Can we add custom user attributes to Cloud Directory identity source of Bluemix SSO Service? - single-sign-on

I am using Bluemix SSO service for user authentication and configured the Cloud Directory identity source as my identity provider. The SSO implementation is working perfectly fine for the Bluemix applications.
However, I have a need to add a few custom user attributes and retrieve them as part of the user profile details once the authentication is successful. The Cloud Directory identity source only supports name & email as the user attributes and doesn't provide any feature to add additional custom attributes.
Is it possible to add any custom user attributes to Cloud Directory identity source? If not, what is the best way to configure the custom user attributes when using Bluemix SSO service?

It is not possible to add additional custom attributes using the Cloud Directory of Bluemix SSO (example: roles). There is no best way to configure the custom user attributes, but you could develop your own login system. For example, if you are using the Bluemix Node.js runtime you could use the passport module and store all user information in a specific table of your DB. In this way you can manage the login and other custom fields. An alternative is to use SSO Cloud Directory, retrieve the username information from the SSO service in the session and use it as a key to retrieve other DB fields (roles, numbers, address).
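The second approach in the answer (authenticate with the SSO service, then use the identity it returns as the key into your own table of roles and other attributes), as an added example that is not part of the original answer and not Bluemix or passport code. It assumes a hypothetical session layout in which the passport callback has already stored the verified profile as `req.session.ssoUser`; the in-memory `attributeStore` is a constructed stand-in for the DB table the answer mentions.

```javascript
// Added example: authentication stays with the Bluemix SSO service, while
// authorization attributes (roles, phone, ...) live in your own store and
// are looked up by the identity the SSO service verified.
//
// Assumptions (hypothetical, not from the page):
//   - after login, the passport/SSO callback put the verified profile
//     ({ email, name }) into req.session.ssoUser
//   - attributeStore stands in for a DB table keyed by the asserted e-mail

const attributeStore = new Map([
  // constructed sample rows
  ["alice@example.com", { roles: ["admin", "editor"], phone: "+1-555-0100" }],
  ["bob@example.com",   { roles: ["viewer"],          phone: "+1-555-0101" }],
]);

// Merge the SSO profile with locally stored attributes. The lookup key is the
// e-mail the SSO service asserted, never a value taken from the request body,
// so a client cannot choose whose roles it gets.
function enrichProfile(ssoProfile) {
  if (!ssoProfile || typeof ssoProfile.email !== "string") {
    throw new Error("no verified SSO profile in session");
  }
  const key = ssoProfile.email.trim().toLowerCase();
  // default-deny: an identity with no row gets no roles
  const extra = attributeStore.get(key) || { roles: [] };
  return { email: key, name: ssoProfile.name, ...extra };
}

// Express-style middleware factory: the route runs only if the enriched
// profile carries the required role. Works with any (req, res, next) shape.
function requireRole(role) {
  return function (req, res, next) {
    let user;
    try {
      user = enrichProfile(req.session && req.session.ssoUser);
    } catch (e) {
      res.statusCode = 401;
      return res.end("login required");
    }
    if (!user.roles.includes(role)) {
      res.statusCode = 403;
      return res.end("forbidden");
    }
    req.user = user; // hand the full profile (SSO fields + DB fields) to the handler
    return next();
  };
}

// Push one request through the check and report the outcome; used by the
// test and handy for trying the middleware from the command line.
function simulate(sessionUser, role) {
  const req = { session: { ssoUser: sessionUser } };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let reached = false;
  requireRole(role)(req, res, () => { reached = true; });
  return { status: res.statusCode, reached, roles: req.user ? req.user.roles : null };
}

// e.g. simulate({ email: "Alice@Example.com", name: "Alice" }, "admin")
```

The store is keyed by a normalized e-mail because that is the only stable attribute the Cloud Directory source gives you; if the identity source ever lets two accounts share an address, switch the key to whatever unique identifier it exposes.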

Related

Keycloak users security

I am using Keycloak 18.0 for Angular 13 + Spring Boot App. The solution utilizes Microservices architecture pattern for this app so basically Keycloak already guards access to other solution resources. I am using only Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict Keycloak client token only to user creation.
Any user has to be able to:
1. Fully access and manage ONLY his own profile.
2. Have restricted access to profiles of other users.
3. Any other operation (viewing other users, adjusting roles etc.) should be enabled only if the authenticated user has some kind of permission to do it.
For example:
Anybody can create user (signup).
After user is verified, some role is assigned to that user.
User logs in and acquire its token that has permissions to fully manage only his own resources including user itself and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as resource security manager (I am considering that option, but for now only the Spring Boot Adapter was implemented to control corresponding resources' security), but at least I would like to prevent e.g. reading the full list of users using the Keycloak client token.
I have a basic understanding of the Keycloak Resource/Policy/Permission feature, but I am not sure I understand how I can apply it to Keycloak users themselves.
Thanks a lot in advance for your help.

AWS OpenSearch Google Workspace SAML authentication

I have configured a custom SAML app in Google Workspace and configured AWS Opensearch to use SP-initiated SSO.
I am able to access OpenSearch via the URL but I get the following error
Missing Role
No roles available for this user, please contact your system administrator.
I guess some SAML attribute mapping and group setup are required. I've created an opensearch group in Google for users that I wish to have access.
I think the following AWS OpenSearch parameters require a value:
SAML master backend role
Subject key
Roles key
From what I can see, the issue is that you need to create a custom attribute inside the Admin console of Google Workspace with the "roles" for AWS Opensearch.
You can also read this information in the AWS documentation.
This was resolved using an IdP-initiated authentication flow instead. The links posted in answers above helped us implement this.
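The mapping step that produces the "No roles available for this user" message, as an added example that is not part of the original thread and not OpenSearch or Google Workspace code. It models what the service provider does after its SAML library has verified the response: derive the subject from the "Subject key" (or NameID when that is empty) and the backend roles from the "Roles key". The config values and the two assertions are constructed; the custom attribute name `roles` is the assumption the answer above makes.

```javascript
// Added example: SP-side SAML attribute mapping, modelled after the three
// OpenSearch settings named in the question (master backend role, subject
// key, roles key). Signature and validity-window checks are assumed to have
// already been done by the SP's SAML library and are not repeated here.

// Assumed SP settings (not the asker's real configuration).
const spConfig = {
  subjectKey: "",                        // empty: use the assertion's NameID as the subject
  rolesKey: "roles",                     // custom Google Workspace attribute carrying backend roles
  masterBackendRole: "opensearch-admins",
};

// What a SAML library hands back after verification: NameID plus the
// AttributeStatement, each attribute possibly multi-valued. Constructed samples.
const assertionWithRoles = {
  nameId: "alice@example.com",
  attributes: { roles: ["opensearch-admins", "analysts"], department: ["ops"] },
};
const assertionMissingRoles = {
  nameId: "bob@example.com",
  attributes: { department: ["ops"] },   // IdP sends no "roles" attribute at all
};

function mapSamlIdentity(assertion, config) {
  // Subject: a named attribute when subjectKey is set, otherwise NameID.
  const subject = config.subjectKey
    ? (assertion.attributes[config.subjectKey] || [])[0]
    : assertion.nameId;
  if (!subject) return { ok: false, error: "no subject in assertion" };

  // Backend roles: every value of the roles attribute, trimmed and de-duplicated.
  const raw = assertion.attributes[config.rolesKey] || [];
  const backendRoles = [...new Set(raw.map((r) => String(r).trim()).filter(Boolean))];

  // No roles means no access: this is the path behind "Missing Role".
  if (backendRoles.length === 0) {
    return { ok: false, subject, error: "no roles available for this user" };
  }
  return {
    ok: true,
    subject,
    backendRoles,
    isMaster: backendRoles.includes(config.masterBackendRole),
  };
}

// e.g. mapSamlIdentity(assertionMissingRoles, spConfig).error
//      -> "no roles available for this user"
```

Two things to check when the error appears: the IdP must actually emit the attribute (in Google Workspace that means a custom user attribute mapped into the SAML app), and its name must match the SP's roles key exactly, including case. Google group membership alone does not become a SAML attribute unless it is mapped.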

SSO with keycloak

We are considering to use the keycloak as our SSO framework.
According to the Keycloak documentation for multi-tenancy support, the application server should hold all the keycloak.json authentication files. The way to acquire those files is from the Keycloak admin; is there a way to get them dynamically via API, or at least to get the realm public key? We would like to avoid manually adding this file for each realm to the application server (to avoid downtime, etc.).
Another multi-tenancy related question: according to the documentation the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times? Is there an alternative?
One of our flows is a backend micro-service that should be authenticated against an application (defined as a Keycloak client). We would like to avoid keeping user/psw on the server for security reasons; is there a way that an admin can acquire a token and place it manually on the server file system for that micro-service? Is there an option to generate this token in the Keycloak UI?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.

How can I enable login button of identity provider (external) on SP login page

I am using WSO2 Identity Server product version 5.0.0. I use SP1. In our latest architecture we use a specific login page for each service provider. Each service provider can be configured under different tenant domains, eventually with differences (for example, for one tenant the internal and the Facebook login are configured, but for another tenant just the internal login).
I want to know if it is possible to display on the login page the external Identity Provider login button according to the Service Provider configuration under the specific tenant domain. Please help me to solve this, I am stuck on this advanced configuration. I could not find any documents for this.
Yes, according to my knowledge your requirement is possible with WSO2-IS.
Please refer document [1] for Customizing the login page for SAML SSO service providers.
And you can get more custom configuration details using this blog as well. [2]
Also, if you need to re-theme the WSO2 management console, that is also possible with WSO2-IS. Please find the reference document [3].
[1]https://docs.wso2.com/display/IS500/Customizing+Login+Pages
[2]http://dulanja.blogspot.com/2014/01/wso2-is-samlsso-customizing-login-page.html
[3]http://wso2.com/library/tutorials/2011/12/retheming-carbon-products/

How to get VCAP_SERVICES environment variables WITHOUT binding to an application?

Frequently, I create standalone services in Bluemix. For example, Analytics for Apache Hadoop, Cloudant and DashDB.
I don't need an application to work with these services, but it seems I have to bind to an application just to get access to the VCAP_SERVICES environment variables with urls, usernames, passwords, etc.
Question: How to get VCAP_SERVICES environment variables WITHOUT binding to an application?
For many services, you will have to bind them to an app in order to get the VCAP_SERVICES credentials.
There is a service key capability which some services are starting to adopt which allows you to create and access credentials without binding to an app. Using the cf command line tool, the commands below are available to use if a service supports them:
SERVICES:
create-service-key, csk Create key for a service instance
service-keys, sk List keys for a service instance
service-key Show service key info
delete-service-key, dsk Delete a service key
The CloudFoundry docs at https://docs.cloudfoundry.org/devguide/services/service-keys.html provide more detail.
In the Bluemix UI, you would see a 'Service Credentials' option in the panel when viewing a service dashboard when a service supports this capability. Selecting this option allows you to see credentials that have been created as well as an "Add Credentials" button to create new ones.
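Consuming credentials from either source the answer describes (VCAP_SERVICES in a bound app, or a service key created with `cf create-service-key` and shown with `cf service-key`), as an added example that is not part of the original answer and not Cloud Foundry or Bluemix code. Both sample inputs are constructed: the VCAP_SERVICES document follows the standard label/name/credentials layout, and the `cf service-key` output is modelled on the CLI's "status line, blank line, JSON" format. The service labels, instance names and credential fields are assumptions.

```javascript
// Added example: one resolver for service credentials, whether they arrive
// through VCAP_SERVICES (app binding) or a service key (no binding).

// Constructed VCAP_SERVICES document: top-level keys are service labels,
// each holding an array of instances with a "credentials" block.
const sampleVcap = JSON.stringify({
  cloudantNoSQLDB: [{
    name: "my-cloudant", label: "cloudantNoSQLDB", plan: "Lite",
    credentials: { url: "https://user:pass@host.cloudant.com", username: "user", password: "pass" },
  }],
  dashDB: [{
    name: "my-dashdb", label: "dashDB", plan: "Entry",
    credentials: { hostname: "db.example", username: "u", password: "p" },
  }],
});

// Constructed `cf service-key my-cloudant my-key` output: a human-readable
// status line, a blank line, then the credentials JSON.
const sampleServiceKeyOutput = [
  "Getting key my-key for service instance my-cloudant as user@example.com...",
  "",
  JSON.stringify({ url: "https://user2:pass2@host.cloudant.com", username: "user2", password: "pass2" }, null, 2),
].join("\n");

// Select the credentials for a service label (and optional instance name).
function credentialsFromVcap(vcapJson, label, instanceName) {
  const vcap = JSON.parse(vcapJson);
  const instances = vcap[label] || [];
  const inst = instanceName ? instances.find((i) => i.name === instanceName) : instances[0];
  if (!inst || !inst.credentials) {
    throw new Error(`no credentials for ${label}${instanceName ? "/" + instanceName : ""}`);
  }
  return inst.credentials;
}

// Drop the CLI's prefix text and parse the JSON body of `cf service-key`.
function credentialsFromServiceKeyOutput(text) {
  const start = text.indexOf("{");
  if (start < 0) throw new Error("no JSON in cf service-key output");
  return JSON.parse(text.slice(start));
}

// Prefer VCAP_SERVICES when running as a bound app; otherwise fall back to a
// service key an operator stored for the standalone instance.
function resolveCredentials({ vcapServices, serviceKeyOutput }, label, instanceName) {
  if (vcapServices) return credentialsFromVcap(vcapServices, label, instanceName);
  if (serviceKeyOutput) return credentialsFromServiceKeyOutput(serviceKeyOutput);
  throw new Error("no credential source available");
}

// Log-safe summary: host and user only, never the password or the full URL
// (Cloudant URLs embed the password in the userinfo part).
function describe(creds) {
  const host = creds.url ? new URL(creds.url).host : creds.hostname;
  return { host, username: creds.username, hasPassword: Boolean(creds.password) };
}

// e.g. describe(resolveCredentials({ vcapServices: process.env.VCAP_SERVICES }, "cloudantNoSQLDB"))
```

A service key is a long-lived credential with no app binding to tie it to, so treat the saved `cf service-key` output like any other secret file, and delete the key with `cf delete-service-key` when the job that used it is retired.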