Hi,
I am having trouble getting both LDAPS for user federation and external Identity Providers working. I am running the following:
KeyCloak - Running in Docker using jboss/keycloak image
Directory - Windows Server 2019 Active Directory (LDAPS enabled with internal CA signed cert)
Identity Providers - Google & Microsoft
I had both Identity Providers working and Flows configured as desired (First, Keycloak attempts to match the federated user by the ‘mail’ attribute; if not found, then the user is presented with a login form to bind the identity)
I initially started using simple LDAP for User Federation but needed to be able to reset credentials via Keycloak, so I needed LDAPS. After a lot of headache, I finally got that working. I found several methods using ENV to point to the truststore but I could not get that working. Ultimately, I got LDAPS working the following way:
- Copy current standalone-ha.xml from container to host under ./data/standalone-ha.xml
- Add the following to standalone-ha.xml
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="/opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks"/>
            <property name="password" value="somepassword"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
- Mount the following volumes in docker-compose.yml
volumes:
  - ./data/certs:/opt/jboss/keycloak/standalone/configuration/keystores
  - ./data/standalone-ha.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
- Restart the container
- Copy both the AD Server and CA certs (base64 format) into ./data/certs
- Inside the container, import both certs into the truststore.jks using the following:
keytool -import -alias domain.com -file ca.domain.cer -keystore truststore.jks
keytool -import -alias ds.domain.com -file ds.domain.cer -keystore truststore.jks
- Restart the container
After completing those steps, LDAPS is now working and users can manage credentials via Keycloak; however, now Identity Providers are broken. When I try to login using Google as the Identity provider, I am properly redirected to the Google login screen, but once I successfully authenticate with Google, I am taken back to Keycloak with an error saying “Unexpected error when authenticating with identity provider”
In the logs, I see a similar error to what I was previously seeing when LDAPS was not working:
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-3) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If I remove the mount for standalone-ha.xml (thus removing the truststore spi entries), identity providers work again, but LDAPS fails with a similar complaint about the certificate.
My assumption is that without providing a truststore, keycloak is trusting certs signed by well-known CAs (as provided by the Google and Microsoft identity providers) but once I provide the truststore (in order to trust my internal PKI certs as provided by LDAPS) that serves as the ONLY certificates keycloak trusts. I must be doing something wrong here but cannot figure out what.
EDIT: As an additional note, I do not have HTTPS enabled on keycloak. I am using Traefik to reverse proxy and handle HTTPS and TLS certs
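Added example, not from the original post: a POSIX shell script that builds the truststore.jks referenced in the configuration above by first copying the JVM's own cacerts bundle and then importing the internal CA and LDAPS server certificates, so the truststore handed to the truststore SPI trusts both public IdP endpoints and the internal PKI. It assumes a JDK keytool is on PATH, that the JDK cacerts uses the default password changeit, and that the resulting file is placed under ./data/certs with the password from standalone-ha.xml.

```shell
#!/bin/sh
# Build a Keycloak truststore that contains the JVM's default public CAs
# (needed for the Google/Microsoft OAuth callbacks) plus the internal AD CA
# and LDAPS server certificate (needed for user federation over LDAPS).
# Assumption: keytool and java from a JDK are on PATH.
set -eu

# Locate the JDK's default CA bundle (assumes the standard JDK directory layout).
jvm_cacerts() {
  java_home="${JAVA_HOME:-$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")}"
  for f in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
    [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
  done
  echo "cacerts not found under $java_home" >&2
  return 1
}

# build_truststore OUT PASSWORD CERT...
# Starts from a copy of cacerts (re-keyed to PASSWORD), then imports each
# PEM/DER certificate file as a trusted entry whose alias is the file name
# without its extension (e.g. ca.domain.cer -> ca.domain).
build_truststore() {
  out="$1"; pass="$2"; shift 2
  src="$(jvm_cacerts)"
  keytool -importkeystore -noprompt \
    -srckeystore "$src" -srcstorepass changeit \
    -destkeystore "$out" -deststorepass "$pass" -deststoretype JKS >/dev/null 2>&1
  for cert in "$@"; do
    alias="$(basename "$cert" | sed 's/\.[^.]*$//')"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
      -keystore "$out" -storepass "$pass" >/dev/null 2>&1
  done
}

# count_entries OUT PASSWORD: number of trusted entries, to confirm the merge
# really carried the public CAs over (a bare internal-only store has 1 or 2).
count_entries() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c 'trustedCertEntry'
}

# has_alias OUT PASSWORD ALIAS: succeeds if ALIAS is present in the store.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage matching the post's layout (run before restarting the container):
#   build_truststore ./data/certs/truststore.jks somepassword ca.domain.cer ds.domain.cer
```

Check the result with count_entries; if it reports only the certificates you imported, the cacerts copy step did not run and public CAs are still untrusted.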