opensingular / singular-keycloak-database-federation

Keycloak User Storage SPI for Relational Databases (Keycloak User Federation, supports postgresql, mysql, oracle and mysql)
Apache License 2.0

Using singular-keycloak-database-federation with external saml IdP #28

Open KDMRyanT opened 2 years ago

KDMRyanT commented 2 years ago

Hello,

I'm currently working on a project for keycloak utilizing singular-keycloak-database-federation. I'll explain the setup.

I have user federation set up in a single realm - I'll call it users-apps. Inside this realm is User federation set up to our postgres database. I also have a saml IdP set up to site https://samltest.id for testing. Of the testing users, 1 user exists in our user federation. And here is the problem with that setup... on checking in user federation, the user is found, however it does not let the user in, why? Error is username or password error. Two problems there - one, I don't have a valid hash or bcrypt in the database; there are values in our database, but on doing queries, or taking the user's password from the IdP and crypting it as bcrypt to see if there is a match, there is no match.

So the first question I have with this is, can singular-keycloak-database-federation be configured to skip checking the password crypt in keycloak? I would like to avoid this error happening... is it possible? Is this related to the first login flow or the authentication flow in general? Is there a flow that could be established to check that the user exists but not confirm the valid password set when logging in at the IdP?

2022-11-06T18:12:43.747638906Z 2022-11-06 18:12:43,747 WARN [org.keycloak.events] (executor-thread-4207) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=unified-realm, clientId=e62216a7-5af9-4a25-8326-43e78e207703, userId=null, ipAddress=172.21.0.1, error=invalid_user_credentials, identity_provider=samltest.id, auth_method=openid-connect, redirect_uri=http://openid-connect-client3.mykdm.dev.local:3001/cb, identity_provider_identity=rick, code_id=eca55026-39d1-4c24-b8f5-38fcdc28dc26, authSessionParentId=eca55026-39d1-4c24-b8f5-38fcdc28dc26, authSessionTabId=ajUbfcsbtJQ

The user above doesn't exist in our database - therefore invalid username/password is correct error.

2022-11-06T18:11:22.372738086Z 2022-11-06 18:11:22,372 WARN [org.keycloak.events] (executor-thread-4190) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=unified-realm, clientId=63ce37f4-6473-4c88-8d7f-29430675bb56, userId=null, ipAddress=172.21.0.1, error=invalid_user_credentials, identity_provider=samltest.id, auth_method=openid-connect, redirect_uri=http://openid-connect-client3.mykdm.dev.local:3001/cb, identity_provider_identity=morty, code_id=a6e4e304-2c27-4e08-94d2-dd3896f5f44d, authSessionParentId=a6e4e304-2c27-4e08-94d2-dd3896f5f44d, authSessionTabId=y7vTsN0CkY8

This user above "DOES" exist in our database - however on keycloak check of password - it fails.

Another point with the setup - in federation - I have explicitly blanked out the section of hash_pwd returned from the database - there is no value there. However, looking directly at the user in keycloak and seeing the credentials:

Supported User Storage Credential Types

| Type | Provided By |
| --- | --- |
| password | kdm-postgres-dev |

Which it isn't, because it's blank.

Any help on this would be greatly appreciated. I would like to figure out how I can get the IdP user through to the client application without checking the stored password, if possible.

Thanks Ryan
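The "password | kdm-postgres-dev" row in the credentials tab comes from Keycloak asking each user storage provider `isConfiguredFor(realm, user, "password")`; a provider that answers true unconditionally is listed as providing a password even when the `hash_pwd` column is blank. The re-authentication prompt itself comes from the realm's first broker login flow ("Verify Existing Account By Re-authentication"), which calls the provider's `isValid`, so the provider can only decide what counts as a valid password, not skip the step. The class below is an added example and not code from singular-keycloak-database-federation: it implements the Keycloak `CredentialInputValidator` SPI so that a blank hash is reported as "no password configured" and is never accepted. The `HashLookup` interface and the `example` package are hypothetical stand-ins for the project's own SQL lookup, and the bcrypt check uses jBCrypt (`org.mindrot.jbcrypt.BCrypt`), which is an assumption since Keycloak does not bundle bcrypt.

```java
// Added example (not part of singular-keycloak-database-federation).
// Shows how the Keycloak User Storage SPI reports and validates the
// "password" credential type for a user whose hash lives in a database.
package example; // hypothetical package name

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt; assumed dependency, not shipped with Keycloak

public class DbPasswordValidator implements UserStorageProvider, CredentialInputValidator {

    /** Hypothetical lookup of the hash_pwd column; returns null or "" when the column is blank. */
    public interface HashLookup {
        String hashFor(String username);
    }

    private final HashLookup lookup;

    public DbPasswordValidator(HashLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    /**
     * Keycloak calls this to fill "Supported User Storage Credential Types".
     * Only claim to provide a password when a non-blank hash actually exists,
     * so a blanked-out hash_pwd no longer shows up as "password | provider".
     */
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (!supportsCredentialType(credentialType)) {
            return false;
        }
        String hash = lookup.hashFor(user.getUsername());
        return hash != null && !hash.isBlank();
    }

    /**
     * Called by the password form and by the first broker login
     * re-authentication step. A blank or non-bcrypt value is rejected
     * instead of being compared, so an empty column can never match.
     */
    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;
        }
        String hash = lookup.hashFor(user.getUsername());
        if (hash == null || hash.isBlank()) {
            return false; // no stored hash: fail closed
        }
        String supplied = input.getChallengeResponse();
        if (supplied == null || !hash.startsWith("$2")) {
            return false; // expect a bcrypt modular-crypt string ($2a$, $2b$, $2y$)
        }
        try {
            return BCrypt.checkpw(supplied, hash);
        } catch (IllegalArgumentException e) {
            return false; // malformed salt or hash in the database
        }
    }

    @Override
    public void close() {
        // nothing to release; the lookup owns its own connection handling
    }
}
```

With this shape, a user whose `hash_pwd` is blank is not listed as having a provider-supplied password, and any re-authentication against that user fails closed rather than comparing against an empty string; whether the brokered login prompts for a password at all is decided by the first broker login flow in the realm's authentication settings, not by the provider.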