Keycloak with SAML as Identity Provider and LDAP User Federation - ldap

We use Keycloak 9.0.3 and connect it to a SAML Identity Provider. We want to use LDAP for User Federation but not for authentication, because authentication is done by smartcard. But we want to access additional LDAP information, e.g. groups. Is it possible to disable LDAP authentication?

I found the solution:
Under "Authentication", on the "Flows" tab, select "Browser" in the drop-down.
Then set "Identity Provider Redirector" to disabled.

Related

Keycloak 2-factor authentication with OIDC Identity Brokering

Is it possible to do two-factor authentication with OIDC Identity Brokering?
I'm trying to use TOTP to set up two-factor authentication; it works for the password authentication method but not with OIDC Identity Brokering.
1- with the password method:
login + password
OTP password
successful login
2- with OIDC Identity Brokering:
select OIDC provider
select account
successful login
Is it possible to add an OTP password stage to the OIDC method?
Does anyone know the issue?
It is not a problem of the OIDC protocol (actually, I guess you are using OIDC in both cases), but of the authentication flow used. Make sure you have properly configured a First Broker Login flow that fits your needs. For example:
Source: https://github.com/keycloak/keycloak-community/blob/master/design/multi-factor-admin-and-step-up.md
But I would say it won't be a clever idea to require TOTP in Keycloak in this setup, when Keycloak is only a middle layer (Identity Brokering). The proper config will be to configure (T)OTP on the OIDC provider used (that's another IdP, which is only used by your Keycloak).

Disable Keycloak user from LDAP

I have synchronization between OpenLDAP and Keycloak via user federation; everything works fine (import from LDAP, authentication, etc.).
I need to have a possibility to disable a Keycloak user from LDAP. I know that it is possible to disable a user from Keycloak, but is there a way to do the same from LDAP? Maybe add some attribute to the LDAP record which will be mapped to the Keycloak record so that the user will be disabled.
My goal is to disable authentication for a particular user using LDAP.
I managed to make it work with Fedora 389.
I created an "enabled" attribute as a String and created the corresponding mapper in the federation configuration as "user-attribute-ldap-mapper".
Now when I change the "enabled" switch in Keycloak, the change is propagated to LDAP.
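The two console changes described above (disabling the "Identity Provider Redirector" execution in the "browser" flow from the first answer on this page, and the "user-attribute-ldap-mapper" for an "enabled" attribute from the answer just above) can also be scripted against the Keycloak admin REST API. The block below is an added example, not code from any of the posts; it assumes Keycloak 9.x under the default /auth context path, an admin account in the master realm, a target realm named "demo" and a 389 DS (vendor "rhds") directory whose schema carries a custom string attribute called "enabled". The server URL, hostnames and DNs are placeholders, and the sample execution list is constructed.

```python
"""Added example (not code from any post on this page): the two console changes
described above, done through the Keycloak admin REST API with only the stdlib.
(1) Disable the Identity Provider Redirector in the "browser" flow.
(2) Create an LDAP user storage provider plus a user-attribute-ldap-mapper that
    ties Keycloak's "enabled" flag to an LDAP attribute.
Assumptions not stated on the page: Keycloak 9.x under the default /auth path,
an admin in the master realm, a target realm "demo", 389 DS (vendor "rhds")."""
import json
import os
import urllib.parse
import urllib.request

KC_URL = os.environ.get("KC_URL", "http://localhost:8080/auth")  # assumed
KC_REALM = os.environ.get("KC_REALM", "demo")                     # assumed

# Constructed sample of GET .../authentication/flows/browser/executions for a
# stock browser flow, trimmed to the fields this script uses.
SAMPLE_BROWSER_EXECUTIONS = [
    {"id": "e1", "providerId": "auth-cookie", "requirement": "ALTERNATIVE", "level": 0, "index": 0},
    {"id": "e2", "providerId": "identity-provider-redirector", "requirement": "ALTERNATIVE", "level": 0, "index": 2},
    {"id": "e3", "displayName": "forms", "requirement": "ALTERNATIVE", "level": 0, "index": 3, "authenticationFlow": True},
]


def admin_token(base_url, username, password):
    """Password grant against the master realm with the public admin-cli client
    (the same thing kcadm.sh does under the hood)."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_call(base_url, token, method, path, payload=None):
    """JSON request to {base_url}/admin/realms/{path}. Returns (parsed body or None,
    Location header or None); POST /components answers 201 with an empty body and
    the new component id at the end of Location."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{base_url}/admin/realms/{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return (json.loads(raw) if raw else None), resp.headers.get("Location")


def redirector_update(executions):
    """Find the Identity Provider Redirector in a flow's execution list and return a
    copy with requirement DISABLED (the body for PUT .../flows/browser/executions).
    None when the flow has no redirector step, so the caller skips the PUT."""
    for execution in executions:
        if execution.get("providerId") == "identity-provider-redirector":
            return {**execution, "requirement": "DISABLED"}
    return None


def ldap_provider_component(name, url, users_dn, bind_dn, bind_credential,
                            vendor="rhds", edit_mode="WRITABLE", sync_registrations=True):
    """ComponentRepresentation for an LDAP user storage provider. Keycloak stores
    every config value as a list of strings, hence the [...] wrapping. editMode
    WRITABLE is what lets the "enabled" switch write back to LDAP."""
    return {
        "name": name, "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "enabled": ["true"], "priority": ["0"], "vendor": [vendor],
            "connectionUrl": [url], "usersDn": [users_dn], "authType": ["simple"],
            "bindDn": [bind_dn], "bindCredential": [bind_credential],
            "editMode": [edit_mode], "importEnabled": ["true"],
            "syncRegistrations": [str(sync_registrations).lower()],
            "usernameLDAPAttribute": ["uid"], "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["nsuniqueid"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "searchScope": ["1"],
        },
    }


def enabled_attribute_mapper(provider_id, ldap_attribute="enabled"):
    """Child component of the LDAP provider: user-attribute-ldap-mapper tying the
    user model attribute "enabled" to a (hypothetical, custom) LDAP string
    attribute. read.only=false so toggling the user in Keycloak is written out."""
    return {
        "name": "enabled", "providerId": "user-attribute-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": provider_id,
        "config": {
            "user.model.attribute": ["enabled"], "ldap.attribute": [ldap_attribute],
            "read.only": ["false"], "always.read.value.from.ldap": ["true"],
            "is.mandatory.in.ldap": ["false"],
        },
    }


if __name__ == "__main__":
    token = admin_token(KC_URL, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASS"])
    # (1) browser flow: switch the redirector off rather than deleting the execution
    executions, _ = admin_call(KC_URL, token, "GET", f"{KC_REALM}/authentication/flows/browser/executions")
    update = redirector_update(executions)
    if update is not None:
        admin_call(KC_URL, token, "PUT", f"{KC_REALM}/authentication/flows/browser/executions", update)
    # (2) LDAP provider first, then the mapper as its child (parentId = provider id)
    provider = ldap_provider_component("ldap", "ldap://ds.example.internal:389",
                                       "ou=People,dc=example,dc=internal",
                                       "cn=Directory Manager", os.environ["LDAP_BIND_PASS"])
    _, location = admin_call(KC_URL, token, "POST", f"{KC_REALM}/components", provider)
    provider_id = location.rsplit("/", 1)[1]
    admin_call(KC_URL, token, "POST", f"{KC_REALM}/components", enabled_attribute_mapper(provider_id))
```

Run it with KC_ADMIN_USER, KC_ADMIN_PASS and LDAP_BIND_PASS in the environment. The payload-building functions are kept free of network calls so the representations can be inspected (or unit-tested) before anything is sent; the bind credential ends up in the component config, so restrict who can read components in the realm.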

Can Keycloak provide alternative authentication if LDAP is down

Let's say I want to have Keycloak synced with LDAP and use it as the source for authentication. (I've managed to do this already.)
But is there a way to let Keycloak itself be the identity provider if, for some reason, the LDAP connection is down?
First you should avoid LDAP going down by setting up HA, using HAProxy and keepalived for example. As for Keycloak, you can disable "Sync Registrations" in your Keycloak LDAP IDP and create users using the admin interface; these users are stored in Keycloak's local database and not in LDAP, so even if it goes down those users can still get access to Keycloak.
Refer to https://www.janua.fr/understanding-keycloak-user-federation/ for more details.
I managed to create a custom LDAP Storage Provider to do this.
Check "How to create a custom UserStorageSPI on Keycloak".

LDAP configuration for WhiteSource, which uses YAML. How do I approach this to use an LDAP configuration?

I am trying to migrate our company's Active Directory using LDAP to WhiteSource; however, it does not officially support LDAP. I am trying to see if there is a way to install SAML on my LDAP which could enable WhiteSource to connect to my LDAP using SAML. Any help would be greatly appreciated!
You cannot really use SAML to migrate user identity information from AD to some other identity silo.
However, you could use ADFS (on top of AD) to act as a SAML IdP, WhiteSource as SAML SP, and then perform SAML 'autofederation' to populate the identity silo on the SP side with some specific identity attributes.
I don't know whitesource though. (https://whitesource.atlassian.net/wiki/spaces/WD/pages/547356829/WhiteSource+SAML+2.0+Integration ?)

Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?

Please note I am new to the applications I am mentioning so I might use the terminology incorrectly. I've added a few diagrams to explain myself as best I could.
I am trying to set up a web service authentication policy in APIMAN (which uses Keycloak internally).
So far I know the Identity Provider (OpenAM) I created in Keycloak is configured correctly, since it is working on the Login page (see image 1 below).
I have also successfully used an access_token via Keycloak's OpenID API to access a web service, but only if the user credentials are in Keycloak (as opposed to OpenAM) (see image 2).
What I'd like to achieve is to authenticate this web service client via Keycloak but using the Identity Provider's credentials, but I do not know how to do this or if it is even possible (see image 3).
Please note I also tried User Federation with the LDAP behind OpenAM and it worked correctly, but I would like to know if there is a way to do it via OpenAM.
The way you used Keycloak and OpenAM is quite unusual; however, if I understand your question correctly, you want Keycloak to redirect the web service request to OpenAM, not LDAP.
You can either:
configure OpenAM as an identity provider using SAML:
OpenAM would be your source of identity, and Keycloak would be its client; you can do this by configuring Keycloak: Identity Providers -> SAML IdP -> and here you will place the OpenAM metadata.
configure OpenAM as an OIDC provider:
In Keycloak you go to Identity Providers -> create -> OIDC v1 provider -> and you will place your OpenAM info.
As I said, it can be done, but it's not the way it's supposed to be. OpenAM and Keycloak are both access management software; they both do exactly the same thing. In your configuration Keycloak plays the role of an API gateway, which is not exactly what Keycloak should be doing. You can get rid of either one of the solutions; both can provide you the same functionalities (OIDC, OAuth2, SAML, LDAP, ...).