I’m trying to get Keycloak user authentication to work with a Yubikey. Unfortunately, I’m a little out of my depth here and would be grateful for some advice.
I’m assuming that I need to use the x509 browser flow, so I’ve been following the instructions here:
https://www.keycloak.org/docs/6.0/server_admin/#_x509. I’ve also been following this blog post:
https://sjhiggs.github.io/fuse/sso/x509/smartcard/2017/03/29/fuse-hawtio-keycloak.html
When logging into Office365, my login page provides a button for selecting a certificate. When my Yubikey is plugged in, the cert is available from a selection popup. I can then select it, enter my PIN, and then I’m authenticated and can access my email.
Is this the same as I can expect with Keycloak? In the blog post above, the author mentions this: “the end user is redirected to the Keycloak login page. The user is asked to select a certificate, and then the user/cert confirmation page is displayed.” That sounds like the same thing.
When I set up the ‘X509/Validate Username Form’ execution as Alternative, nothing happens (it simply goes to the username and password page, and there isn’t anything in the logs), and when I set it to Required, I simply get an error message saying wrong username and password.
I’m testing this from a Docker container running locally (so using a self-signed cert).
Thanks in advance.
C