[keycloak-dev] SAML as social login?
mcaspers at redhat.com
Tue Feb 4 15:57:08 EST 2014
The value KeyCloak offers us (if I understand correctly) is that we can build applications against KeyCloak and not have to worry about where the users details eventually come from. In our local deployment, KeyCloak might be nothing more than a middleman between our application and an existing SSO solution. But it is nice to be able to support other deployment scenarios where KeyCloak is used as a complete and independent security solution, with no changes to our code.
So it is very valuable to us to have a project like KeyCloak providing a sliding scale solution from "just bouncing messages between the browser and the existing user database" to "we have no existing user database, so KeyCloak has to do everything" with little more than a few toggles in a UI.
RHCE, RHCJA # 111-072-237
Engineering Content Services
----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: keycloak-dev at lists.jboss.org
Sent: Wednesday, 5 February, 2014 1:26:49 AM
Subject: Re: [keycloak-dev] SAML as social login?
I guess this would be interesting in the case where your federated IDP
didn't have role and session mgmt, single sign off, oauth/openid connect
support? Would Keycloak offer enough value add in this scenario?
On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
> In theory that should work. The social login feature at the moment has only been tested for OAuth and OAuth2 providers, so may need some tweaking for a SAML provider.
> We're also assuming that a social provider is able to retrieve a basic user profile (https://github.com/keycloak/keycloak/blob/master/social/google/src/main/java/org/keycloak/social/google/GoogleProvider.java#L85), but you could just return a username and require users to update their profile on first social login ("Update profile on first social login" option on realm settings in admin console).
> In the future we plan to provide support for federation of authentication (other Keycloak realms, SAML, LDAP, etc.), but this is a good way to get something working with what Keycloak provides at the moment.
> By the way at the moment the admin console has a hard-coded list of social providers, but in the next release this will be dynamic. So all you'd need is to add a jar that implements the social provider spi, and it will be available to configure it for a realm through the admin console.
> ----- Original Message -----
>> From: "Matt Casperson" <mcaspers at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Sunday, 2 February, 2014 8:56:48 PM
>> Subject: [keycloak-dev] SAML as social login?
>> If I am reading
>> correctly, the only thing needed for a Keycloak social login is a URL to a
>> login page that the user can be directed to when they are not logged in, and
>> to have that login page send back a response that Keycloak can use to verify
>> the user and get their details.
>> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
>> could that be added as a social login?
>> Matthew Casperson
>> RHCE, RHCJA # 111-072-237
>> Engineering Content Services
>> Brisbane, Australia
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
JBoss, a division of Red Hat
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the keycloak-dev