-
15. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 19, 2018 12:11 PM (in response to claudio4j)
Content of the file is layers=keycloak
Created under Wildfly_Home/Modules.
I have just removed the file and run that jboss.cli command but still I show the error
./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect --controller=0.0.0.0:xxxx
Authenticating against security realm: ManagementRealm
Username: xxxx
Password:
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-saml-adapter-subsystem not found",
"rolled-back" => true
}
-
16. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 19, 2018 12:16 PM (in response to claudio4j)
I actually created the layers.conf file by using the below doc:
[KEYCLOAK-5185] WildFly Overlay not working due to missing layers.conf - JBoss Issue Tracker
It's created under Wildfly_Home/Modules
Content is layers=keycloak.
But now removed that .conf file
Ran the below jboss.cli command, but it is still showing the error
./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect --controller=0.0.0.0:xxxx
Authenticating against security realm: ManagementRealm
Username: xxxx
Password:
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-saml-adapter-subsystem not found",
"rolled-back" => true
}
-
17. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 19, 2018 2:00 PM (in response to wildfly1)
Are you using the keycloak server or the keycloak overlay? If using the overlay, is there a need for that?
That doc about using layers.conf is for when you have an existing wildfly installation and want to reuse it to install the keycloak binaries and turn it into a keycloak server, but that is not a recommended solution for production.
The keycloak binary adapters should be unzipped in the wildfly directory, not the keycloak server directory.
What are the paths for the wildfly and keycloak server? And in which one are you unzipping the adapters?
-
18. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 19, 2018 2:08 PM (in response to claudio4j)
Hi Claudio,
I have installed the keycloak saml adapters, unzipped the file and ran jboss-cli.sh, and it was successful this time:
Not sure what I have to do for the next step.
{
"outcome" => "success",
"result" => [("keycloak-saml" => "1.1.0")]
}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
-
19. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 19, 2018 2:53 PM (in response to wildfly1)
The cli script already adds a realm KeycloakSAMLRealm, a security domain KeycloakDomain, and http-authentication-factory=keycloak-http-authentication, for your application to use as an example.
But I recommend reading the SAML chapter of the keycloak documentation to see how to fine tune it for your applications.
https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
-
20. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 19, 2018 3:09 PM (in response to claudio4j)
I have seen that document.
I have configured IDP related info on the keycloak admin console
and installed the Keycloak saml adapters on the wildfly server.
Now I have to do the application related configurations for single sign on.
No idea where to start.
Do I have to take any file from the keycloak admin console and copy that file to the wildfly server?
Or any other stuff to do?
-
21. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 20, 2018 10:10 AM (in response to wildfly1)
I recommend the keycloak forums.
-
22. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 25, 2018 12:00 PM (in response to claudio4j)
Hello Miranda,
https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html
Do you know that this section 4.2.1.2 is a part of single sign on configuration?
Thanks,
Lily
-
23. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 25, 2018 2:40 PM (in response to wildfly1)
> Do you know that this section 4.2.1.2 is a part of single sign on configuration?
Yes, it deals with the installation of the keycloak adapter binaries to a wildfly appserver and how to configure an application to use keycloak sso.
-
24. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 25, 2018 2:45 PM (in response to claudio4j)
That's where I am stuck, securing the app by using the keycloak saml adapters.
-
25. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 25, 2018 2:52 PM (in response to wildfly1)
See the section related to SAML https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jboss-adapter.html
-
26. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 25, 2018 3:03 PM (in response to claudio4j)
Thanks for sharing the doc.
I wanna take this option "Securing WARs via Keycloak SAML Subsystem"
we need to configure this instance's .xml file
<extensions>
    <extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
</extensions>
<profile>
    <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
        <secure-deployment name="WAR MODULE NAME.war">
            <SP entityID="APPLICATION URL">
                ...
            </SP>
        </secure-deployment>
    </subsystem>
</profile>
From the above content, which is given in the document, I did not get this thing from the lines:
"The secure-deployment name attribute identifies the WAR you want to secure. Its value is the module-name defined in web.xml with .war appended."
Do I have to put like this </secure-deployment> "sample.war" </secure-deployment> or </secure-deployment> "sample.war"
Sample.war is the deployment file which I have deployed on the wildfly instance.
-
27. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 25, 2018 3:17 PM (in response to wildfly1)
Also above is 1st doubt and my other doubts on this
You do not have to crack open a WAR to secure it with Keycloak. Alternatively, you can externally secure it via the Keycloak SAML Adapter Subsystem. While you don't have to specify KEYCLOAK-SAML as an auth-method, you still have to define the security-constraints in web.xml. You do not, however, have to create a WEB-INF/keycloak-saml.xml file. This metadata is instead defined within the XML in your server's domain.xml or standalone.xml subsystem configuration section.
(2nd doubt)
(2) Do I have to define security-constraints in web.xml?
(2.a) In that case there is no need to create the keycloak-saml.xml file?
(2.b) If I have to create the keycloak-saml.xml file, from where, and what content needs to be in this keycloak-saml.xml file?
(3rd doubt)
(3) Which metadata is already defined in the standalone.xml file of the wildfly instance?
(3.a) As it's already defined, there is no need to define security-constraints in web.xml?
(3.b) There is no need to create the keycloak.xml file under the WEB-INF folder
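
The documentation passage quoted in the two posts above, laid out as configuration. This is an added example, not part of the thread or of the Keycloak documentation; sample.war comes from the post, while the host names, the realm name demo, the role name user and the certificate body are constructed placeholders.

```xml
<!-- standalone.xml, inside <profile>: the keycloak-saml subsystem.
     All URLs, the realm "demo" and the certificate are placeholders. -->
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
    <!-- "name" is an attribute: the WAR's module-name with .war appended -->
    <secure-deployment name="sample.war">
        <!-- entityID must equal the SAML client ID registered in Keycloak;
             sslPolicy="EXTERNAL" requires HTTPS for non-local requests -->
        <SP entityID="https://app.example.test/sample/" sslPolicy="EXTERNAL">
            <IDP entityID="idp">
                <!-- reject assertions whose signature does not verify -->
                <SingleSignOnService requestBinding="POST"
                                     validateResponseSignature="true"
                                     bindingUrl="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
                <Keys>
                    <!-- realm signing certificate used for the check above -->
                    <Key signing="true">
                        <CertificatePem>PLACEHOLDER-REALM-CERTIFICATE-PEM</CertificatePem>
                    </Key>
                </Keys>
            </IDP>
        </SP>
    </secure-deployment>
</subsystem>

<!-- WEB-INF/web.xml inside sample.war: still required, because it says
     which URLs need an authenticated user. No WEB-INF/keycloak-saml.xml
     is created in this mode; the SP block above replaces it. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>user</role-name>
</security-role>
```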
-
28. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
wildfly1 Jun 27, 2018 10:59 AM (in response to wildfly1)
Hello Claudio,
When I was trying to open the keycloak admin console
I'm getting the below error
This site can’t be reached
ERR_CONNECTION_TIMED_OUT
-
29. Re: How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
claudio4j Jun 27, 2018 3:03 PM (in response to wildfly1)
Hi Lilly, I am not familiar enough with keycloak to tell you about the SAML adapter config; the keycloak mailing list would be more useful for you
keycloak-user | Mailing List Archive
As for the error going to the keycloak admin console, it says the client browser can't reach the target hostname and port. From the console prompt, can you ping the keycloak server address and port with netcat?