grnet / eidas-keycloak-extension

Keycloak Identity Provider Extension which supports the extended SAML v2.0 dialect of the European Union eIDAS Nodes.
Apache License 2.0

Missing eIDAS SAML Extensions Config options #2

Open t0pito23 opened 1 year ago

t0pito23 commented 1 year ago

Hello,

First of all, thank you for your good work.

I am working on a project to integrate the Spanish public identity provider Cl@ve (using SAML 2.0 - eIDAS) with our private services.

To familiarise myself with the environment, I am following the steps mentioned in the howto guide.

I find that I don't see the "eIDAS Specific Settings" that you refer to.

I have tried the following versions:

In both cases I have the same problem, so I'm not even able to complete the basic configuration steps.

Regards.


d-michail commented 1 year ago

Hi,

Indeed, starting from version 19 the config options are not rendered. This is due to a change (probably a bug) in Keycloak where the partial ftl templates are not found in the classpath. We will open an issue in Keycloak in the next few days. Sorry for that, but the last few versions of Keycloak are not really backward compatible.

t0pito23 commented 1 year ago

Thank you very much for your quick response. Until then I will try lower versions of Keycloak.

Regards.

t0pito23 commented 1 year ago

Hello Michail,

I finally managed to configure your extension with Keycloak 17.0.1.

Now I have the following problem: when I try to log in through eIDAS, Keycloak redirects me to the Spanish public identity provider. It shows me an error because it requires the HTTP header "Referer" in the request, but for some unknown reason Keycloak is always setting the Referrer-Policy to "no-referrer", and therefore this header is not added.

This may not be directly related to the extension, but I'm just mentioning it in case you've run into this problem, or something similar.

Best regards.

d-michail commented 1 year ago

It should also work fine with Keycloak 18.

For the no-referrer issue, I have not seen it before, and it seems related to Keycloak and not necessarily the extension.

Perhaps these are of value:

BelonaIJG commented 1 year ago

Hi, I don't know if you finally resolved the Referer header issue @t0pito23. But if you did and you continued the integration with Cl@ve, could you tell me whether you managed to solve it? I'm working on the same integration.

Thanks

BelonaIJG commented 1 year ago

Hi, for the future people... It can be done. It needs a few adjustments, but it can be done.

Here is some advice:

  • Add the certificate (as d-michail explained)
  • Add the referer (configurable in Keycloak)
  • Add the ProviderName (required in Cl@ve)
  • Create your own Authenticator flow for the First Login; it will be basic if you have to check the users in your own DB or system.
  • Use the ClientNotes in the session to pass data and use it later.
  • Be patient, it is not an easy task.

Good luck.

cesarcoruna commented 1 month ago

I have tried this extension with KC 23.074 and 24.0.5 and I can't view the SAML Extensions Config options.

cesarcoruna commented 1 month ago

> Hi, for the future people... It can be done. It needs a few adjustments, but it can be done.
>
> Here is some advice:
>
>   • Add the certificate (as d-michail explained)
>   • Add the referer (configurable in Keycloak)
>   • Add the ProviderName (required in Cl@ve)
>   • Create your own Authenticator flow for the First Login; it will be basic if you have to check the users in your own DB or system.
>   • Use the ClientNotes in the session to pass data and use it later.
>   • Be patient, it is not an easy task.
>
> Good luck.

I'm trying to use this extension to integrate Cl@ve in Keycloak. Have you got it working?

BelonaIJG commented 1 month ago

> > Hi, for the future people... It can be done. It needs a few adjustments, but it can be done. Here is some advice:
> >
> >   • Add the certificate (as d-michail explained)
> >   • Add the referer (configurable in Keycloak)
> >   • Add the ProviderName (required in Cl@ve)
> >   • Create your own Authenticator flow for the First Login; it will be basic if you have to check the users in your own DB or system.
> >   • Use the ClientNotes in the session to pass data and use it later.
> >   • Be patient, it is not an easy task.
> >
> > Good luck.
>
> I'm trying to use this extension to integrate Cl@ve in Keycloak. Have you got it working?

Morning, yes, it worked over a year ago and it continues working today. A really hard job to make it work, lots of debugging, line by line. I must say I used an old KC version, 15.0.0.

cesarcoruna commented 1 month ago

> > > Hi, for the future people... It can be done. It needs a few adjustments, but it can be done. Here is some advice:
> > >
> > >   • Add the certificate (as d-michail explained)
> > >   • Add the referer (configurable in Keycloak)
> > >   • Add the ProviderName (required in Cl@ve)
> > >   • Create your own Authenticator flow for the First Login; it will be basic if you have to check the users in your own DB or system.
> > >   • Use the ClientNotes in the session to pass data and use it later.
> > >   • Be patient, it is not an easy task.
> > >
> > > Good luck.
> >
> > I'm trying to use this extension to integrate Cl@ve in Keycloak. Have you got it working?
>
> Morning, yes, it worked over a year ago and it continues working today. A really hard job to make it work, lots of debugging, line by line. I must say I used an old KC version, 15.0.0.

I'd be very grateful if you could explain more about how to configure this extension to support Cl@ve. I've searched for information about that, but I didn't manage to find anything useful.