KEYCLOAK-13817

X509 authentication fails when attribute value is always read from LDAP and import is enabled

    Details

    • Steps to Reproduce:
      1. Create a new realm
      2. Create a new Authentication flow with only one authenticator/execution: X509/Validate Username Form (set as required)
      3. Configure the authenticator
        1. set "User Identity Source" to "Full Certificate in PEM format"
        2. set "A name of user attribute" to "usercertificate"
        3. save configuration
      4. Set the authentication flow binding for "Browser flow" to the newly created flow
      5. Add a new client to the realm
      6. Add a LDAP user federation provider
        1. configure provider
        2. enable import
        3. add a mapper
          1. Mapper Type: user-attribute-ldap-mapper or certificate-ldap-mapper
          2. set "User Model Attribute" to "usercertificate"
          3. set "LDAP attribute" to some existing attribute in LDAP
          4. Enable "Readonly"
          5. Enable "Always Read Value From LDAP"
          6. Save
        4. Synchronize all users
      7. Try to login to newly created client
        1. fails with the log from the description below.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When using X509 authentication in combination with LDAP user federation and enabled user import, users can only log in (once) and only if they have not been imported yet.
      After a user has been imported (e.g. after first login), users are unable to log in, because the user cannot be found:

      2020-04-07T07:44:39.514Z,"intern","type=LOGIN_ERROR, realmId=Test, clientId=test, userId=null, ipAddress=10.10.10.10, error=user_not_found, x509_cert_subject_distinguished_name='C=DE,O=Example,OU=People,CN=Test User', auth_method=saml, x509_cert_issuer_distinguished_name='C=DE,ST=NRW,L=Dortmund,O=Example,OU=Example PKI,CN=Example User CA', redirect_uri=https://sso-demo/saml/, code_id=afaf4912-b499-4cc3-a57d-06b6471cf2d7, x509_cert_serial_number=<clipped>, username=<clipped>, authSessionParentId=afaf4912-b499-4cc3-a57d-06b6471cf2d7, authSessionTabId=SY6cOdyu6JY"

      This problem is only observable if the user attribute configured in the X509 authenticator is mapped to an LDAP attribute via a user-attribute-ldap-mapper and that mapper has the flag "always read value from LDAP" enabled.
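      The following is an added example, not code from the reporter or from the Keycloak project. It parses event lines in the same shape as the LOGIN_ERROR line quoted above (timestamp, logger, then a comma-separated key=value payload whose X.509 distinguished names are single-quoted and themselves contain commas) and flags a subject DN that logged in successfully once and afterwards only produces error=user_not_found, which is the observable signature of this report. The sample lines are constructed to mirror the quoted event; the success event, the userId and the usernames are assumptions, not captured data.

```python
import csv
import re

# Constructed sample events in the format of the line quoted in the description.
# Line 1 is an assumed successful first login (the import), lines 2 and 3 are
# the subsequent user_not_found failures. None of this is captured data.
SAMPLE_EVENTS = """\
2020-04-07T07:40:12.001Z,"intern","type=LOGIN, realmId=Test, clientId=test, userId=2b1d4f2e-8c1a-4c53-9a5e-0e9d3b0c7a11, ipAddress=10.10.10.10, x509_cert_subject_distinguished_name='C=DE,O=Example,OU=People,CN=Test User', auth_method=saml, username=testuser"
2020-04-07T07:44:39.514Z,"intern","type=LOGIN_ERROR, realmId=Test, clientId=test, userId=null, ipAddress=10.10.10.10, error=user_not_found, x509_cert_subject_distinguished_name='C=DE,O=Example,OU=People,CN=Test User', auth_method=saml, x509_cert_issuer_distinguished_name='C=DE,ST=NRW,L=Dortmund,O=Example,OU=Example PKI,CN=Example User CA', redirect_uri=https://sso-demo/saml/, code_id=afaf4912-b499-4cc3-a57d-06b6471cf2d7, username=testuser"
2020-04-07T07:45:02.777Z,"intern","type=LOGIN_ERROR, realmId=Test, clientId=test, userId=null, ipAddress=10.10.10.11, error=user_not_found, x509_cert_subject_distinguished_name='C=DE,O=Example,OU=People,CN=Never Seen', auth_method=saml, username=unknown"
"""

# A key=value pair: the value is either a single-quoted string (which may contain
# commas, as the X.509 DNs do) or an unquoted run up to the next comma.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")


def parse_event(line):
    """Split one event line into (timestamp, logger, dict of payload fields).

    The outer record is CSV with double-quoted fields, so the csv module handles
    the commas inside the payload; the payload itself is then scanned pairwise.
    """
    timestamp, logger, payload = next(csv.reader([line]))
    fields = {m.group(1): m.group(2).strip("'") for m in FIELD_RE.finditer(payload)}
    return timestamp, logger, fields


def find_post_import_lockouts(lines):
    """Return (timestamp, realmId, subject DN) for every user_not_found failure
    whose certificate subject was previously seen in a successful LOGIN event.

    A subject that never logged in successfully is not reported: that is an
    ordinary unknown-user error, not the "works once, then never again" pattern.
    """
    seen_success = set()
    hits = []
    for line in lines:
        if not line.strip():
            continue
        timestamp, _, f = parse_event(line)
        subject = f.get("x509_cert_subject_distinguished_name")
        if not subject:
            continue
        if f.get("type") == "LOGIN":
            seen_success.add(subject)
        elif (f.get("type") == "LOGIN_ERROR"
              and f.get("error") == "user_not_found"
              and subject in seen_success):
            hits.append((timestamp, f.get("realmId"), subject))
    return hits


if __name__ == "__main__":
    for ts, realm, subject in find_post_import_lockouts(SAMPLE_EVENTS.splitlines()):
        print(f"{ts} realm={realm}: previously successful subject now user_not_found: {subject}")
```

      Run against a realm's event export, a non-empty result for subjects tied to an LDAP-federated user points at this mapper configuration rather than at a genuinely unknown certificate. Note that the success set is keyed on the subject DN only; where multiple certificates carry the same subject, add the issuer DN to the key.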

      People

      • Assignee: Unassigned
      • Reporter: sventorben Sven-Torben Janus
      • Votes: 0
      • Watchers: 3
