth-protected resource.

Bluemix Single Sign On - remove self registration

I've just integrated my app with IBM's SSO via Cloud Directory. The idea here is that I want access to be very secure and only authorized users (pre-approved) can access the application (e.g. website in this case).
However, I've just realised that anyone who goes to the app's webpage can, instead of logging in, just select "Register New User", fill in some details and be given access? Is there a way to:
1) EITHER keep that registration form, but require one of the admins to approve it before access is given? (better solution)
2) OR completely remove the self-registration option?
The current situation is far from secure for what I need.
Thanks a lot!
I talked with the support team and that is the best (only) way to do it: just remove the links from the HTML templates.

Adobe CQ5: SSO without LDAP?

A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that stores the URL the user arrived at, and then redirect them to that location once they're authenticated (i.e. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide to fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html