Login from Keycloak to privacyIDEA with email

Hi all,
I’m struggling with some kind of problem, but I’m not sure what the cause is. So, I implemented privacyIDEA as an extension for 2FA authentication for Keycloak. The user provider for both systems is an LDAP server hosted by Apache Active Directory.

The problem is the following: from the LDAP resolvers, I set the email as the username in privacyIDEA and Keycloak. I can log in separately to both systems with the email and password, but I’m not able to validate the 2FA from privacyIDEA when I log in from Keycloak.

I tested the following scenario:
In the LDAP resolver of privacyIDEA I added, for login, besides the email, an attribute without the domain. Example: in Keycloak you can log in with user1@email.com; in privacyIDEA you can log in with user1@email.com and user1. It’s working, and I checked the logs: the user that requests to authenticate is user1, not user1@email.com. The splitAtSign is unchecked. So, why is the domain removed?

Also, in a production environment, I see that user1@email.com is transformed into user1%40email.com. This escape-character change occurs when searching in LDAP. I think that a custom field is used for the email, not the mail attribute from LDAP. The mangle settings didn’t help me.

Is that a bug or am I missing something?

Any idea will be helpful, thanks in advance.

Hello community, any idea regarding the escape characters from user1@gmail.com?

Honestly, I do not quite understand what you are doing.
Maybe this is why no one is answering you till now.

Do you really have users with different mail domains in the login name?

Question 1: So do you have

user1@gmail.com
user2@appe.com
user3@xyz.net
?
If not - why use emails? Do not do this!

Hint A: You need to assure that your default realm then does not have the same name as one of the email domains.

Comment B: I do not understand your “transforms to %40”. Where?
So the important thing you need to be clear about is, how the username arrives at privacyIDEA.

Read this; it should help with your understanding of how privacyIDEA reacts to the user data sent via the REST API.

https://privacyidea.readthedocs.io/en/latest/configuration/realms.html

Do you really have users with different mail domains in the login name?
A: No.
You need to assure that your default realm then does not have the same name as one of the email domains.
A: The login name is: sorin.miron@student.unitbv.ro and the realm name is unitbv. The domain and realm are not the same.

Comment B: I do not understand your “transforms to %40”. Where?
A: In the LDAP filtering process. When I try to log in from Keycloak, I see in privacyIDEA’s logs that the user is searched for as sorin.miron%40student.unitbv.ro. I will try to get the specific log.

If not - why use emails? Do not do this!
A: The university system is based on email; each student has an email like firstname.lastname@student.unitbv.ro. In the LDAP server there is no property with the “firstname.lastname” value. So, unfortunately, it’s a must to log in with the email.

Thanks for the help.

It sounds to me as if Keycloak is changing (escaping) the @ sign.

You might want to take a look at the mangle policy.
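The following is an added example, not code from this thread, from privacyIDEA or from Keycloak. It models the two things discussed above in plain Python: a login that reaches the server percent-encoded (`user1%40email.com`) will not match the directory's `mail` value until it is decoded, and a realm whose name equals the mail domain causes the domain to be stripped when the login is split at the `@` sign. The realm list, the directory entries, the log lines and the function names are all constructed for the example; the split rule is a simplified stand-in, not privacyIDEA's own implementation.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed sample data: realm names, a stand-in for the LDAP "mail" attribute
# (mail value -> DN), and a few log lines in the shape of an audit trail.
DEFAULT_REALM = "unitbv"
KNOWN_REALMS: Set[str] = {"unitbv", "staff"}
DIRECTORY = {
    "user1@email.com": "cn=user1,ou=students,dc=example,dc=org",
    "user2@email.com": "cn=user2,ou=students,dc=example,dc=org",
}
SAMPLE_LOG: List[str] = [
    "user=user1@email.com realm=unitbv action=/validate/check success=True",
    "user=user1%40email.com realm=unitbv action=/validate/check success=False",
    "user=user2@email.com realm=unitbv action=/validate/check success=True",
]


def normalise_login(raw: str) -> str:
    """Undo percent-encoding applied by an upstream HTTP client ('%40' -> '@').

    unquote() leaves an already-plain string untouched, so it is safe to apply
    before every lookup.
    """
    return unquote(raw)


def split_login(login: str, split_at_sign: bool,
                realms: Set[str] = KNOWN_REALMS) -> Tuple[str, str]:
    """Simplified model of the split@sign rule.

    The text after the last '@' is treated as a realm only if such a realm
    exists; otherwise the whole string (an e-mail address included) is the
    login name in the default realm. This is why a realm named like the mail
    domain silently strips the domain from the login.
    """
    if split_at_sign and "@" in login:
        user, _, suffix = login.rpartition("@")
        if suffix in realms:
            return user, suffix
    return login, DEFAULT_REALM


def find_user(raw_login: str, split_at_sign: bool = False,
              decode: bool = True) -> Optional[str]:
    """Resolve a login as received on the wire to a directory DN, or None."""
    login = normalise_login(raw_login) if decode else raw_login
    user, _realm = split_login(login, split_at_sign)
    return DIRECTORY.get(user)


def encoded_logins(log_lines: List[str]) -> List[str]:
    """Return log lines whose user field still carries '%40'.

    If these appear, the caller sent an encoded '@' and the directory search
    ran on the wrong string; the fix belongs upstream (or in a mangle rule),
    not in the LDAP resolver.
    """
    return [line for line in log_lines if "user=" in line and "%40" in line]


if __name__ == "__main__":
    print("encoded, no decode:", find_user("user1%40email.com", decode=False))
    print("encoded, decoded:  ", find_user("user1%40email.com"))
    print("split, realm suffix:", split_login("user1@unitbv", True))
    print("split, mail suffix: ", split_login("user1@email.com", True))
    print("split, realm == domain:",
          split_login("user1@email.com", True, {"email.com"}))
    print("suspicious log lines:", encoded_logins(SAMPLE_LOG))
```

Running it shows the encoded login failing the lookup until it is decoded, the e-mail surviving the split as long as no realm is named `email.com`, and the single log line that betrays the upstream escaping.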