REDCap and Keycloak :(


Matteo Riva

Sep 7, 2022, 11:16:45 AM
to redcap open
Hello everyone,

I am trying to find a way to create an SSO (Single Sign On) in REDCap (version 12.4.1) using Keycloak.
Unfortunately, when I login using the credentials and the user in Keycloak, it generates a new user in REDCap! And it does not login as the already existing one.
Seeing this problem, I tried to follow this video:


Finally, when I click the button of Keycloak in the REDCap login page, it gives me this error:

ERROR: REDCap could not determine your username for unknown reasons. There appears to be some kind of technical problem.

It has been two days of work and I did not find ANYTHING that could help me. Please, please, has someone had the same problem? Did you manage to make an SSO between REDCap and Keycloak?
Any tip would be super appreciated. 
Thank you so much in advance.

Matteo

Luke Stevens

Sep 8, 2022, 5:40:39 PM
to Matteo Riva, redcap open

Hello Matteo,

Not sure how helpful this is – I know nothing about Keycloak – just thought I’d share my experience setting up 2FA with Okta. It was appearing to return the email address of the person logging in instead of the expected username. To find out what was going on I added some additional logging code at various points in the page execution (on a test server of course). From that I was able to see precisely what data came back to REDCap from Okta, and found that the username was being returned in an attribute named “preferred_username”, not “username”. Perhaps you might get some mileage following a similar strategy?

HTH

Luke

Luke Stevens
Research Data Systems Manager
Clinical Epidemiology & Biostatistics Unit (CEBU)
Murdoch Children's Research Institute
The Royal Children's Hospital, 50 Flemington Road
Parkville, Victoria 3052 Australia
T   +61 3 9345 6552
E   luke.s...@mcri.edu.au
W  mcri.edu.au


Peter Macisaac

Sep 8, 2022, 7:23:36 PM
to Luke Stevens, Matteo Riva, redcap open
Matteo. As Luke’s experience points out, this is not a REDCap problem but one in Keycloak. Either change to use something else for SSO or look into Keycloak config or help desk or Google for your solution.

Peter

Sent from my iPhone

Matteo Riva

Sep 9, 2022, 5:01:18 AM
to redcap open
Hello Luke and Peter,

Thank you so much both of you for your kind reply.
Luke, from your reply I could find a possible key word: attribute. I tried to change the parameter "Attribute to use for REDCap username" (definition: "This OIDC attribute will serve as the authenticated user's REDCap username after logging in. If the selected attribute does not have a value for the user, it will revert to using the user's associated email address to serve as their username.") in REDCap to every one proposed by REDCap itself (sub, email, nickname and username), but nothing changed at all. Then yes, I guess it is a Keycloak issue. I searched in Google for "Keycloak User Attribute" and what I found is a JSON file (Java Adapter Config) which has inside a parameter called "principal-attribute" (definition: "OpenID Connection ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name.").
Could this be the solution to my problem? Can you explain in detail how you changed the attribute from "preferred_username" to "username", please? I am confident that we are on the right path!

Thank you again!

Matteo

Matteo Riva

Sep 9, 2022, 9:42:22 AM
to redcap open
Hello Luke and Peter,

Sorry, reading my answer again, I see that I should have been clearer in the phrase "how you changed the attribute". In particular, I mean where you found that parameter, what the name of the file is, etc.
I am sorry, I hope it is not too demanding a question.

Thank you again both of you.

Matteo

Peter Macisaac

Sep 9, 2022, 5:17:05 PM
to Matteo Riva, redcap open
https://www.keycloak.org/server/configuration

Has the name of config file

Sent from my iPhone

Luke Stevens

Sep 9, 2022, 5:59:03 PM
to Peter Macisaac, Matteo Riva, redcap open

Hello Matteo,

I looked up some more detail about what I did to discover the attribute names that Okta was returning to REDCap.

This is in Authentication.php in the function authenticateOpenIDConnect() where I added the logging line:

    // Get user info, if successfully logged in
    if ($success) {
        REDCap::logEvent('OpenID Connect Auth - success', var_export($oidc, true));
        // Set username

And one of the properties contains an array named 'verifiedClaims' which contained the user info. I could see my username in an element with the key ‘preferred_username’.

REDCap gives us these options for where to get the username from:

You asked “Can you explain in detail how you changed the attribute from "preferred_username" to "username", please?” Well, I didn’t! I asked our IT dept if they could change how Okta sends the username (i.e. to use one of the dropdown’s elements) but they said no. I got the REDCap auth working by manually setting the config table value to what I needed: UPDATE `redcap`.`redcap_config` SET `value` = 'preferred_username' WHERE (`field_name` = 'openid_connect_username_attribute');

I would of course need to do that each time I save the Auth config page, because that will reset that value to username. More likely is I will write an external module that adds preferred_username as a dropdown option.

I hope that is helpful.

Luke

Matteo Riva

Sep 12, 2022, 6:57:25 AM
to redcap open
Hello Luke,

Thank you again for your help.
The Authentication.php file is present in the REDCap VM. I searched for the key 'preferred_username' and it actually is there!
Then what I did was search for the line "UPDATE...SET value...WHERE...." and I added what you suggested.
But...unfortunately, nothing has changed at all :( Again, when I try to log in to REDCap with Keycloak it generates a new user instead of logging in as mine. I do not really know how to move on now...

I really thank you again for your kindness.

Matteo

Luke Stevens

Sep 12, 2022, 3:51:53 PM
to Matteo Riva, redcap open

Sorry I wasn’t quite clear Matteo. What I did was add the logging line to the code in my test instance so that I could inspect what Okta was returning to REDCap. I found that it was using “preferred_username” and not one of the names that REDCap has built in, so to get REDCap to look for my username as “preferred_username” I ran that update statement in my database to update the value in the redcap_config table.

I am not saying that the solution is likely to be the same for you, just that the process I followed may be helpful to you. Try adding that logging line and find out what you see. Go from there…

HTH

Luke


Matteo Riva

Sep 15, 2022, 4:20:18 AM
to redcap open
Hello Luke,

Sorry for my absence and thank you for your reply.
I did more research and finally I found what you said: Keycloak is giving an ID token to REDCap with a "preferred_username" parameter, which is not recognised by REDCap.
Then what I ask you is to share your Authentication.php or, if you can't, at least tell me the precise place of the script where you wrote "UPDATE `redcap`.`redcap_config` SET `value` = 'preferred_username' WHERE (`field_name` = 'openid_connect_username_attribute');". I read and read again the Authentication.php file, but I can't understand where to insert this line.

I know, maybe I am asking too much, but please, this could be the solution of the problem!

Thank you again.

Matteo

Matteo Riva

Sep 15, 2022, 5:04:29 AM
to redcap open
SOLVED!!! In summary, I had to enter in mysql and type the line you wrote!
I am sorry Luke, I misunderstood your phrases and I thought I had to modify the Authentication.php file. Instead it was simpler than I expected :)

Thank you so much Luke and Peter for your time, your kindness and help! Have a nice day and work!

Matteo
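As an added illustration, not code from this thread or from REDCap itself, here is a Python sketch of the mechanism Luke describes: decode the ID token payload to see which claims the identity provider actually sends (the equivalent of his logging line), then apply REDCap's stated rule for the username (the configured attribute, else the email address), which is why a Keycloak login that only carries "preferred_username" ends up creating a new email-named account until the config value is changed. The claims and the token are constructed; the helper names are assumed for the demo and REDCap's real PHP resolution code is not reproduced.

```python
import base64
import json

# Constructed claims, not a real Keycloak token: Keycloak puts the login
# name in "preferred_username", which REDCap's dropdown does not offer.
SAMPLE_CLAIMS = {
    "sub": "3f1c9a2e-0000-4000-8000-000000000001",
    "email": "m.riva@example.org",
    "preferred_username": "mriva",
}


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims):
    """Build a demo ID token with a placeholder signature (constructed)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-sig"


def id_token_claims(token):
    """Decode the payload of an ID token for inspection only.
    The signature is NOT verified here; this mirrors Luke's
    logEvent(var_export($oidc)) step: look at what the IdP really sent."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_redcap_username(claims, attribute):
    """REDCap's documented rule: use the configured attribute; if the user
    has no value for it, fall back to the email claim.
    Returns (username, claim_used)."""
    value = claims.get(attribute)
    if value:
        return value, attribute
    return claims["email"], "email"


if __name__ == "__main__":
    claims = id_token_claims(make_sample_token(SAMPLE_CLAIMS))
    # Default config ("username") is absent, so REDCap falls back to the
    # email and creates a new account under that name.
    print(resolve_redcap_username(claims, "username"))
    # After the UPDATE to 'preferred_username', the existing user matches.
    print(resolve_redcap_username(claims, "preferred_username"))
```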
