Bluemix SSO only recognizing one provider - single-sign-on

I have tested and used Bluemix SSO with a Liberty runtime on Bluemix successfully with the G+ login provider. Now I added LinkedIn and Cloud Directory providers as well.
However, when I try to login, it still always redirects me to the G+ login. When I disable G+ in the SSO service, it tells me "FBTIAS030E No login methods are configured.", even though the other two are enabled in the SSO config (and verified in case of LinkedIn).
I have restarted the runtime, and even re-staged it, to no avail.
Any ideas?

Did you customize the login.html page? If you did, you can get the default template back by using the reset button at the Custom Design page. The default template displays the list of Identity Providers that you set up.

Sorry for the late reply, but I found the problem. The nice big switches in front of each provider (in the dashboard for the SSO service) were doing nothing in terms of switching providers on or off. You need to go to the "integrate" tab where the real switches are to enable the other providers.

Google not showing prompt to select Google account

We have a web application with Keycloak as identity broker and a Google SAML app as IdP for a Google-managed Workspace for a domain, say mycompany.com. The integration works fine except for the case described below.
If the user is logged in with only one non-SAML-app Google account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with my mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer; it has ForceAuthn="true", but the account chooser page still does not show up.
I went through a couple of Stack Overflow threads. A few provided a solution using the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community to help suggest a clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser, as it always takes that one to complete the sign-in process automatically.
There is no official way or setting from Google to do this; however, the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings so that it forces the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]s&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL, and you need to get them from the Google apps menu next to your profile picture: hover over the SAML app that you want to change, right-click on it, then copy the link address, which will show the idpid and spid values.
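The URL pattern in the answer above nests the initsso query string inside AccountChooser's `continue` parameter. As an added example (not from the answer), this Python builds that start URL with the inner URL percent-encoded, so `spid` and `forceauthn` stay attached to initsso instead of being read as top-level AccountChooser parameters; the idpid and spid values are constructed placeholders.

```python
"""Build the Google AccountChooser start URL described in the answer above.

Added example, not from the original post. The idpid/spid values used in
tests are constructed placeholders; real ones come from the SAML app's link
in the Google apps menu, as the answer describes.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT_CHOOSER = "https://accounts.google.com/AccountChooser"
INIT_SSO = "https://accounts.google.com/o/saml2/initsso"


def build_initsso_url(idpid: str, spid: str, forceauthn: bool = False) -> str:
    """Inner SP-initiated SSO URL: initsso?idpid=...&spid=...&forceauthn=..."""
    query = urlencode({
        "idpid": idpid,
        "spid": spid,
        # The answer's URL uses forceauthn=false; kept as the default here.
        "forceauthn": "true" if forceauthn else "false",
    })
    return f"{INIT_SSO}?{query}"


def build_start_url(idpid: str, spid: str, forceauthn: bool = False) -> str:
    """Wrap the initsso URL in AccountChooser so the user picks an account first.

    urlencode percent-encodes the whole inner URL: its '&' separators become
    %26 and its '=' become %3D, so they travel inside `continue` rather than
    being split off as AccountChooser's own parameters.
    """
    inner = build_initsso_url(idpid, spid, forceauthn)
    return f"{ACCOUNT_CHOOSER}?{urlencode({'continue': inner})}"


def continue_target(start_url: str) -> dict:
    """Parse a start URL back and return the inner initsso query parameters.

    Raises if anything other than `continue` ended up in the outer query,
    which is exactly what happens when the inner URL is pasted unencoded.
    """
    outer = parse_qs(urlsplit(start_url).query)
    if set(outer) != {"continue"}:
        raise ValueError(f"parameters leaked to AccountChooser: {sorted(outer)}")
    inner = urlsplit(outer["continue"][0])
    return {k: v[0] for k, v in parse_qs(inner.query).items()}
```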

Keycloak redirect flashing screen when switching between multiple frontend apps under one domain and using Okta as IdP

Background:
I have 3 micro-frontend React apps, one for each tab of my menu bar, so every time I click on a different menu the corresponding micro UI app is loaded.
For authentication I'm trying to use Keycloak. I use the Keycloak JS adapter, created it in a shared library and use it across the 3 apps I have. Everything works fine until now.
Problem:
The next thing I did is add Okta as IdP in the Keycloak admin server. As soon as I did that, when I switch between tabs it flashes the Okta redirect screen. This happens because when I switch tab I load a different micro UI app, which initializes Keycloak behind the scenes -> calls Okta for verification (which is the redirect flash) -> the page loads. Now this redirect flash doesn't look good when switching tabs in the same website, which is what I am trying to solve.
What I've tried:
To get rid of this Okta redirect flashing, I store the token in browser local storage as soon as I log in for the very first time; then when I click on a different menu, which loads another micro UI app, I check my local storage to see if there is a token. If yes -> don't initialize KC. If no -> initialize KC (meaning logging in for the very first time). The problem with this approach is that my token never gets updated, because I'm using the KeycloakJS callback method to update my token, but since I didn't initialize KC after I switched to the new menu (corresponding app), the callback methods don't work.
After my first login, when I switch tab I tried to do "check-sso" with silent login and still see the Okta redirect.
So if I initialize KC every time I switch tab (i.e. every time I call a new app) everything works fine, but I don't like the redirect. If I don't initialize KC when I change tabs -> the token doesn't get updated. I thought of merging all my micro-frontend apps; this will probably solve the problem but will break the reason I created micro-frontend apps.
I am new to using KC, so any pointers will be appreciated.
The configuration from the guide that you have provided enforces a redirect to Okta for every login via Keycloak. I do not think that there is any reason to do so. Try to add a cookie authenticator as an alternative in front of the identity provider redirect. That should skip the redirect to Okta once a session with Keycloak has been established.
Edit:
If for any reasons you need to enforce that redirect to Okta (besides for the initial login), you may want to try to change the SAML binding to a redirect binding instead of a POST binding.

Single login for multiple clients in same realm?

I watched the recent YouTube video intro to Keycloak and have been following along with the examples used here: https://github.com/stianst/keycloak-containers-demo
I have it all working fine, and I am trying to test what this might look like with more applications. So I have added an additional Jenkins app to the mix and configured it to use the OIDC plugin for authentication. Was easy and works great. So now I have one realm with two clients, jenkins and the js-console. I am seeing some unexpected behaviors and wondering if I am doing something wrong or just have a fundamental misunderstanding about what Keycloak can provide.
I am not getting SSO. If I access the js-console app and log in and then open the URL for Jenkins, I am redirected to Keycloak and have to log in again. I was expecting SSO to happen here. Doesn't Keycloak set a cookie or something so that I would be logged in to the second app? Thinking out loud... could the fact that I am not using SSL be the issue? Maybe the cookie is marked as secure?
I went ahead and added GitHub login like in the demo. From what I can tell this will only work with one client. Both my clients get the same login screen, so both have the login with GitHub option available, but the redirect URLs can only be configured for one of the clients. Is there a solution for this so that you could have many clients sharing the same realm and allow login via social login?
I would like to eventually test a SAML provider like Okta and am wondering if I will run into the same problem with that as I did with GitHub.

How to implement OpenAM SSO in my existing web applications

I'm trying to implement SSO in my existing web applications using OpenAM, referring to the following link:
http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity_21.html
PS: my web applications already have their own login page.
Now what I got after the implementation is that my web applications are protected by the OpenAM login page, and I still need to log in again to my application.
What I need is to skip the login page of my application, so that it becomes single sign-on.
So, can anyone tell me what tasks I have left to do?
Do I need to revise the login page of my application?
Do I need any database or datastore to keep user login information?
Now that an OpenAM agent is in place on top of your app, your web app can work under the assumption that there is already a valid logged-in user - you need to remove the login page from your web app.
To get the current user details just alter your OpenAM agent config to set HTTP headers with relevant fields like username, full name, etc. Then instead of a web app login page you just check HTTP headers (should be safe from spoofing as long as the only route into your web app is coming through the OpenAM agent).
Another way is to grab the OpenAM cookie and use it to make REST calls directly to the server. Makes things a little more fragile though because you now need to maintain additional config.
You don't necessarily need any additional user tables / datastores for your web app, only if you need to map their login name to whatever it is your web app is doing (saving preferences, etc.), in which case you need to check that the username you've been given already exists inside your app. If not, then add it.
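The two points in this answer, trusting the agent-set identity headers only because the agent is the sole route into the app, and mapping that login onto a local user record on first sight, as an added example in Python (not the answerer's code). The agent network, the `x-openam-uid`/`x-openam-cn` header names and the user store are constructed for the illustration; real header names are whatever the agent profile's attribute mapping sets.

```python
"""Resolve the signed-in user from the identity headers an OpenAM policy agent
injects, trusting them only when the request actually arrived via the agent.

Added example, not from the original answer. The agent network, header names
and user store are constructed for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: the agent/reverse-proxy network that is the only route into the app.
TRUSTED_AGENT_NETS = [ip_network("10.0.0.0/24")]
# Constructed: header names chosen in the agent's profile-attribute mapping.
USERNAME_HEADER = "x-openam-uid"
FULLNAME_HEADER = "x-openam-cn"


class Untrusted(Exception):
    """The identity headers cannot be trusted, or no identity was forwarded."""


@dataclass
class UserStore:
    """Minimal local table, needed only to tie the SSO login to app-side data."""
    users: dict = field(default_factory=dict)

    def get_or_create(self, username: str, full_name: str) -> dict:
        # Auto-provision on first sight, as the answer suggests.
        return self.users.setdefault(
            username, {"name": username, "full_name": full_name, "prefs": {}})


def from_agent(peer_ip: str) -> bool:
    """True when the TCP peer (not X-Forwarded-For) is the OpenAM agent."""
    return any(ip_address(peer_ip) in net for net in TRUSTED_AGENT_NETS)


def resolve_user(headers: dict, peer_ip: str, store: UserStore) -> dict:
    """Return the app-side user record for a request, or raise Untrusted."""
    # 1. The headers only mean something if the agent set them: a client that
    #    reaches the app directly could put any value into x-openam-*.
    if not from_agent(peer_ip):
        raise Untrusted(f"request from {peer_ip} did not come through the agent")
    lowered = {k.lower(): v for k, v in headers.items()}
    username = lowered.get(USERNAME_HEADER, "").strip()
    if not username:
        raise Untrusted("agent forwarded no username header")
    # 2. Map the SSO identity onto the app's own user table, creating it if new.
    return store.get_or_create(username, lowered.get(FULLNAME_HEADER, username))
```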
We were able to implement single sign-on with OpenAM for a JSF web application using the Spring SAML extension and OpenAM.
Instead of an agent we used the Fedlet; that way we can port to any application server.
Please see my articles on generic info related to OpenAM concepts:
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate a JSF 2 web application with OpenAM using the Spring SAML extension and Spring Security:
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
-Ram

Intuit Anywhere Development versus Production Authentication/Authorization

I am successfully using OpenID and OAuth in development mode. Once I am ready to move to Production will the process change in a way that the authentication/authorization process will not require manual intervention? Today I click on the "signin" button to authenticate using OpenID. I then click on the "Authorize Quickbooks" button to authorize using OAuth. During these two processes I am redirected to Intuit where I click on buttons to allow authentication/authorization. Will I be able to achieve this process through code? I am working on a SaaS application and need to authenticate/authorize in code because the manual steps will not work with the application I am working on.
Your app should work the same way in development as in production.
Make sure you have gone through the requirements checklist - http://docs.developer.intuit.com/0025_Intuit_Anywhere/0010_Getting_Started/0040_Publishing_Your_App/0010_Reviewing_the_Requirements_Checklist
There are different requirements if you are just doing the Connect to QuickBooks flow or you are also wanting to be listed on Appcenter.
Do the free trial on a couple of the apps in the app center to see what they are doing. I tried out eBillity, their app picks up OpenID and OAuth without user interaction during the subscription process.
Based on that, yes, I think you can achieve it all in code. Personally I have not been able to get the OAuth tokens without user intervention.
Update: Use this JS method to do the OAuth authorization during the subscription process:
http://docs.developer.intuit.com/0025_Intuit_Anywhere/0060_Reference/JavaScript_Functions/directConnectToIntuit