RHSSO Posts

Reading Original IP on Keycloak when Installed Behind a Reverse Proxy

Keycloak, or Red Hat Single SignOn, have the capability of capturing ip of every request which are connected to it. But there are scenarios where Keycloak is located behind a reverse proxy, and Keycloak would capture reverse proxy’s ip instead of original requestor IP.

The workaround is actually quite simple although can be at different xml files depends on your server , can add below configuration on default-server tag.

<server name="default-server">
	<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"
		proxy-address-forwarding="true" />
	<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"
		proxy-address-forwarding="true" />
	<host name="default-host" alias="localhost">
		<location name="/" handler="welcome-content"/>
		<http-invoker security-realm="ApplicationRealm"/>
	</host>
</server>
Google+

Fixing Error “null username” when Integrating RedHat Single Sign On to Active Directory

Previously never had any issue when integrating RedHat SSO (Keycloak) to LDAP, but now got a very weird issue because now im trying to connecting RHSSO to Microsoft Active Directory instead of standard LDAP.

One biggest difference is that ActiveDirectory is using “sAMAccountName” field for user primarykey mapping, and somehow RHSSO is always get null value when trying to synchronize with existing user. Below is the complete stacktrace.

11:59:45,031 ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-122) Failed during import user from LDAP: 
org.keycloak.models.ModelException: User returned from LDAP has null username! 
Check configuration of your LDAP mappings. Mapped username LDAP attribute: sAMAccountName, 
user DN: CN=XXX,OU=User,OU=HO,DC=llll,DC=co,DC=id, attributes from LDAP: 
{whenChanged=[20191016020643.0Z], whenCreated=[20170105023800.0Z], mail=[xxx@lll.co.id], givenName=[cccc], sn=[dddd], cn=[ccccc dddd], userAccountControl=[512], pwdLastSet=[132156652033202194]}
	at org.keycloak.storage.ldap.LDAPUtils.getUsername(LDAPUtils.java:113)
	at org.keycloak.storage.ldap.LDAPStorageProviderFactory$3.run(LDAPStorageProviderFactory.java:542)
	at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
	at org.keycloak.storage.ldap.LDAPStorageProviderFactory.importLdapUsers(LDAPStorageProviderFactory.java:535)
	at org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncImpl(LDAPStorageProviderFactory.java:490)
	at org.keycloak.storage.ldap.LDAPStorageProviderFactory.sync(LDAPStorageProviderFactory.java:428)
	at org.keycloak.services.managers.UserStorageSyncManager$2$1.call(UserStorageSyncManager.java:107)
	at org.keycloak.services.managers.UserStorageSyncManager$2$1.call(UserStorageSyncManager.java:102)
	at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:78)
	at org.keycloak.services.managers.UserStorageSyncManager$2.run(UserStorageSyncManager.java:102)
	at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
	at org.keycloak.services.managers.UserStorageSyncManager.syncAllUsers(UserStorageSyncManager.java:92)
	at org.keycloak.services.resources.admin.UserStorageProviderResource.syncUsers(UserStorageProviderResource.java:142)
	at sun.reflect.GeneratedMethodAccessor891.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)

It turns out that i have to mapping “sAMAccountName” field to username. Can find the complete screenshot below,

Cheers (^)

Google+