Keycloak: Restrict max users in a realm - keycloak

Is there a configuration to restrict the maximum number of users in a realm?
Let's say I want to restrict the maximum number of users in Keycloak to 500. Is this possible?
To elaborate on my need, let's say I have configured LDAP. Now every time an LDAP user logs in to Keycloak, the same user gets created in the Keycloak DB. Now I want to restrict the maximum number of such users to 500. Is there a way?

The only way is to create your own custom Federation Provider; you can use the LDAP provider as a base and rewrite some methods (getUserByEmail, getUserById, getUserByEmail) for your logic implementation.
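One way to build the provider the answer describes, as an added example that is not part of the original answer or of Keycloak itself: a factory that extends Keycloak's built-in LDAP provider factory and wraps the provider so that no new local user is imported once the realm already holds a configured number of users. Instead of touching each lookup method separately, it overrides the single import step that all of those lookups (getUserByUsername, getUserByEmail, ...) funnel into. Assumptions, all chosen for this example: Keycloak 15+ class and method signatures (check them against the version you run), the provider id "capped-ldap", the "maxUsers" component config key, and a default cap of 500.

```java
// Added example, not Keycloak code: an LDAP-based User Storage Provider that
// refuses to import further users once the realm holds "maxUsers" local users.
// Provider id "capped-ldap" and the "maxUsers" config key are hypothetical.
package com.example.keycloak;

import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;

// Register via META-INF/services/org.keycloak.storage.UserStorageProviderFactory
public class CappedLDAPStorageProviderFactory extends LDAPStorageProviderFactory {

    public static final String PROVIDER_ID = "capped-ldap";
    public static final String MAX_USERS_KEY = "maxUsers";
    static final int DEFAULT_MAX_USERS = 500;

    @Override
    public String getId() {
        // Distinct id, so the stock "ldap" provider remains available unchanged.
        return PROVIDER_ID;
    }

    @Override
    public LDAPStorageProvider create(KeycloakSession session, ComponentModel model) {
        // Let the stock factory build the LDAP connection, then wrap it with the cap.
        LDAPStorageProvider base = super.create(session, model);
        return new CappedLDAPStorageProvider(this, session, model, base.getLdapIdentityStore());
    }

    // Reads the cap from the component config; falls back to the default when unset.
    static int maxUsers(ComponentModel model) {
        String configured = model.getConfig().getFirst(MAX_USERS_KEY);
        if (configured == null || configured.isBlank()) {
            return DEFAULT_MAX_USERS;
        }
        return Integer.parseInt(configured.trim());
    }

    public static class CappedLDAPStorageProvider extends LDAPStorageProvider {

        private static final Logger LOG = Logger.getLogger(CappedLDAPStorageProvider.class);
        private final ComponentModel componentModel;

        public CappedLDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session,
                                         ComponentModel model, LDAPIdentityStore ldapIdentityStore) {
            super(factory, session, model, ldapIdentityStore);
            this.componentModel = model;
        }

        // Every lookup that finds a user in LDAP but not yet in Keycloak's database
        // passes through here to create the local copy, so this is the one place
        // where the limit has to be enforced.
        @Override
        public UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser) {
            int limit = maxUsers(componentModel);
            int current = session.users().getUsersCount(realm); // local users already in this realm
            if (current >= limit) {
                LOG.warnf("Realm %s already has %d of %d allowed users; refusing to import LDAP entry %s",
                        realm.getName(), current, limit, ldapUser.getDn());
                return null; // callers treat null as "user not found", so the login fails
            }
            return super.importUserFromLDAP(session, realm, ldapUser);
        }
    }
}
```

Two caveats worth knowing before relying on this: the count and the import are not one atomic step, so concurrent first-time logins can push the realm a few users past the limit, and getUsersCount counts every local user in the realm, not only the ones this provider imported. To make the cap editable in the admin console, the factory also needs to expose the "maxUsers" key from getConfigProperties().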

Related

Keycloak: How to log in to another Keycloak instance's realm without redirecting?

We have two Keycloak instances:
Keycloak-A: publicly available
Keycloak-B: available behind a VPN
Both instances can communicate with each other directly without any restrictions.
Is it possible to log in as a user from Keycloak-B using the login form from the public Keycloak-A? By adding Keycloak-B as an IDP on Keycloak-A the login request gets redirected to Keycloak-B.
Exporting the realm from Keycloak-B to Keycloak-A is not an option.
Is it possible to log in using Keycloak-B users without getting redirected on Keycloak-A?
Keycloak allows you to set up different user storages from which to retrieve user credentials. This is called User Storage Federation. Out of the box Keycloak supports LDAP / Active Directory. If your Keycloak-B already retrieves its user information from some other source like LDAP or AD, it would be easiest to establish a secure connection between Keycloak-A and that other source, too.
If your organisation uses Keycloak-B's H2 database directly to keep all user credentials and for some reason doesn't want to set up LDAP or similar, I only see the possibility of implementing your own custom User Storage SPI for Keycloak-A to retrieve this user data from Keycloak-B.
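A sketch of the custom User Storage SPI the answer ends with, as an added example that is not part of the original answer or of Keycloak: a read-only provider for Keycloak-A that treats Keycloak-B as its user store. Because Keycloak-B's database is not shared, the only way to check a password is to ask Keycloak-B, so the provider sends a Resource Owner Password (direct access grant) request to B's token endpoint over the direct link between the two instances; the user never leaves Keycloak-A's login form. Assumptions, all made up for this example: Keycloak 15+ SPI signatures, a public client in the Keycloak-B realm with "Direct Access Grants" enabled, the provider id "remote-keycloak", and the component config keys "remoteRealmUrl" and "remoteClientId".

```java
// Added example, not Keycloak code: Keycloak-A validates passwords by asking
// Keycloak-B's token endpoint. Provider id and config keys are hypothetical.
package com.example.keycloak;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Register via META-INF/services/org.keycloak.storage.UserStorageProviderFactory
public class RemoteKeycloakStorageProviderFactory
        implements UserStorageProviderFactory<RemoteKeycloakStorageProviderFactory.RemoteProvider> {

    @Override
    public String getId() { return "remote-keycloak"; }

    @Override
    public RemoteProvider create(KeycloakSession session, ComponentModel model) {
        // remoteRealmUrl is Keycloak-B's VPN-side realm URL, e.g. https://keycloak-b.internal/realms/staff
        return new RemoteProvider(session, model,
                model.getConfig().getFirst("remoteRealmUrl"), model.getConfig().getFirst("remoteClientId"));
    }

    public static class RemoteProvider implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {
        private final KeycloakSession session;
        private final ComponentModel model;
        private final URI tokenEndpoint;
        private final String clientId;
        private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();

        RemoteProvider(KeycloakSession session, ComponentModel model, String realmUrl, String clientId) {
            this.session = session;
            this.model = model;
            this.tokenEndpoint = URI.create(realmUrl + "/protocol/openid-connect/token");
            this.clientId = clientId;
        }

        // Without admin access to Keycloak-B we cannot confirm that a username exists
        // before the password arrives, so return an adapter for any non-empty username
        // and let isValid() decide. Nothing is written to Keycloak-A's database.
        @Override
        public UserModel getUserByUsername(RealmModel realm, String username) {
            if (username == null || username.isBlank()) return null;
            return new RemoteUser(session, realm, model, username);
        }

        @Override
        public UserModel getUserById(RealmModel realm, String id) {
            return getUserByUsername(realm, StorageId.externalId(id)); // id is "f:<component-id>:<username>"
        }

        @Override
        public UserModel getUserByEmail(RealmModel realm, String email) {
            return null; // would need Keycloak-B's admin API; out of scope here
        }

        @Override
        public boolean supportsCredentialType(String credentialType) {
            return PasswordCredentialModel.TYPE.equals(credentialType);
        }

        @Override
        public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
            return supportsCredentialType(credentialType);
        }

        @Override
        public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
            if (!supportsCredentialType(input.getType())) return false;
            String form = "grant_type=password&client_id=" + enc(clientId)
                    + "&username=" + enc(user.getUsername()) + "&password=" + enc(input.getChallengeResponse());
            HttpRequest req = HttpRequest.newBuilder(tokenEndpoint)
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(form)).build();
            try {
                // 200 means Keycloak-B issued a token, i.e. the password is correct; 401 is invalid_grant.
                return http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode() == 200;
            } catch (IOException | InterruptedException e) {
                return false; // fail closed when Keycloak-B cannot be reached
            }
        }

        private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

        @Override
        public void close() { }
    }

    // Read-only user object; only the username is known on the Keycloak-A side.
    static class RemoteUser extends AbstractUserAdapter {
        private final String username;
        RemoteUser(KeycloakSession session, RealmModel realm, ComponentModel model, String username) {
            super(session, realm, model);
            this.username = username;
        }
        @Override
        public String getUsername() { return username; }
    }
}
```

Two things to keep in mind with this design: the user's password transits Keycloak-A in clear text before being sent on, so the link to Keycloak-B must be TLS with a verified certificate, and any second factor or required action configured on Keycloak-B will make the direct grant fail, which this provider simply reports as a wrong password.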

Keycloak only for roles

It looks like I got stuck and I need some help solving this authentication/authorization problem.
I have an Okta installation, outside of my control, which supports OIDC but doesn't make it easy to manage roles and also does not support the token exchange flow.
I was hoping to use Keycloak as a sort of sidecar/federated system to store users' roles, but I still need to perform the authentication against Okta, simply because that's the one storing the user credentials and I cannot have direct access to those.
Also, I cannot expose Keycloak to the end users, due to security constraints.
In other words, the client can only reach Okta and must authenticate on Okta, but since I can't store user roles on Okta I wish to use Keycloak for that and have my backend application query Keycloak for user roles, all of that without using the token exchange flow....
Any ideas how I can achieve that, if it is possible at all?
Thank you in advance.

Can I configure Grafana not to need passwords for users, without using anonymous login?

We use Grafana with the built-in authentication. We have multiple users so they can have their own preferences but it would be convenient if they didn't need to set passwords.
I know Grafana supports anonymous login but I want distinct users... who don't need passwords. Is it possible to do this?
Configure Grafana with Auth Proxy to let an HTTP reverse proxy handle authentication. And it is up to you how you create the "authentication" on the proxy - e.g. an initial login screen (without password), which saves the username into a cookie, and then the proxy uses that value for the Grafana user in the request header (only your imagination is your limit; this is only an idea, and the proxy implementation is not in the scope of this question).
But for user convenience, Single Sign-On (SSO) protocols are usually used. Grafana supports OpenID Connect, and the paid version also SAML. That should be used in a serious and secure implementation: one user login, which can then be used in many apps that support SSO.
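The Grafana side of the auth proxy setup the answer describes, as an added example that is not from the original answer or from the Grafana project's documentation: the `[auth.proxy]` section that makes Grafana trust a username header, together with the two settings that keep that trust from becoming a header-injection hole. The proxy address and header names are placeholders for this example.

```ini
; Added example: grafana.ini fragment for password-less logins through a reverse proxy.
; Addresses and header names are placeholders.
[auth.proxy]
enabled = true
; Grafana logs in whoever this header names, so it must only ever be set by the proxy.
header_name = X-WEBAUTH-USER
header_property = username
; Create the Grafana user on first sight, so each person gets their own preferences.
auto_sign_up = true
; Accept the header only from the reverse proxy's address(es). With this left empty,
; anyone who can reach Grafana directly can send the header and log in as any user.
whitelist = 10.0.0.5
; Optional extra attributes the proxy may supply.
headers = Name:X-WEBAUTH-NAME, Email:X-WEBAUTH-EMAIL

[server]
; Bind to localhost so the proxy is the only route into Grafana at all.
http_addr = 127.0.0.1
```

The proxy must overwrite, not forward, any X-WEBAUTH-USER header the client sends; the whitelist and the localhost bind are the backstops for a proxy that forgets to do so.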

use single unique client for multiple realm in keycloak

We are using Keycloak in a multi-tenant micro-services application.
We have planned to use one realm per tenant.
Also there is a single endpoint at which all user requests (from all tenants) are authenticated with the JWT bearer token flow.
Is it possible to create one application client in Keycloak and share it among all realms?
Or do we have to create a client (with the same name) for each realm?
Is it possible to create one application client in Keycloak and share it among all realms?
Out of the box this is not possible: just like users, clients are defined at the realm level and consequently cannot be shared among realms.

Multiple Client Types

I have a web application that I would like to authenticate using MembershipReboot for a subset of users, but internally I would also like to use Active Directory.
What's the best practice of authenticating a single web application with two different authentication models? Any code samples would be great.
For this scenario you'll need a UserService for MembershipReboot. This will mean that when users log in to Identity Server using the local username & password fields they will use MembershipReboot. You can find this UserService here.
To also use Active Directory you need to configure it as an external identity provider. This will then provide users with the option to log in using their AD credentials.
If you want to specify in your requests which provider to log the user into, check out the acr_values parameter of the Authorization endpoint or the IdentityProviderRestrictions property of the Client class.