This project forked from keycloak/keycloak
Open Source Identity and Access Management For Modern Applications and Services
Home Page: https://www.keycloak.org
License: Apache License 2.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
KC should be able to uniquely idenify users that authenticate via IdPs that release one or more of the following users identifiers:
SAML Client import - add md:RequestedAttribute as "User Attribute" ProtocolMapper
Jira issue : https://issues.redhat.com/browse/KEYCLOAK-16048
PR : keycloak#7537
That's the repo.
https://github.com/eosc-kc/fedservice
However, the python code was found to be useless in our case, because it's not aligned with the latest version of the oidc federation spec.
We coded - following a similar approach - the needed RP and Intermediate parties, which can be found here:
https://github.com/eosc-kc/oidc-federation-entities
Support filtering of entities imported from SAML aggregates by whitelisting/blacklisting entityIds. The realm admin should be able to supply whitelists/blacklists through the SAML aggregate configuration UI.
Realm administrator should be able to update the current Acceptable Use Policy (AUP or Terms & Conditions).
We need to test SAML federation approach 1 in HA mode. It may be required to extend caching mechanism to properly support HA.
Last resort: Disable cache for entities only?
Test VMs:
The keycloak instance implementing the 1st federation approach can be found here:
https://eosc-kc.aai-dev.grnet.gr
It has two realms, the "master" and the "EOSC".
We should now register it in eduGAIN federation.
Extend SAML aggregate periodic update task to refresh configuration of existing IdPs
Finalise PY1 version of SAML Federation Design document:
https://docs.google.com/document/d/14iM1GMArbxKqageLzViCn6N2qYRebrOveaRk5cTLT0Q/edit
Realm admins should be able to disable automatic updates for specific entities.
Two approaches:
This approach will not require extending the existing SAMLIdentityProvider implementation
When configuring a SAML metadata aggregate it should be possible to specify filters for including and/or excluding entities based on:
=== 1 Entity category filtering
Example for including REFEDS R&S, GEANT DPCoCo and Sirtfi
Attribute Name="http://macedir.org/entity-category-support"
Attribute value=[
"http://refeds.org/category/research-and-scholarship",
"http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
]
Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
Attribute value=[
"https://refeds.org/sirtfi"
]
=== 2 Entity type
=== 3 Entity type
To filter entities based on their identity federation it should be possible to specify include/exclude lists for matching the registrationAuthority. E.g.
<mdrpi:RegistrationInfo values: [
Realm administrator should be able to configure the periodic renewal of the current Acceptable Use Policy (AUP or Terms & Conditions). Effectively, users will be required to renew their acceptance of the AUP following the configured period (e.g. every 12 months). Users who don't renew their acceptance should be put in grace period after which they should be removed from the user database (or set their status to expired)
Import federation url and Idps type, parse xml from url and return a IdPs list.
In a previous telco, i performed a short demonstration of our OP-enabled keycloak, along with a simple RP and a set of dummy intermediates, just to showcase how a oidc client can be registered to keycloak using the "explicit registration" described in the oidc federation specification. The relying party and the federation intermediates were setup with the use of https://github.com/eosc-kc/oidc-federation-entities
In linked Account ui a same filter as login page must be created
theme/keycloak.v2/account/src/app/content/linked-accounts-page/LinkedAccountsPage.tsx file
Need to add new rest endpoints, interfaces and abstract classes to allow importing a federation into a realm.
Need to extend the keycloak's current db model to hold saml federation properties.
Create the federation entity, with a one-to-many relationship with IdentityProviderEntity and a many-to-one relationship with the RealmEntity
create entitiy, relationships
create a changeset for the database changes
Proposed fields :
String url
String alias
String providerId ( saml-federation or oidc-federation )
Integer updateEveryHours
Integer totalIdps
Integer addedIdps
Long created
Long lastUpdated
RealmEntity realm
Set skipEntities
Set erroneousEntities ( entities that failed to add in database)
Test VM: cappakleis2.aai-dev.grnet.gr
When Keycloak start application check for existing federations. For each federation a task is created for update related idps.
The issue is defined here:
https://issues.redhat.com/browse/KEYCLOAK-15432
and here:
https://groups.google.com/g/keycloak-dev/c/CSIrOwLINQw
Jira issue : https://issues.redhat.com/browse/KEYCLOAK-15472
Related to keycloak-dev conversation : https://groups.google.com/g/keycloak-dev/c/IoGF_H1JLiU
PR : keycloak#7618
Keycloak must support expired OIDC Client
PR : keycloak#7111
KEYCLOAK-14304 jira issue
Send a federation url,the IdPs type, an alias name for the federation , a "refresh every X hours" parameter and an idp skip-list (entityID list). This will result into having the federation along with its IdPs saved into the database.
Documentation https://github.com/keycloak/keycloak-community/blob/master/design/keycloak.x/configuration.md
Keycloak x blog: https://www.keycloak.org/2020/12/first-keycloak-x-release.adoc
Althoug Keycloak.X is the future, current version is a preview distribution.
Jira issue : https://issues.redhat.com/browse/KEYCLOAK-16014
PR : keycloak#7521
Keycloak dev discussion : https://groups.google.com/g/keycloak-dev/c/96lInALd_lQ
Specify one or more SAML IdPs with dedicated login button.
Based on discussion in https://issues.redhat.com/browse/KEYCLOAK-5657.
PR: keycloak#7806
Keycloak does not allow controlling theAllowCreate (see Section 3.4.1.1 in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) in AuthN requests. The IdentityProvider configuration needs to be extended to allow overriding the current behaviour which is not consistent with the SAML core spec where AllowCreate defaults to false.
Attribute providers include external API servers and databases.
Investigate if these attribute providers can be implemented as User Storage Providers (KC currently supports LDAP and Active Directory)
Once "WIP" is removed from the PR title, all developers (apart from the commiter) should be assigned as PR reviewers
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
