I have a Keycloak instance running with a realm and 2 different clients configured: a public one for my Angular app, and a confidential one for the Grafana instance.
I managed to log in to each of them separately using Keycloak (so when I click login I am redirected to the Keycloak login page and log in with the credentials of the user I created in Keycloak).
However, I cannot figure out how to link the 2 of them such that when I log in to my Angular app, for example, and then visit the Grafana instance, I am already logged in there too, and vice versa.
Did anybody manage to achieve this and could please tell me what I'm missing?
Thank you!
Related
I have a web application running on my local machine. There is a link in the view page to go to the Oracle Cloud Interface dashboard. Upon clicking the link, the IDCS login page appears. After providing the credentials, the dashboard appears.
Is there any way to automate the login process under the hood? I don't want users to enter credentials every time they want to visit the dashboard page.
Configure and enable Single Sign-on (SSO) on Oracle Cloud on your tenancy. Set SSO as default login. Refer: https://docs.oracle.com/en/cloud/paas/content-cloud/administer/enable-single-sign-sso.html
After this, when any external user logs in, he will be redirected to the SSO login page; if the user is already logged in with SSO, it will even bypass the SSO login and he will land directly in the OCI console/dashboard.
Have you tried using the token-based authentication method? You could use OCI CLI to get the token and then use it in your automation code. You can use the SDKs to automate the whole process and SDKs can use the same token for OCI authentication.
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm
Thanks.
I'm not an expert on this subject.
In Keycloak, in the same realm, we have defined two client IDs.
My client IDs are configured with OpenID Connect and the authorization code flow.
This way a user can be authenticated with their credentials via these clients.
I have a problem. One of my users shares the same Keycloak session between these two different client IDs. In fact, when the user logs in to client A, he is logged out of client B. And the same when he logs in to client B: he is logged out of client A.
Why is it possible to share the same Keycloak session? And how can I be sure to have two different Keycloak sessions?
UPDATE: I noticed that when the user logs in over client A or client B, he uses the same browser. If he logs in over client A, he doesn't need to enter his login/password over client B. The result is that there is one Keycloak session. (If the user uses a different browser for each client, there is one Keycloak session per client.) Is it possible to force one Keycloak session per client ID?
What you are describing is a basic function in almost all AM software implementing OIDC; there is no such thing as logging in to clientA, the users always log in to the IdP, i.e. Keycloak.
Clients don't have sessions by default, Keycloak does, and clients use the Keycloak session in their OIDC flow. For example, if you are already authenticated to Keycloak and you try to do an OIDC flow with ClientA or ClientB, you won't be prompted to enter username/password; Keycloak will use the existing session.
So if you want to have different sessions for the same user, then you have to create your own session. For example, if your clients are using Apache, you can use the Apache OIDC module to create a local session (which will be your ClientA session). As for the Keycloak session, you can't have two sessions, but you can have one Keycloak session for the two clients and two Apache sessions, one for each client.
I am trying to allow users to log in with multiple social media identity providers but have them linked to one email using Keycloak 8.0.1. Logging in with each IdP individually works.
When I first log in with Google, this works. When I then log in with Facebook, I am getting
KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException. Further in the log I see an IDENTITY_PROVIDER_FIRST_LOGIN_ERROR. The message is I am just using the default authentication flows: First Broker Login as First Login Flow and empty as Post Login Flow.
I assume the Authentication flow needs to be adjusted somehow?
Any ideas are much appreciated.
Can anybody let me know the possibility/steps to use Kentor AuthServices with a customer's ADFS?
So far we have successfully implemented the Kentor library to integrate with customers' Okta setups (Okta as the IdP). We have another customer requiring their employees to log in on our site using their ADFS credentials.
For test purposes, I added another IdP node in the web.config, setting login.microsoft.com as "signOnUrl" to post the SAML login request, and expected to be redirected back to our portal after authentication. But it presented the Microsoft apps options page and stayed there. What should "entityId" be? How to set "ReturnUrl" etc. is a blank area for me as of now.
I need to know what direction I should move in to enable SSO using customers' ADFS with Kentor.
On the ADFS side you can import the AuthServices metadata. It would be on the
https://xxx/AuthServices/ address.
On the Kentor side, use the ADFS metadata:
https://my-adfs/FederationMetadata/2007-06/FederationMetadata.xml
The entityID, endpoints etc. are all there.
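The metadata exchange described in the answer above, as an added example that is not part of the question, the answer, or the Kentor AuthServices library: a script that pulls the entityID, the SSO/SLO endpoints per binding and the signing certificate out of an ADFS-style FederationMetadata.xml, then builds the AuthnRequest an SP sends to the IdP over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded as SAMLRequest). The metadata document, the my-adfs host, the portal.example SP entityID and the certificate text are constructed placeholders.

```python
"""Added example, not code from the question, the answer or the
Kentor AuthServices library: read an IdP's SAML metadata and build the
AuthnRequest an SP sends over the HTTP-Redirect binding. All hosts,
URLs and the certificate text below are constructed placeholders."""
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlencode, urlparse, parse_qs
from xml.sax.saxutils import escape

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the SAML part of an ADFS FederationMetadata.xml
# (a real one is much larger and carries a signature and WS-Federation sections).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://my-adfs/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my-adfs/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my-adfs/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-adfs/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, SSO/SLO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP?)")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for el in idp.findall("md:SingleSignOnService", NS):
        info["sso"][el.get("Binding")] = el.get("Location")
    for el in idp.findall("md:SingleLogoutService", NS):
        info["slo"][el.get("Binding")] = el.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves both
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            info["signing_certs"].append("".join((cert.text or "").split()))
    if not info["signing_certs"]:
        # Without the IdP's signing certificate the SP cannot verify any Response.
        raise ValueError("metadata carries no signing certificate")
    return info


def _attr(value):
    return escape(value, {'"': "&quot;"})


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal SP-initiated AuthnRequest. The SP must remember request_id so the
    InResponseTo of the Response can be checked when it comes back."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{_attr(idp_sso_url)}" '
        f'AssertionConsumerServiceURL="{_attr(acs_url)}" '
        f'ProtocolBinding="{POST}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=""):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # -15: raw deflate stream
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_saml_request(url):
    """Inverse of the redirect binding; handy when inspecting what an SP sent."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    req = build_authn_request("https://portal.example/AuthServices",
                              "https://portal.example/AuthServices/Acs",
                              idp["sso"][REDIRECT])
    print("IdP entityID:", idp["entity_id"])
    print(redirect_binding_url(idp["sso"][REDIRECT], req, "/dashboard"))
```

Pointing Kentor at the metadata URL makes it read the same three things (entityID, the SingleSignOnService Location, the signing certificate); the script just makes visible what the SP actually needs from the customer's ADFS, and that the SP should refuse metadata with no signing certificate, since nothing could then be verified.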
We have all the user data in our local mysql database. We are moving our services to cloud and I need to use cloudfoundry UAA to authenticate by calling a login microservice endpoint on our network instead of doing uaac add user for all the users in db.
I am new to this, it would help me if you can explain the steps to do it.
Thanks in advance
I assume (based on the SAML tags on your question) that you are thinking of doing this with SAML. If this is your first time doing SAML then there is a bit of a learning curve. If so you may find it easier to just create a custom Login app.
SAML
You would set up an Identity Provider and the IdP would authenticate users against either mysql or your login microservice. simplesamlphp can be used for this purpose. A user would authenticate to the IdP, the IdP generates a SAML assertion (e.g. a signed XML doc with information about the user) that gets sent to the Service Provider (UAA). The service provider then looks at the assertion to determine who the user is. UAA supports SAML logins. It has been a while since I've set it up that way, but I recall you run a separate 'login' war from the rest of UAA, and the login war uses APIs to talk to UAA. You also need to configure the SAML trust relationship between ssp and the UAA login war. This isn't hard to do if you are familiar with SAML. If you aren't then it can be difficult to get all the pieces right.
Custom Login App
I think an easier approach is to just build your own login app that calls your authentication service and the UAA apis. UAA provides a sample app and documentation
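The service-provider side of the SAML flow described in the answer above ("the service provider then looks at the assertion to determine who the user is"), as an added example that is not part of the answer and is not UAA's or simplesamlphp's code: the checks an SP applies to a SAML Response (status, Destination, InResponseTo, Issuer, validity window, AudienceRestriction, bearer SubjectConfirmation) before it accepts the NameID as the logged-in user. Signature verification against the IdP's metadata certificate must succeed before any of these fields are trusted; it needs an XML-DSig library and is not shown. The Response document and the uaa.example and idp.example names are constructed.

```python
"""Added example, not from the answer, UAA or simplesamlphp: the checks an SP
runs on a SAML Response after (not instead of) verifying its XML signature.
The Response below is constructed and unsigned; all names are placeholders."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: what an IdP would POST to the SP's assertion consumer URL
# in reply to an AuthnRequest with ID "_req42".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T12:00:00Z"
    Destination="https://uaa.example/saml/SSO" InResponseTo="_req42">
  <saml:Issuer>https://idp.example/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-01-01T12:05:00Z"
            Recipient="https://uaa.example/saml/SSO" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T11:59:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>uaa.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value):
    """Parse the UTC timestamp form SAML uses; accepts a datetime unchanged."""
    if isinstance(value, dt.datetime):
        return value
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url, outstanding_ids, now):
    """Return (name_id, problems). name_id is only set when problems is empty.
    outstanding_ids holds AuthnRequest IDs this SP issued and has not yet consumed."""
    now = _ts(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None, ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_ids:
        problems.append("Response InResponseTo is not a request we issued (replay or unsolicited)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            problems.append("Issuer does not match the trusted IdP entityID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("assertion is not addressed to this SP (AudienceRestriction)")
    # Bearer confirmation ties the assertion to our endpoint and our request.
    scd = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in outstanding_ids:
            problems.append("SubjectConfirmationData InResponseTo is not a request we issued")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired (NotOnOrAfter)")
    if problems:
        return None, problems
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return (name_id.text or "").strip() if name_id is not None else None, problems
```

A real SP also consumes the request ID from outstanding_ids once a Response for it is accepted, so that the same Response cannot be replayed within its validity window; the replay check in the function is only as good as that bookkeeping.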