Restrict keycloak OIDC login with google to a specific hosted domain - jwt

I have added an identity provider with OpenID Connect V1.0 and used Google endpoints. I have provided the option ?hd=X.com (https://accounts.google.com/o/oauth2/v2/auth?hd=X.com) to restrict the login, but as per the Google doc, it says hd is an optional parameter. How can I validate the token received from Google after login, from the Keycloak perspective, and restrict login?

For anyone still curious about this answer, as of KC 11.0.0 the Keycloak server is explicit that it will validate that the response from Google matches the hd parameter you set in Keycloak, as seen here:
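The point behind that answer is worth seeing in code: the hd query parameter only pre-selects accounts in Google's sign-in page, so the relying party has to check the hd claim inside the ID token it actually receives. The following is an added example, not code from the question, the answer or Keycloak itself. To run offline it signs a constructed token with HS256 and a constructed secret (DEMO_SECRET); real Google ID tokens are RS256-signed and are verified against Google's published JWKS before any claim is inspected. The client id "demo-client" and the domain "x.com" from the question are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. It stands in for Google's signing keys so the example
# runs offline: real Google ID tokens are RS256-signed and must be verified against
# Google's published JWKS (which Keycloak's OIDC broker does before it looks at claims).
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims):
    """Build an HS256-signed JWT carrying `claims` (test fixture, not a Google token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def replace_payload_keep_signature(token, new_claims):
    """Swap the payload but keep the old signature: models a tampered token."""
    header, _payload, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(new_claims).encode())}.{sig}"


def verify_hosted_domain(token, client_id, allowed_hd, now=None):
    """Verify signature, iss, aud and exp, then require the hd claim to equal allowed_hd.
    Returns the claims on success and raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    # The hd *query parameter* only pre-selects accounts in Google's sign-in UI; the
    # hd *claim* in the ID token is the authoritative statement of the Workspace
    # domain. Consumer @gmail.com accounts carry no hd claim at all, so a missing
    # claim is rejected just like a foreign domain.
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != allowed_hd.lower():
        raise ValueError(f"account is not in hosted domain {allowed_hd}")
    return claims


def is_accepted(token, client_id, allowed_hd, now=None):
    """Boolean wrapper around verify_hosted_domain for the demo below."""
    try:
        verify_hosted_domain(token, client_id, allowed_hd, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": "https://accounts.google.com", "aud": "demo-client",
            "exp": now + 3600, "sub": "1", "email_verified": True}
    cases = {
        "workspace user of x.com": make_demo_token({**base, "email": "alice@x.com", "hd": "x.com"}),
        "gmail user (no hd claim)": make_demo_token({**base, "email": "bob@gmail.com"}),
        "workspace user of other.com": make_demo_token({**base, "email": "eve@other.com", "hd": "other.com"}),
    }
    cases["other.com token with hd rewritten"] = replace_payload_keep_signature(
        cases["workspace user of other.com"], {**base, "email": "eve@other.com", "hd": "x.com"})
    for name, tok in cases.items():
        print(f"{name:38s} accepted={is_accepted(tok, 'demo-client', 'x.com', now)}")
```

Running the script prints four cases: only the x.com token is accepted; the gmail token (no hd claim), the other.com token and the token whose hd was rewritten after signing are all rejected. The same ordering matters in any relying party: signature, issuer, audience and expiry first, then the hosted-domain check, since a domain claim in an unverified token proves nothing.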

Related

Google Workspace as a service provider does not send signed requests

I am trying to setup SSO with third party IDPs in Google Workspace admin console.
I am using SAP IAS as an IDP.
It works with the default configuration.
But if I mark the "SAML requests to IDP must be signed" option in SAP IAS, then it fails, saying "SAML requests are not signed".
It seems Google as a service provider does not sign the requests? Is that a correct understanding, or is there a way to enable signing of SAML requests in the Google Workspace admin console?
Best Regards,
Saurav
When you use Google Workspace as Service Provider with a third-party IdP, requests are not signed by default, and I am afraid that setting is not available on Google's side at the moment.
I assume that by signing both the request and the response of your SSO flow you are looking to grant extra security to this process; however, if you really need to use Google services and the authentication is successful without the setting, I would recommend skipping this for now.
Neither in the documentation nor in the Google Admin console section for third-party IdP SSO would you find it; the setting is simply not there:
Google as Service Provider setup
I hope this information helps!

Only display login form if user is not connected on identity provider

I’m new to the Keycloak world and I need some help to configure my login flow.
I’ve configured Keycloak to allow people to log in with their ADFS account or with an LDAP account.
ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak where they see a login form and a button to login through ADFS.
This works perfectly, but we would like people not to see that screen if they are already logged in on ADFS, and only see the login form if they’re not connected to ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username/password form. In this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak.
Do you know how we can configure Keycloak to implement that flow?
I’m using Keycloak 11.0.0-alfresco-001 (Keycloak 11 packaged by Alfresco as alfresco-identity-service) with a custom theme. The code is available on Alfresco’s GitHub.
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, it’s possible to configure Keycloak to implement the desired flow as a brokered IdP in the following way:
While configuring ADFS in Keycloak and importing its federation metadata file, check the settings and enable the ‘Validate Signature’ option for the authentication requests to be sent to ADFS; also enable the ‘Want AuthnRequests signed’ option. Afterwards, set the signature key name field to CERT_SUBJECT, as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in Keycloak for transforming the details from the SAML assertion into the Keycloak user store.
After that, check the descriptor URI, which needs to be set by adding ‘/descriptor’ to the ADFS redirect URI in this field. The URI will be like ‘https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor’.
Also, please ensure that the signing certificate for Keycloak in the ADFS claims provider is not self-signed, is issued by a trusted third-party CA, and is installed in the server’s local system certificate store.
Disable the certificate revocation check for the certificate installed on the ADFS server and ensure the ‘Backchannel Logout’ option is checked in Keycloak.
• Once the above settings are checked thoroughly, the default login redirection page should be displayed, and the user should be able to select the IdP from the login page accordingly.
Please find the links below for more information:
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction

Access OpenId-Connect IDP via Keycloak with additional Basic Auth

We are currently evaluating the possibilities of Keycloak since we need to replace a custom SSO solution. This requires us to connect to external IdPs to which we are already connected.
Currently I am investigating an OpenID Connect provider which authenticates clients via POST using client_id and client_secret as parameters. Additionally, its API is secured with basic authentication via the Authorization header. Whilst the first part is no problem, I have not found a solution to overcome the additional basic authentication with the available default configurations (using a user-defined OpenID Connect V1.0 provider). Vice versa, I can overcome the basic authentication, but then I will miss the client_id and client_secret parameters, which results in an error from the IdP not returning an access token.
Is there a way to resolve this issue? If not via default options, is there an option to add custom IdPs which can be configured in the backend? I saw the SPIs in the developer documentation (https://www.keycloak.org/docs/latest/server_development/#_providers) but I am not sure if one of those suits our needs.

What is GitHub /.well-known/openid-configuration URL?

I am trying to find it in the developer doc but no luck:
https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/
Does GitHub expose a discovery endpoint for openid?
It appears GitHub only supports OAuth and not OpenID Connect.
This implies that OAuth clients are only delegated access to resources which belong to another.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under WebSphere Liberty on IBM Bluemix. I need to be able to authenticate users in 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one who needs to do this. Can anyone tell me how they did it?