Keycloak and REDCap :(


Matteo Riva
Sep 9, 2022, 5:19:33 AM
to Keycloak User
Hello everyone,

I am trying to find a way to set up SSO (Single Sign-On) in REDCap (version 12.4.1), a browser-based software for designing clinical and translational research databases, using Keycloak.
Unfortunately, when I log in using the credentials of the user in Keycloak, it generates a new user in REDCap! And it does not log in as the already existing one.
Seeing this problem, I tried to follow this video:


Finally, when I click the button of Keycloak in the REDCap login page, it gives me this error:

ERROR: REDCap could not determine your username for unknown reasons. There appears to be some kind of technical problem.

I tried to change the parameter "Attribute to use for REDCap username" (definition: "This OIDC attribute will serve as the authenticated user's REDCap username after logging in. If the selected attribute does not have a value for the user, it will revert to using the user's associated email address to serve as their username.") in REDCap to every option proposed by REDCap itself (sub, email, nickname and username), but nothing changed at all. So I guess it is a Keycloak issue. I searched Google for "Keycloak User Attribute" and what I found is a JSON file (Java Adapter Config) which has inside a parameter called "principal-attribute" (definition: "OpenID Connect ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name.").
Could this file be the solution to my problem? Can someone explain in detail how I can use this file and how I can modify it, please?

It has been two days of work and still I have not solved the problem. Please, please, has anyone had the same issue? Did you manage to set up SSO between REDCap and Keycloak? Attached you can find the REDCap interface for OpenID Connect.
Any tip would be super appreciated. 

Thank you so much in advance.

Matteo
[attachment: redcap_image1.PNG]

Matteo Riva
Sep 13, 2022, 7:57:11 AM
to Keycloak User
No one has had the same issue (Keycloak creates a new user instead of logging in as the already existing one)? Even with different software! It may be helpful to know which parameters you changed in order to allow Keycloak to recognise a user in that software, or vice versa.

Thank you again.

Matteo

Giovanni Albero
Sep 13, 2022, 8:51:02 AM
to Matteo Riva, Keycloak User
Hi Matteo, I don't know your specific use case, but are you sure that your login flow inside REDCap performs a check before creating a new user?
For example, when Keycloak plays the role REDCap plays in your case, I can define a login flow with a set of checks or actions to perform for any login performed via the login provider.

I hope that you can find some hints in my message.

See you
Giovanni

--
Giovanni Albero
Co-Founder & CEO - SMarT

Matteo Riva
Sep 13, 2022, 9:51:05 AM
to Keycloak User
Hello Giovanni,

Thank you so much for your reply.
I will try to explain the workflow I do in summary:

KEYCLOAK SIDE

1) Add a new realm (Enabled: ON)
2) Create a new Client (Client Protocol = openid-connect; Access Type = confidential)
3) Assign a Valid Redirect URI --> in this case what I do is cut and paste the REDIRECT_URL that REDCap gives me (you can see it in the picture in my first message)
4) Add a new user (the username, email, First Name and Last Name are EXACTLY THE SAME as the REDCap user) --> User Enabled ON and Email Verified OFF
5) User --> Credentials --> Set Password --> Temporary OFF

REDCap SIDE

1) Cut and paste the Client ID of Keycloak in Client ID parameter present in REDCap
2) Cut and paste the Client Secret of the Client in Keycloak
3) Cut and paste the Provider Base URL http://localhost:8080/auth/realms/name-of-the-realm
4) Set the "Attribute to use for REDCap username" to "username (default)" (I have already tried all the other options such as email, nickname and sub, but nothing changed at all) --> I paste here the definition of this parameter: "This OIDC attribute will serve as the authenticated user's REDCap username after logging in. If the selected attribute does not have a value for the user, it will revert to using the user's associated email address to serve as their username."

That's it. When I try to use Keycloak, REDCap goes to the login screen of Keycloak (good!), but when I type the username and the password, I am NOT logged in as the already existing user in REDCap, but as a new one with the same username, email, etc. (bad...).
The steps I wrote are ALL I do. Nothing more. Is there something I am missing? Must I define something else? Must I change a parameter in a file from the terminal in my VMs? If yes, please be as precise as you can.

Thank you again.

Matteo

dc...@prosentient.com.au
Sep 13, 2022, 7:24:26 PM
to Matteo Riva, Keycloak User

Sounds like a bug in REDCap.

David Cook
Senior Software Engineer
Prosentient Systems

Giovanni Albero
Sep 14, 2022, 1:40:36 AM
to dc...@prosentient.com.au, Keycloak User, Matteo Riva
Where are the users saved by REDCap? If it is a database, is there a unique constraint on the username attribute?
Do you have the possibility to look at the place where the users are saved, to check if there are differences (like the charset)?

Matteo Riva
Sep 14, 2022, 5:37:09 AM
to Keycloak User
Hello Giovanni and David,

David, who knows, it could be a bug in REDCap. But could it be a bug in Keycloak? How can I understand which is which? How can I fix it?

Giovanni, yes I suspect Keycloak and REDCap are not "talking" in a correct way. I mean, the username or email (for example) could be identified in a different variable in Keycloak and in REDCap. 
Since I do not know an exact answer to your questions, I tried to find a solution on Google, but nothing was helpful. 
What is the next step then? Well, I thought of inspecting (CTRL + SHIFT + I) the Google page, both in REDCap and in Keycloak, in order to find a file or anything that could tell me where my username, email, etc. are stored. Here is what I found:

KEYCLOAK SIDE

[attachment: keycloak_inspection.PNG]

REDCap SIDE

[attachment: redcap_inspection.PNG]

Finally, here is a file name: "view_users.php". I logged in to my REDCap VM and I opened that file. What I found interesting are these lines:

<select id="user_list_search_attr" class="x-form-text x-form-field" style="margin-right:5px;">
    <option value="" <?php if ($_GET['search_attr'] == "") print "selected"; ?>><?php echo $lang['control_center_4496'] ?></option>
    <option value="username" <?php if ($_GET['search_attr'] == "username") print "selected"; ?>><?php echo $lang['global_11'] ?></option>
    <option value="user_firstname" <?php if ($_GET['search_attr'] == "user_firstname") print "selected"; ?>><?php echo $lang['global_41'] ?></option>
    <option value="user_lastname" <?php if ($_GET['search_attr'] == "user_lastname") print "selected"; ?>><?php echo $lang['global_42'] ?></option>
    <option value="user_email" <?php if ($_GET['search_attr'] == "user_email") print "selected"; ?>><?php echo $lang['control_center_56'] ?></option>
    <option value="user_sponsor" <?php if ($_GET['search_attr'] == "user_sponsor") print "selected"; ?>><?php echo $lang['user_72'] ?></option>
    <option value="user_inst_id" <?php if ($_GET['search_attr'] == "user_inst_id") print "selected"; ?>><?php echo $lang['control_center_236'] ?></option>
    <option value="user_comments" <?php if ($_GET['search_attr'] == "user_comments") print "selected"; ?>><?php echo $lang['dataqueries_146'] ?></option>
</select>


I do not know...it seems there is no reason for a conflict...
Then what am I missing? Why does Keycloak create a new user instead of logging in as the already existing one in REDCap?
Any idea? Please :(

Thank you again both of you for your reply.

Matteo

Giovanni Albero
Sep 14, 2022, 5:41:37 AM
to Matteo Riva, Keycloak User
Do you have the possibility to create a test project in github to check your specific use-case? 
If you use docker containers it should be easy to test it locally. 

--
Giovanni Albero
Co-Founder & CEO - SMarT

Matteo Riva
Sep 14, 2022, 6:08:35 AM
to Keycloak User
Unfortunately, no, I do not have the possibility to create a project on GitHub :( I think I should ask my boss for special permissions to do that and to check whether confidential data could be lost. I am afraid it would be a huge waste of time to obtain them.

C R
Sep 14, 2022, 7:53:56 AM
to Matteo Riva, Keycloak User
On Wed, Sep 14, 2022 at 11:37, Matteo Riva <mat.ri...@gmail.com> wrote:
> I do not know...it seems there is no reason for a conflict...
> Then what am I missing? Why does Keycloak create a new user instead of logging in as the already existing one in REDCap?
> Any idea? Please :(


I don't know anything about your Keycloak and REDCap setup, so take this with a grain of salt.

As I understand it, Keycloak with a user backend like LDAP does not create a user (besides the federated identities in the case of brokering). When you log in it sends you a token with a preferred_username and other scope values. Then the application, REDCap here, does something with that information, like creating a session or provisioning a local user. So in this case, the problem looks to me to be on the application side, like a mismatch between the scopes or attributes used to create a local user.

The only problem I could see at Keycloak's side is you not persisting the subject (sub: https://openid.net/specs/openid-connect-core-1_0.html#IDToken) so logins are seen as from different users.

C.
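The application-side mapping C. describes, as an added example (this is not code from REDCap, from Keycloak, or from anyone in this thread): a relying party verifies the ID token, picks a username claim the way the REDCap option quoted above documents it (configured claim, else email), and then either links an existing local account or creates one. Assumptions: the token is HS256-signed with a constructed client secret (a stand-in for Keycloak's RS256 realm key, which a real client checks against the realm's JWKS); the local user table, claim values and the scenarios in demo() are constructed; link_or_create is a hypothetical relying-party routine, not REDCap's actual lookup. The claim set mirrors what Keycloak's default profile and email client scopes put in an ID token, where the mapper the admin console lists as "username" writes the claim preferred_username (there is no claim literally named username by default), so an application configured to read username would fall through to the documented email fallback.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; the real ones come from the Keycloak client's
# Credentials tab and the "Provider Base URL" pasted into REDCap.
CLIENT_ID = "redcap"
CLIENT_SECRET = b"demo-client-secret-not-a-real-one"
ISSUER = "http://localhost:8080/auth/realms/name-of-the-realm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict) -> str:
    """Mint an HS256 ID token standing in for the one Keycloak would return."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Check alg, signature, iss, aud and exp before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour the header's choice
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def resolve_username(claims: dict, attribute: str):
    """REDCap's documented rule: the configured claim, else the email claim."""
    return claims.get(attribute) or claims.get("email")


def link_or_create(users: dict, claims: dict, attribute: str) -> tuple:
    """Hypothetical lookup over a local table {username: {"sub", "email"}}; returns (name, outcome)."""
    # Strongest match: a subject identifier persisted on an earlier login.
    for name, rec in users.items():
        if rec.get("sub") == claims["sub"]:
            return name, "linked-by-sub"
    username = resolve_username(claims, attribute)
    if not username:
        raise ValueError("could not determine username from token")
    if username in users:
        # Attaching an IdP identity to an existing account through the email
        # fallback is only safe when the IdP vouches for the address.
        if not claims.get(attribute) and not claims.get("email_verified"):
            raise ValueError("refusing to link existing account on an unverified email")
        users[username]["sub"] = claims["sub"]
        return username, "linked-by-attribute"
    users[username] = {"sub": claims["sub"], "email": claims.get("email")}
    return username, "created"


def keycloak_style_claims() -> dict:
    """Constructed claims shaped like Keycloak's default profile + email scopes (Email Verified OFF)."""
    return {
        "iss": ISSUER, "aud": CLIENT_ID, "exp": int(time.time()) + 300,
        "sub": "3f1b2c9e-0000-4000-8000-000000000000",
        "preferred_username": "mriva",
        "email": "m.riva@example.org", "email_verified": False,
        "given_name": "Matteo", "family_name": "Riva",
    }


def demo() -> dict:
    """Replay the situations from the thread against a constructed user table."""
    claims = verify_id_token(make_id_token(keycloak_style_claims()))
    results = {}
    # 1. The app reads a claim named "username", which the token lacks, so the
    #    email fallback fires and a second local account appears beside "mriva".
    users = {"mriva": {"sub": None, "email": "m.riva@example.org"}}
    results["username_attr"] = link_or_create(users, claims, "username")
    results["users_after_mismatch"] = sorted(users)
    # 2. Reading the claim Keycloak actually sends links the existing account,
    #    persists sub, and the next login matches on sub alone.
    users = {"mriva": {"sub": None, "email": "m.riva@example.org"}}
    results["first_login"] = link_or_create(users, claims, "preferred_username")
    results["second_login"] = link_or_create(users, claims, "preferred_username")
    # 3. Local account keyed by email while the token says email_verified=false: refuse.
    users = {"m.riva@example.org": {"sub": None, "email": "m.riva@example.org"}}
    try:
        link_or_create(users, claims, "username")
        results["unverified_email"] = "linked"
    except ValueError as exc:
        results["unverified_email"] = str(exc)
    return results
```

Calling demo() replays the three cases: the first leaves two local accounts (the pre-existing one and a new one named after the email address), which is the symptom reported in this thread; the second links once on preferred_username and then matches on the persisted sub; the third refuses to attach an unverified email to an existing account, the check a relying party needs because Keycloak sends email_verified=false for a user created with Email Verified OFF as in the setup steps above.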

Matteo Riva
Sep 14, 2022, 10:05:47 AM
to Keycloak User
Hello C.,

Thank you for your reply.
Okay, this could be a lead! But can you be a bit more detailed, please? Where can I see how the ID Token is set? Can I change its settings (use username instead of preferred_username)? If yes, how can I change them? What is the name of the ID Token in Keycloak? This way I can check it in my VM.

Thank you again.

Matteo

C R
Sep 14, 2022, 10:11:23 AM
to Matteo Riva, Keycloak User
HI Matteo,

You can evaluate the tokens (i.e. see what Keycloak would send) in the admin site => Clients => $your_client => scopes.

C.

Matteo Riva
Sep 14, 2022, 10:24:34 AM
to Keycloak User
Wonderful!
Here it is what I see:

[attachment: Cattura_scope_keycloak.PNG]
(Before, "Full Scope Allowed" was set to ON. Clicking OFF, I can see something.)
And can you explain what these fields are? What happens if I change them? How should I change the parameter preferred_username to username?
I know, maybe I am asking too much...I hope it is not too complex!

Thank you so much.

Matteo

C R
Sep 14, 2022, 10:35:32 AM
to Matteo Riva, Keycloak User
You need to click on evaluate to check what's in the token and what's not. I don't think changing the preferred_username will change anything about your problem.

C.
