How to redirect on my service after logout using OpenAM? - redirect

Can I log an account out of OpenAM and redirect to my service?
I tried sending a URL like this: http://myHost/OpenAM-12.0.0/UI/Logout?goto=myService, but OpenAM redirects me to the sign-in page. Can I solve this problem?

You have to set the property iplanet-am-auth-valid-goto-domains for your org.
You can do it with the ssoadm tool.
From the OpenAM Admin Guide:
Valid goto URL domains
List external domains to which clients can be redirected after authentication.
This attribute requires valid DNS domains that reflect the set policy rules,
such as (need more reputation to post more than 2 links, see in admin-guide).
ssoadm attribute: iplanet-am-auth-valid-goto-domains
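As an added illustration (not from the answer above and not OpenAM's own code), this is the kind of check a goto-domain allowlist such as iplanet-am-auth-valid-goto-domains turns an open redirect into. The allowlist and URLs are constructed, and matching is assumed to accept a listed domain together with its subdomains.

```python
from urllib.parse import urlsplit

# Constructed allowlist, in the spirit of iplanet-am-auth-valid-goto-domains.
VALID_GOTO_DOMAINS = ["myservice.example.com", ".partner.example.org"]

ALLOWED_SCHEMES = {"http", "https"}


def host_in_allowed_domains(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of it.
    Matching on label boundaries stops 'myservice.example.com.evil.test'
    from passing as a plain suffix match."""
    host = host.lower().rstrip(".")
    for domain in allowed_domains:
        domain = domain.lower().strip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def is_valid_goto(goto, allowed_domains=VALID_GOTO_DOMAINS):
    """Decide whether a goto parameter may be used as a post-logout redirect."""
    if not goto or "\\" in goto:
        # Browsers treat a backslash like a slash in http(s) URLs, so a URL
        # containing one can parse differently here than in the browser.
        return False
    parts = urlsplit(goto)
    if not parts.scheme and not parts.netloc:
        # Server-relative path: allow '/app', refuse protocol-relative '//host'.
        return goto.startswith("/") and not goto.startswith("//")
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, and bare '//host' all land here
    if parts.username is not None or parts.password is not None:
        return False  # 'http://good.example@evil.test' style userinfo tricks
    if not parts.hostname:
        return False
    return host_in_allowed_domains(parts.hostname, allowed_domains)
```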

Only display login form if user is not connected on identity provider

I'm new to the Keycloak world and I need some help to configure my login flow.
I've configured Keycloak to allow people to log in with their ADFS account or with an LDAP account.
The ADFS Identity Provider is configured to use OpenID Connect.
When people connect to my application, they are redirected to Keycloak, where they see a login form and a button to log in through ADFS.
This works perfectly, but we would like people not to see that screen if they are already logged in on ADFS, and only see the login form if they're not connected to ADFS.
I changed the browser flow to use the Identity Provider Redirector first and then display the username/password form. In this case the user is automatically logged in via ADFS, but if the user is not logged in, ADFS asks for a password and the user is not redirected to Keycloak.
Do you know how we can configure Keycloak to implement that flow?
I'm using Keycloak 11.0.0-alfresco-001 (Keycloak 11 packaged by Alfresco as alfresco-identity-service) with a custom theme. The code is available on Alfresco's GitHub.
Here’s my browser flow configuration:
IAM Browser flow
Thanks for your help
• Yes, it's possible to configure Keycloak to implement the desired flow as a brokered IdP in the following way:
While configuring ADFS in Keycloak and importing its federation metadata file, check the settings and enable the "validate signature" option for the authentication requests to be sent to ADFS; also enable the "Want AuthnRequests signed" option. Afterwards, set the signature key name field to CERT_SUBJECT, as AD FS expects the signing key name hint to be the subject of the signing certificate.
Then check the mappers for group and attribute claims in Keycloak for transforming the details from the SAML assertion into the Keycloak user store.
After that, check the descriptor URI, which needs to be set by appending "/descriptor" to the ADFS redirect URI in this field. The URI will be like "https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor".
Also, please ensure that the signing certificate for Keycloak in the ADFS claims provider is not self-signed, is issued by a trusted third-party CA, and is installed in the server's local system certificate store.
Disable the certificate revocation check for the certificate installed on the ADFS server and ensure the "backchannel logout" option is checked in Keycloak.
• Once the above settings are checked thoroughly, the default login redirection page should be displayed, and the user should be able to select the IdP from the login page accordingly.
Please see the links below for more information:
https://www.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
Keycloak AD FS Interaction

How to change identity provider callback URL in Keycloak

I have a Keycloak server hosted in Kubernetes. When I make a request to an external identity provider (like Google/Facebook), the hostname is used in the redirect URL automatically. How can I change the redirect URL for my identity provider?
The auto-generated redirect_url from Keycloak:
http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint
What I expect:
http://www.example.com/my-custom-callback/endpoint; this URL will redirect to the original keyclaok endpoint.
My identity provider settings in Keycloak
The auto-generated redirect_url (shown in the UI) should not be relevant for you.
AFAIK Keycloak just builds the URL from the hostname you are currently using to access Keycloak.
So when you access your admin console via
http://keyclaok:8080/
the redirect URL for a Google Identity Provider is shown as
http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint
If you access Keycloak over your domain
http://www.example.com/auth
and try to authenticate over Google, the valid redirect URL will be
http://www.example.com/auth/realms/{MY_REALM}/broker/google/endpoint
In my opinion you can't decide what the redirect URL will look like (especially not the suffix realms/{MY_REALM}/broker/google/endpoint), because it's relative to the Keycloak base URL and Keycloak needs it internally to map an answer to the correct realm and IdP.
But I think you shouldn't have a problem with such a URL, as long as Keycloak is accessible over your domain.

Pingfederate kerberos authentication is authenticating any user from any domain

I am trying to configure SAML SSO with OpenAM as SP and PingFederate as IdP, with SP-initiated SSO and using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.
I have configured the Kerberos adapter to use the "e-glue.com" domain and provided KDC details in the configuration. I have also added the "setspn" of the PingFederate server in the domain controller properly.
However, when I log in to a computer with a valid "e-glue.com" user and hit the SSO URL "https://hostname.e-glue.com:1912/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=ent-026330&metaAlias=/sp", it redirects me to the IdP, SSO is successful and the user gets created in OpenAM.
But if I do the same thing from another domain, which is not "e-glue.com", it still authenticates the user and the user is created in OpenAM.
This is so strange; there is something missing, as a user who is not part of the e-glue domain is getting authenticated even though we configured the Kerberos adapter to use the e-glue.com KDC. I am missing something, not sure what.
Please share if you have any information about what is going wrong.
It happened because of an inter-domain trust relationship.
PingFederate (IdP) is configured to authenticate users via the "e-glue.com" domain.
So I logged in to my computer, which was in the domain "someother.domain".
But this "someother.domain" implemented an Active Directory directory service forest and has a trust relationship between "e-glue.com" and itself. So all users logged in to the IdP are also VALID users because of the trust relationship.
It took me some time to understand this.

ADFS 3.0 redirects the request to internal IP instead of DNS

I have configured ADFS 3.0 in my lab and am trying to integrate it with Salesforce. When I try to access Salesforce using ADFS, it redirects me to the ADFS login page, which is the expected behavior, but after entering the credentials it automatically redirects to an internal IP address instead of the DNS name. I have checked on the ADFS server but found nothing abnormal.
First URL (login page):
https://adfs.mycompany.com/adfs/ls/?SAMLRequest=
After entering the credentials, it redirects to the URL below:
https://10.25.218.25/adfs/ls/?SAMLRequest=
Please help.
Endpoint URL (screenshot): https://i.stack.imgur.com/4k1cb.png

Configuring Atlassian Crowd to process a domain redirect

jira.service.bd
confluence.service.bd
crowd.service.bd
These should have the same SSO domain, so I set .service.bd
My crowd console URL:
http://crowd.service.bd:8095/crowd/console
I configure the custom domain in /etc/hosts as:
172.16.20.101 crowd.service.bd
If I configure the SSO domain as crowd.service.bd, the Crowd login succeeds.
If I use .service.bd, then the Crowd login is a redirect, as the link Crowd Login Redirected says.
I suppose I have something wrong about domain and subdomain. Should I configure a second-level domain on my host?
The solution is:
Change
jira.service.bd
confluence.service.bd
crowd.service.bd
To
jira.bdservice.com
confluence.bdservice.com
crowd.bdservice.com
And then set the SSO domain to .bdservice.com; then everything is OK.
I suppose Crowd couldn't recognize .bd as a top-level domain.
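As an added example (not Crowd's code and not from the thread), here is the browser-side rule that fits the symptom above: a Set-Cookie Domain attribute is discarded when the domain is a public suffix, so an SSO cookie scoped to .service.bd never reaches jira.service.bd. The rule subset is constructed, but its "*.bd" wildcard mirrors the Public Suffix List's rule for .bd, under which service.bd is a public suffix while bdservice.com is not.

```python
# Constructed subset of Public Suffix List rules. The wildcard rule "*.bd"
# mirrors the real list, which marks every second-level .bd name as a public
# suffix; exception rules ("!") are omitted for brevity.
PSL_RULES = ["com", "bd", "*.bd"]


def public_suffix(host):
    """Longest matching rule wins; with no match, the last label is the suffix."""
    labels = host.lower().rstrip(".").split(".")
    best = 1
    for rule in PSL_RULES:
        rule_labels = rule.split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == lab for r, lab in zip(rule_labels, tail)):
            best = max(best, len(rule_labels))
    return ".".join(labels[-best:])


def cookie_domain_accepted(request_host, cookie_domain):
    """Return (accepted, reason) the way a browser judges a Set-Cookie Domain
    attribute on a response from request_host."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    # RFC 6265 domain-match: host equals the domain or ends with "." + domain.
    if not (host == domain or host.endswith("." + domain)):
        return False, "domain does not domain-match the request host"
    # Browsers refuse a Domain that is itself a public suffix; otherwise one
    # site could set cookies readable by every other site under that suffix.
    if domain == public_suffix(domain):
        return False, "domain is a public suffix"
    return True, "accepted"
```

The same check explains why a cookie domain of crowd.service.bd works: it domain-matches the Crowd host and is one label below the public suffix.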