keycloak managed password with federated users - passwords

Is it possible to manage the password by keycloak with federated users? I have users
federated from external database and currently also the password is being checked from the external database.
Is there a possibility to register a password in keycloak for the user just after that user is created in the external database and then federated to keycloak?
My motivation is having the built in password reset functionality of keycloak not building extra SPI code for this on federated users.

It is not really clear from your question, but since you have federated users from an external database, I assume you have implemented your custom UserStorageProvider. You are also validating passwords against your external database. So, I assume you have also implemented CredentialInputValidator interface. If you have not implemented CredentialInputUpdater, I would assume what you are trying to achieve should work out of the box.
If you have implemented CredentialInputUpdater, you could try to do the following:
Within you implementation of CredentialInputValidator.isvalid first check if the user has a local password configured, e.g. like this
keycloakSession.userCredentialManager().isConfiguredLocally(realm, user, credentialInput.getType())
If this is the case (returns true), simply have isValid return false. In this case Keycloak should use other CredentialInputValidators and check for the locally configured password.
If this is not the case (returns false), do the password check against your external database. Iff the password is valid, silently migrate the password to Keycloak's local credential store. This could look something similar to this:
CredentialProvider passwordProvider = keycloakSession.getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
if (passwordProvider instanceof CredentialInputUpdater) {
((CredentialInputUpdater) passwordProvider).updateCredential(realm, user, credentialInput);
}
Within CredentialInputUpdater.updateCredential make sure to update the local store in addition to the password in your database.
Now your user's passwords will be stored in Keycloak's local database / credential store and the built in password reset functionality should work as expected.

Is there a possibility to register a passward in keycloak for the user
just after the user is created in external database and then federated
to keycloak?
From the Keycloak Documentation itself:
By default, Keycloak will import users from LDAP into the local
Keycloak user database. This copy of the user is either synchronized
on demand, or through a periodic background task. The single exception
to this is the synchronization of passwords. Passwords are never
imported. Their validation is always delegated to the LDAP server. The
benefits of this approach is that all Keycloak features will work as
any extra per-user data that is needed can be stored locally. The
downside of this approach is that each time that a specific user is
queried for the first time, a corresponding Keycloak database insert
is performed.

Related

Login another salesforce org from salesforce record page

I was wondering if it was possible to login to different salesforce environments (Sandboxes, scratch orgs, production env, etc) using either Apex/LWC/Aura (or anything that I can make a quick action to). For example, I have a list of credential records, with the username and password, and I would like to have a login button that creates a separate tab that can automatically redirect to that specific instance and log in.
Currently, if a user wants to login to a particular instance, they have to either go to test.salesforce.com or login.salesforce.com (depending on if it's a sandbox or production) manually, then copy the password and username in. The ideal situation is to have a login button that can do this automatically from the record page where the username and password is located.
I think previously this could have been accomplished through the URL, but salesforce has recently patched this out due to security concerns. Is there another good way to do this?
It sounds like you're trying to solve two specific challenges:
Your users need to be able to manage very high volume of credentials.
You need authentication to survive password resets.
The clear solution, in my mind, is to use the OAuth Web Server flow to execute initial authentication and then store the refresh token that results from this flow. This token survives password resets, and may be used more or less indefinitely to create new access tokens - which users can then use to log in via a frontdoor link.
There's an out-of-the-box tool that does this already: the Salesforce CLI. You can authenticate orgs to its toolchain, name them, and subsequently access them with a single command (sfdx force:org:open). Users that prefer a GUI can access the exact same functions in Visual Studio Code.
If you're hellbent on doing custom development to handle this use case, you can, but you need to be very careful of the security implications. As one example, you could implement an LWC + Apex solution that executed the relevant OAuth flows against orgs and stored the resulting data in an sObject, then allowing users to click a button to generate a new access token and do a one-click login.
But... if you do this, you're storing highly sensitive credentials in an sObject, which can be accessed by your system administrators and potentially other users who have relevant permissions. That data could be exfiltrated from your Salesforce instance by an attacker and misused. There's all kinds of risks involved in storing that kind of credential, especially if any of them unlock orgs that contain PII or customer data.
One of the two best answers for that (the other one being 'pure Apex' and relatively more complex) is using Flow.
"You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common use cases include collecting and updating user data at login, configuring multi-factor authentication, or integrating third-party strong authentication methods.enter image description here"
"You can use login flows to interact with external third-party authentication providers by using an API.
For example, Yubico offers strong authentication using a physical security key called a YubiKey. Yubico also provides an example Apex library and login flow on GitHub. The library supplies Apex classes for validating YubiKey one-time passwords (OTPs). The classes allow Salesforce users to use a YubiKey as a second authentication factor at login. For more information, see yubikey-salesforce-client.
You can also implement a third-party SMS or voice delivery service, like Twilio or TeleSign, to implement an SMS-based multi-factor authentication and identity verification flow. For more information, see Deploy Third-Party SMS-Based Multi-Factor Authentication."
learn more here: enter link description here

Can Keycloack replace dap authentication?

