Bug #26449

[keycloak] Unable to generate the initial configuration for SAML authentication if keycloak user needs OTP

Added by Nikhil Kathole about 1 year ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Authentication
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Unable to generate the initial configuration for SAML authentication as per https://www.theforeman.org/2018/06/using-saml-for-single-sign-on-to-foreman-through-keycloak.html if the Keycloak user needs OTP.

Steps:

1. Create a user in Keycloak.
2. Configure mobile authenticators for OTP.
3.
    KEYCLOAK_URL=https://sso.example.com
    KEYCLOAK_REALM=Example
    KEYCLOAK_USER=admin

    keycloak-httpd-client-install \
      --app-name foreman \
      --keycloak-server-url $KEYCLOAK_URL \
      --keycloak-admin-username $KEYCLOAK_USER \
      --keycloak-realm $KEYCLOAK_REALM \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      --client-originate-method descriptor \
      --mellon-endpoint saml2 \
      -l /saml2 \
      -l /users/extlogin \
      --tls-verify false

Error:

[Step 1] Connect to Keycloak Server
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
InvalidGrantError: (invalid_grant) Invalid user credentials


Related issues

Related to Foreman - Tracker #28345: SSO using OpenID Connect (New)

History

#1 Updated by Rahul Bajaj 4 months ago

#2 Updated by Rahul Bajaj 3 months ago

  • Status changed from New to Closed

We are supporting only OpenID Connect for implementing SSO as of now; therefore, SAML configurations will not be in the picture :) Closing this issue as NOT A BUG. Feel free to open the issue if you feel otherwise.
