Keycloak: Single Logout (SLO) - single-sign-on

I am using Keycloak as the OP of a single sign-on (SSO) platform. I have already connected two of my web applications to Keycloak for the single sign-on function to work.
Also, I have already made one app that, when logging out, is redirected to the Keycloak authentication server. But I want my other app to also log out when the first one logs out (SLO function). What configurations do I have to make for my 2nd app to make this happen?
Thank you for your help =)

I managed to make the single logout work; it seems that you just have to set the URL of your web app in the Admin URL (inside the Keycloak command console, under Clients).
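What the Admin URL setting enables is a back-channel notification: Keycloak contacts the client directly when the SSO session ends, and the client has to verify that message and drop the local sessions it created from that SSO session. The following is an added example, not code from the question, the answer or Keycloak's adapters; it implements the receiving side for the standard OIDC Back-Channel Logout token (a mechanism Keycloak also supports), with the signature check reduced to HMAC so it runs offline. The issuer, client id and session values are constructed; Keycloak itself signs with the realm's RSA key, so a real receiver verifies the token with a JOSE library against the realm's JWKS.

```python
"""Back-channel single logout receiver for an OIDC client.

Added example, not from the question or answer above and not Keycloak's own
adapter code. Keycloak delivers logout out of band: with the Admin URL setting
from the answer it POSTs a signed logout message to the client, and with
standard OIDC Back-Channel Logout it POSTs a signed `logout_token` JWT. Either
way the client must verify the signature, validate the claims and destroy every
local session created from the IdP session being ended. Keycloak signs with the
realm's RSA key (RS256); the HMAC signer below only keeps the demo offline.
"""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims, secret):
    """Demo-only signer standing in for Keycloak's RS256 signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token, secret):
    """Accept only our algorithm and a valid MAC; the header's alg is never trusted blindly."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def validate_logout_token(claims, issuer, client_id, now=None, max_age=120):
    """The checks OIDC Back-Channel Logout 1.0 (section 2.6) requires on the decoded claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("iat missing or stale")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("not a back-channel logout token")
    if "nonce" in claims:
        raise ValueError("logout tokens must not carry a nonce")
    if not claims.get("sid") and not claims.get("sub"):
        raise ValueError("neither sid nor sub present")
    return claims


def logout_targets(sessions, claims):
    """Local session ids tied to the IdP session (sid), or to the whole user when only sub is given."""
    field, value = ("sid", claims["sid"]) if claims.get("sid") else ("sub", claims["sub"])
    return [local_id for local_id, s in sessions.items() if s.get(field) == value]


def handle_backchannel_logout(sessions, token, secret, issuer, client_id, now=None):
    """Verify, validate, then drop every matching local session. Returns how many were ended.

    `sessions` maps local session id -> {"sub": ..., "sid": ...}, recorded at login
    from the ID token so the IdP session can be traced back later.
    """
    claims = validate_logout_token(verify_hs256_jwt(token, secret), issuer, client_id, now)
    targets = logout_targets(sessions, claims)
    for local_id in targets:
        del sessions[local_id]
    return len(targets)
```

The part that makes single logout actually work is the bookkeeping at login time: each local session must remember the `sid` (and `sub`) from the ID token, otherwise there is nothing to match the notification against. A production receiver should additionally keep a short-lived set of seen `jti` values so a captured logout token cannot be replayed.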

Related

Unique login for multiple clients in KeyCloak

In Keycloak, is it possible to have only one login for all the clients in the same realm? I have configured the server (from the admin console) in this way:
- create a new realm (let's call it MyRealm);
- create two different clients (Client1 and Client2);
- create a user (Alice).
I have tested the two clients individually, and they work fine (the default Keycloak login page appears and if I provide the credentials the browser redirects me correctly); the problem is that when I am logged in in Client1, and go (from the same browser) to Client2, the login page re-appears. Is it possible to configure the server in a way that I have to log in only with one client, and then I am authenticated also in all the other clients of the realm? Thanks.
I solved this problem by configuring only one client (named UniqueClient) from the Keycloak admin console; then I modified the two Java applications (Client1 and Client2) and now all of them are pointing to UniqueClient (in their keycloak.json there is 'clientId': 'UniqueClient'): in this way when I start one of them the Keycloak login page appears, and if I log in, I'm logged in also for the other application (until the session expires).
You can achieve this by using https://github.com/IdentityModel/oidc-client-js/wiki so that you will be logged in to several clients at the same time on the same realm.

How to use Hashicorp Vault like login to web site

I need advice about how I can use Vault login for the web. I have set up a Debian 8 server. On that server runs a web page (hashi-ui) for managing Nomad and Consul. The web page works and I can access it. But there is no login, so everyone can access this web page. So I need to set up login and authentication of users. I want to use Vault, which runs on the server too. I need a result like this: if I access the web page via a web browser, then after entering the URL the web browser pops up a login form (like when you call some REST service that needs to authenticate the user, and the web browser pops up the default login form). I enabled the user-pass method in Vault. I set a username and password, but now I do not know how to set this up for this web page.
How can I set this user-pass method to authenticate users and then give access to the web page?
Thank you for any advice.
It's an unusual use case; I don't believe you can use Vault directly for it.
Perhaps with PGP, you could use a web interface to keep exchanging encrypted messages with an agent that can proxy your authentication, read, and write requests somehow to Vault and transmit them back for you, preferably encrypted. Doing sealing and unsealing like this might be tricky; you might risk getting yourself locked out from sealing if the proxy agent is unreachable or refuses your requests.
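The answer's point is that Vault provides no browser login page of its own, so something in front of the web UI has to do the authenticating. One concrete shape for that "proxy agent" is an HTTP Basic auth layer that checks every credential pair against Vault's userpass login endpoint, which gives exactly the browser pop-up the question asks for. The following is an added example, not from the question, the answer or HashiCorp: a WSGI middleware around a stand-in for hashi-ui. The Vault address, the realm name and the offline fake Vault are assumptions; the endpoint `POST /v1/auth/userpass/login/<username>` and its `auth.client_token` response field are Vault's documented userpass API.

```python
"""Browser login for a web UI, checked against Vault's userpass auth method.

Added example: not from the question, the answer, or HashiCorp. Vault has no
browser login of its own, so something in front of hashi-ui has to act as the
proxy the answer alludes to. This WSGI middleware makes the browser pop up its
default login form (401 + WWW-Authenticate: Basic) and checks each credential
pair with `POST /v1/auth/userpass/login/<username>`, which answers 200 with
`auth.client_token` on success. VAULT_ADDR and the offline fake are assumptions.
"""
import base64
import json
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed address
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # the name becomes a URL path segment


def post_json(url, payload):
    """Real transport, returns (status, body); Vault rejects bad logins with a 4xx."""
    req = Request(url, data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def vault_userpass_login(username, password, post=post_json):
    """Return a Vault client token when the credentials are valid, else None."""
    if not USERNAME_RE.match(username) or not password:
        return None  # also blocks "../" style names from rewriting the request path
    status, body = post(f"{VAULT_ADDR}/v1/auth/userpass/login/{username}", {"password": password})
    if status != 200:
        return None
    try:
        return json.loads(body)["auth"]["client_token"] or None
    except (ValueError, KeyError, TypeError):
        return None


def parse_basic_auth(header):
    """Decode `Authorization: Basic ...` into (user, password), or None if unusable."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class VaultBasicAuth:
    """WSGI middleware: a request reaches the app only with credentials Vault accepts."""

    def __init__(self, app, post=post_json, realm="hashi-ui"):
        self.app, self.post, self.realm = app, post, realm

    def __call__(self, environ, start_response):
        creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        token = vault_userpass_login(creds[0], creds[1], self.post) if creds else None
        if token is None:
            start_response("401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{self.realm}"'),
                                                ("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["vault.token"] = token  # available to the app for Vault-backed actions
        return self.app(environ, start_response)


def fake_vault_post(url, payload):
    """Constructed stand-in for Vault so the demo runs offline; one known user."""
    if url.rsplit("/", 1)[-1] == "alice" and payload.get("password") == "correct horse":
        return 200, json.dumps({"auth": {"client_token": "hvs.demo-token"}})
    return 400, json.dumps({"errors": ["invalid username or password"]})


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def call(app, authorization=None):
    """Drive the WSGI app once and return (status line, body)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    body = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], body


def protected_ui(environ, start_response):
    """Stands in for hashi-ui behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hashi-ui\n"]
```

Two caveats for real use: Basic auth resends the password on every request and every request performs a Vault login that mints a token, so the proxy should sit behind TLS, hand out a session cookie after the first success and revoke tokens it no longer needs; and the userpass users it accepts should be bound to a minimal Vault policy, since the token ends up in the request environment.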

How to enable single application logout in CAS?

I have configured CAS (v4.0.0) on Apache Tomcat and have multiple clients based on Java, Python and PHP.
What I want to achieve is that when I log out from any one application and get redirected to cas/logout, I want a popup to be opened with all the applications that particular user is logged in with, asking whether you want to log out from every application or not.
I am following the official documentation
http://jasig.github.io/cas/4.2.x/installation/Logout-Single-Signout.html
and found out about Single Logout Per Service, which allows me to control single logout behaviour individually: I can control whether to allow a particular service to use Back Channel or Front Channel, or turn it off for that application. But what I want to achieve is this -
1. Logging out all applications both from CAS and from the browser dynamically on button click
2. Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on the CAS server and in the browser too.
3. Configuration to be changed in PHP and Python clients to handle the logout callback from the CAS server.
Any help would be highly appreciated.
Logging out all applications both from CAS and from browser dynamically on button click
Invoke /cas/logout. If SLO is turned on, all applications will receive a notification to log out. CAS will log out as well.
Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on CAS server and on browser too.
Well, you go to your application and you log out from the application. Why do you want to involve CAS? CAS is not responsible for maintaining your app and how it works. /app/logout should do the job.
Configuration to be changed in PHP and Python clients to handle the logout callback from CAS server.
You'll need to figure out if your clients support CAS SLO. If they do, they will process the SLO notification and kill the app session.

Login Prompt when accessing new mobile service from browser

I am just learning Mobile Services. I've created a simple one which works fine locally. I published the mobile service to my Azure account. I then tried to access a method on it from the browser and I get a login dialog. I figured out that I need to provide the application key generated by Azure as the password. Once I do this, it executes correctly. However, is there a way I can execute a method without providing a key? In other words, what if I wanted to expose one or more methods to everyone, without any authentication? How would I do this?
Yes, there is a way. There are four authentication levels in Windows Azure Mobile Services:
- scripts and admins
- authenticated users
- users with application key
- everyone
By default, the authentication level is set to "users with application key".
Depending on the backend you use, you either have to set the auth level to "everyone" in the Management Portal in the data tab (JavaScript) or as a method attribute in your Controller class (.NET).

Jasig CAS Single Sign Out - Logout

I'm currently running tests with the CAS server 3.5.2 and I'm facing problems with the logout. My knowledge in these topics is limited and I don't manage to go further on that point.

I installed a CAS server and I've got 2 instances of the same Java application that point to that CAS server (apologies if I don't use the adequate terms).

So, when I access the protected resources of my client application, I'm redirected to the CAS login page, I check in my DB if the credentials are ok and then I access the resource. Then, if I access the same protected resource from the second instance of the client application I'm not redirected to the login page. That's perfect.

The problem is situated in the logout. To do so, I first execute a session.invalidate() and access the CAS logout page. It's ok because, from the application from which I logged out, I must log in again to access the protected resources. On the other side, the second application remains connected and I can access the protected resources without logging in again.

Well, I know that the session.invalidate() is local to the first application, but I thought that the CAS server would have "broadcasted" the disconnection to the other application, but no.

Is there somebody who can give me experience feedback on the single sign out topic?
First make sure that SSO is enabled in the CAS properties file; if not, make sure the SSO Listener is enabled in the clients.
If they are enabled then my guess would be that the issue is in either the LogoutManagerImpl.java or SamlCompliantLogoutMessageCreator.java files.
The SSO in CAS is performed through the back-channel by transmitting a SAML XML message.
I had an issue with the SSO function last year, only to find out that the XML message being broadcast had an error that prevented it from being parsed.
Finally I solved it...
In web.xml, the order of filters is important. Filters for single sign out must be placed at the beginning.
See this section: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters
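Both CAS threads above come down to the same client-side mechanism: with single logout enabled, the CAS server POSTs a SAML LogoutRequest to each service, and the client must map the SessionIndex in it (the service ticket that created the session) back to a local session and destroy that session. The Java client ships this as SingleSignOutFilter, which is why its position in web.xml matters: if the authentication filter runs first, the server's unauthenticated POST is redirected to the login page instead of being processed. For the PHP and Python clients asked about in the earlier thread the handler has to be written by hand. The following is an added example, not code from either thread or from the CAS project; the sample logout request is constructed to the shape the CAS SLO documentation describes, and the registry and session ids are assumptions.

```python
"""CAS back-channel single logout callback for a non-Java client.

Added example, not from either CAS thread above or from the CAS project.
With SLO enabled, the CAS server POSTs to each service a form field
`logoutRequest` holding a SAML LogoutRequest whose SessionIndex is the
service ticket (ST-...) that created the local session. A PHP or Python
client therefore has to remember which local session each validated ST
produced and destroy that session when the callback arrives. The HTTP
framework is left out: `handle_cas_logout_callback` takes the raw form body.
The sample request below is constructed, not captured from a CAS server.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class CasSessionRegistry:
    """Maps validated service tickets to the local sessions they created."""

    def __init__(self):
        self.ticket_to_session = {}  # "ST-..." -> local session id
        self.sessions = {}           # local session id -> username

    def on_ticket_validated(self, ticket, local_session_id, username):
        """Call right after /serviceValidate succeeds for `ticket`."""
        self.ticket_to_session[ticket] = local_session_id
        self.sessions[local_session_id] = username

    def pop_session_for_ticket(self, ticket):
        return self.ticket_to_session.pop(ticket, None)

    def destroy(self, local_session_id):
        return self.sessions.pop(local_session_id, None) is not None


def extract_session_index(logout_request_xml):
    """Pull the SessionIndex out of a SAML LogoutRequest; reject anything else."""
    # The callback URL is reachable by anyone who can POST to it, so the XML is
    # untrusted input: ElementTree resolves no external entities, but for
    # production consider defusedxml and restrict the caller to the CAS host.
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest without SessionIndex")
    return index.text.strip()


def handle_cas_logout_callback(registry, form_body):
    """Return True if a local session was destroyed for this logoutRequest."""
    params = parse_qs(form_body)
    if "logoutRequest" not in params:
        return False  # an ordinary request, not an SLO notification
    ticket = extract_session_index(params["logoutRequest"][0])
    local_id = registry.pop_session_for_ticket(ticket)
    if local_id is None:
        return False  # unknown or already logged-out ticket: nothing to do
    return registry.destroy(local_id)


# Constructed sample of what CAS posts (shape per the CAS SLO documentation).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>ST-42-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
SAMPLE_FORM_BODY = urlencode({"logoutRequest": SAMPLE_LOGOUT_REQUEST})


def demo():
    """Login creates a session from ST-42; the CAS callback then removes it."""
    registry = CasSessionRegistry()
    registry.on_ticket_validated("ST-42-constructed", "sess-a", "alice")
    first = handle_cas_logout_callback(registry, SAMPLE_FORM_BODY)
    second = handle_cas_logout_callback(registry, SAMPLE_FORM_BODY)
    return first, second, sorted(registry.sessions)
```

The route that receives this POST must be excluded from the client's own login redirect (the ordering point in the last answer), and because anyone able to reach it can end a user's session by guessing a ticket, it is worth accepting the callback only from the CAS server's address and keeping the ticket-to-session map short-lived. Front-channel logout (a redirect carrying a deflated, base64-encoded request) is a separate variant not handled here.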