Sorry but it doesn't accept "hi everyone "
I have several apps which are authenticated by ldap. can keycloack replace this authentication with ldap? and in this way I do not touch to the configuration Of applications ?
Thank you
You can read this article https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/user-federation/ldap.html
By default Keycloack copy your ldap data but you can choose keycloack use your ldap data :
By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The one exception to this is passwords. Passwords are not imported and password validation is delegated to the LDAP server. The benefits to this approach is that all Keycloak features will work as any extra per-user data that is needed can be stored locally. This approach also reduces load on the LDAP server as uncached users are loaded from the Keycloak database the 2nd time they are accessed. The only load your LDAP server will have is password validation. The downside to this approach is that when a user is first queried, this will require a Keycloak database insert. The import will also have to be synchronized with your LDAP server as needed.
Alternatively, you can choose not to import users into the Keycloak user database. In this case, the common user model that the Keycloak runtime uses is backed only by the LDAP server. This means that if LDAP doesn’t support a piece of data that a Keycloak feature needs that feature will not work. The benefit to this approach is that you do not have the overhead of importing and synchronizing a copy of the LDAP user into the Keycloak user database

Use keycloak as auth service or IDP?

So, im doing research to know if its a good alternative to implement keycloak on the environment i'm working at.
Im using LDAP to manage users at my workingplace. I was wondering if is there a way to use keycloak as auth service in all upcoming systems and some of the existing ones. We are currently managing it with an IDP that we need to improve or replace, also there are some systems use their own login (this will eventually change).
The main problem i've crossed is that keycloak synchronizes against ldap and i dont want user data to be stored on keycloak, maybe if its only login data. User data is planned to be kept only on ldap's database in case that any userdata needs to be updated.
So is there a way to use keycloak only as an auth service fetching user credentials from ldap on every auth request?
pd: maybe i am mistaken on the meaning of what's an auth service an whats an IDP.
Actually it is not necessary that LDAP users are synced to Keycloak.
Keycloak supports both options
Importing and optionally syncing users from LDAP to Keycloak
or
Always getting the User info from LDAP directly.
But keycloak will always generate some basic federated user in it's database (e.g. for keeping up a session when using OpenID Connect - but you should not really care about that).
As far as I know (but I've not used that myself) you could also use keycloak to maintain the LDAP users data and write changes back to LDAP (see "Edit Mode" in Keycloak documentation)
Check Keycloak documentation regarding LDAP stuff to get more information https://www.keycloak.org/docs/6.0/server_admin/#_ldap
Beside the User-Data Topic, Keycloak provides a lot of different Protocols (like SAML and OpenIDConnect) to provide authentication for your services. So you could use different/multiple authentication protocols depending on your applications with just one "LDAP-Backend"

Using Flask Login with LDAP safe and secure

I am creating a login page with an authentication using LDAP. I could see LDAP3 packages for flask with login forms as well. I am looking for a form where the developer of the portal(say me or anyone in our team) should not be able to add any print statements and sniff the username and password when someone log in...
The flask form is exposing the password variable as a plain string. Even if it doesn't expose , it is possible to put a print statement in the flask_form validate function.
Is there any option available like the form is bundled as binary or c-python module where the developer has no option to sniff the credentials at all..
If not possible or no options available as they know off, any other framework like django helps for these usecase?
By design, server-side LDAP authentication requires the server receive the username & password from the user and relay that information to the LDAP server. This means a developer could insert a line that logs all credentials out somewhere, grab the passwords from process traces, dump memory, etc. If you don't want any of the developers or system administrators to have access to user passwords, use some type of federated authentication instead of LDAP.
In a federated authentication scheme, the user auths against some other source (e.g. ADFS) and your app checks a token that essentially says "this trusted other auth source says the person is Lisa".

Is it a loophole to join ldap authentication?

If multiple systems join ldap authentication, then any administrator of any one of them can get the password of any user's account.right?
Applications authenticating against an LDAP directory are not going to be able to access all of the user passwords en mass provided you do not not permit direct read access to the attribute or you do not store your passwords in clear text (if you use something like ldapsearch to dump an entry and have userpassword:: followed by a bunch of random looking 'stuff', that's an easily decoded clear text password). App I allow to access my LDAP server aren't given access to read all of the userPassword values to attempt reversing them out to clear text (and I'm using a decent encryption mechanism to store userPassword value). I restrict the application service account to reading contact-type attributes (phone number, address) and group objects. The only way they get the user's password is by asking the user for it and binding against my directory with those credentials. Can an app admin grab credentials for those who use the application? Sure, they could.
On an out of the box application, I could attach a debugger and access the username/password values as they transit the application. With custom-written applications, it's even easier to grab the credentials. The application takes the username and password as user input and binds to the LDAP server to validate the username and password. As an LDAP server admin, there's nothing I can do to prevent the application developer from making calls and doing other things with that username and password. "Other things" may be legit -- I've handled LDAP directory migrations by authenticating against the old system and, on success, creating the user in the new directory LDAP with the password the old directory just accepted. It was an ugly way to migrate directories, but it worked. "Other things" may be malicious. Is it likely to encounter an app admin or developer who is siphoning off credentials? Depends on who authenticating through your LDAP directory.
This isn't a unique failing of LDAP -- any authentication back-end that you let other people use directly suffers from the same problem. If you don't want the app admins/developers intercepting user credentials, look into federated identify management (FIM) -- an authentication mechanisms where the app (service provider, in FIM terminology) doesn't have access to the username and password but rather validates a token of some sort that was created after a trusted "identity provider" authenticated the username and password.