Problem :
I use Keycloak 19.0.1 behind a proxy (nginx) and wasn't able to connect to the admin part of keycloak.
With a reverse proxy nginx and keycloak, login in admin console lead to be blocked on :
/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console ....
With a 204
return code and no other errors.
Solution :
I had to explore keycloak source code to find the cause ; This test failed in keycloak.js : if ((event.origin !== loginIframe.iframeOrigin)
in keycloak.js
After a (lot of) time of search, it appears that it compares : https://mydomain/keycloak
and https://mydomain:443/keycloak
because I'd setup hostname-port
to 443
in keycloak.config.
My keycloak configuration :
hostname=mydomain
proxy=reencrypt
hostname-strict=false
hostname-port=443
hostname-path=keycloak
http-relative-path=keycloak
hostname-admin-url=https://mydomain/keycloak
So keycloak build his URL as follow : https://mydomain:443/
And the browser send : https://mydomain/
as 443 is a default port and not displayed in the URL.
By removing the port, it works perfectly :
#hostname-port=443
I open a discussion to improve documentation here
Problem :
I tried to connect Broadcom Introscope 10.7 and SAML given by Keycloak.
Based on these documents :
Well not enough to make it works.
Solution :
Thanks to remote debug mode, the key is that the callback URL is :
https://<webview url>/saml.jsp
Search for saml.jsp + introscope on google. Good luck.
Here are the steps (assuming that you already have a keycloak realm up and ready) :
Step 1 : IntroscopeEnteprise.properties
introscope.saml.enable=true
introscope.saml.request.binding=POST
introscope.saml.idpUrl=<URL_KEYCLOAK>/realms/<your realm>/protocol/saml
introscope.saml.issuer=com.ca.apm.webview.serviceprovider
introscope.saml.webstart.issuer=com.ca.apm.webstart.serviceprovider
introscope.saml.em.issuer=com.ca.apm.em.serviceprovider
introscope.saml.principalAttributeName=principalName
introscope.saml.groupsAttributeName=groups
introscope.saml.webstart.tokenTimeoutInSeconds=60
introscope.saml.internalIdp.enable=false
# introscope.saml.internalIdpUrl=http://localhost:8080/idp/profile/SAML2/POST/SSO
Step 2 : Keycloak configuration
- Create a client named as
introscope.saml.issuer
so in our case : com.ca.apm.webstart.serviceprovider
- Enter the callback URL in
Master SAML Processing URL
: https://<webview url>/saml.jsp
Step 3 : Certificates
You should secure you communication between Introscope and Keycloak :
- Provide HTTPS for Keycloak
- Provide HTTPS for Introscope
- Sign information in Keycloak client
- Import Keycloak key in a JKS truststore for Java (Webview part). Keycloak client certificate are in the client definition, tab “Keys”.
- Follow Official guide to create the JKS
- Point to this truststore (example : spprivatekey.jks) - next steps.
Step 4 : IntroscopeWebview.properties:
apm.webview.saml.sp.truststore=/path/to/spprivatekey.jks