Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-27065

[QA](8.0.z) s2i Keycloak SAML integration - RequiredActions configuration prevents automatic registration of clients

XMLWordPrintable

    • False
    • None
    • False
    • Documentation (Ref Guide, User Guide, etc.), Migration, Compatibility/Configuration, User Experience
    • Regression
    • ?
    • Workaround Exists
    • Hide

      Set all the required actions to "false" when creating the realm.

      Show
      Set all the required actions to "false" when creating the realm.
    • Hide

      1. Deploy a Keycloak instance
      2. create one SAML realm
      3. deploy a WildFly/EAP application service that connects to the Keycloak instance and sets the env variables for creating the client automatically, e.g. SSO_USERNAME and SSO_PASSWORD
      4. the WARN message about the failed client creation appears in the WildFly/EAP application pod logs.

      Show
      1. Deploy a Keycloak instance 2. create one SAML realm 3. deploy a WildFly/EAP application service that connects to the Keycloak instance and sets the env variables for creating the client automatically, e.g. SSO_USERNAME and SSO_PASSWORD 4. the WARN message about the failed client creation appears in the WildFly/EAP application pod logs.

      WildFly/EAP s2i process has a feature which is related to securing resources via Keycloak/RHBK SSO SAML integration. When some environment variables are set, the WildFly/EAP instance will create a SAML client automatically on Keycloak when connecting the Keycloak resource for the first time.

      We have a test that started failing soon after migrating from RHSSO to RHBK. The test fails because the automatic registration of client doesn't happen, and this is eventually due to the fact that the realm defines a set of required actions - e.g.: verify email, or profile information - on first access. Such actions must be conigured to be optional for the test to work again.

      If this is confirmed, then it should be evaluated what can be done on the WildFly/EAP side. Probably the s2i scripts can't do much on an already created realm, so this should be at least documented. Or maybe the s2i scripts can use the admin REST APIs to perform the additional configuration (i.e. set all the required actions to false), although this seems a bit out of concern.

      BTW this is related to RHBK-1407

            jdenise@redhat.com Jean Francois Denise
            fburzigo Fabio Burzigotti
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: