[keycloak-dev] Support for SSO bridge with shared user base

Vlastimil Elias velias at redhat.com
Mon Oct 12 04:23:10 EDT 2015


Hi Josh,

On 9.10.2015 15:22, Josh Cain wrote:
> We've got a similar use case - an externally managed SAML IDP is 
> sending users our way, and we need to map them to an existing user 
> base.  There are no attributes that we can definitively use to map our 
> users to incoming users from the external SAML IDP.  We currently 
> allow the users to authenticate on our side on their first trip, then 
> store an association between internal/external users. This association 
> is used on subsequent trips so that users don't have to sign in again.

I believe Keycloak is able to do what you need (which is a bit different 
from what I need); it definitely allows linking of external users to 
internal ones. But there are some gotchas in the user linking flows.
The Keycloak implementation assumes that external users are primarily new 
users and tries to create new Keycloak accounts for them without any 
GUI interaction.
But this is not very good in the case where users primarily exist in 
Keycloak and you can only link additional external accounts to them. 
There are also some problems with user conflict resolution.

I created the following two issues related to these problems based on our 
experiences:
https://issues.jboss.org/browse/KEYCLOAK-1374
https://issues.jboss.org/browse/KEYCLOAK-1540

There were also some discussions about this topic on the Keycloak mailing 
list two or three months ago, and there is another issue for this topic:
https://issues.jboss.org/browse/KEYCLOAK-1750

Hope this topic will be resolved soon.

Vlastimil

> We've currently got this working in Picketlink, but will need to 
> accommodate this use case with the keycloak migration coming up in the 
> future.
>
> To your question of pointing the SAML website to keycloak, it is a 
> third party's IDP.
>
> Is this sort of thing really that uncommon?  I'd imagine we're not the 
> only ones without a definitive mapping attribute, or a many-one 
> mapping.  Anyway, are the SPI's currently in place, or are there some 
> out there that would do the trick for this?
>
> Thanks in advance!
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
>
> On Fri, Oct 9, 2015 at 9:05 AM, Bill Burke <bburke at redhat.com> wrote:
>
>     I'd rather have the appropriate SPIs be extended then have this
>     feature
>     native in keycloak as it seems very specific to your deployment.
>
>     BTW, why not just point the SAML website to Keycloak? Keycloak
>     supports
>     SAML.
>
>     On 10/9/2015 5:39 AM, Vlastimil Elias wrote:
>     > Hi,
>     >
>     >
>     > I'd like to implement an SSO bridge between the Keycloak used for our
>     website,
>     > and another SAML 2 based SSO server used by another website.
>     >
>     > Both SSO servers share a common user base (the user federation provider in
>     > Keycloak is against the same user store as the SAML SSO server).
>     >
>     > What I want to achieve is that once a user is logged in on the other
>     SAML SSO
>     > server and then comes to the Keycloak site, I'd like to log him in there
>     > automatically.
>     >
>     > What I can do is to configure a SAML Identity Provider in Keycloak and
>     > enable "Authenticate By Default" for it. But I think this will
>     always
>     > lead to a user creation conflict in Keycloak as we share the user
>     base. I have
>     > to somehow force this "SAML Identity Provider" in Keycloak to
>     directly
>     > use existing Keycloak users instead of creating new ones and
>     linking to them.
>     >
>     > Is this somehow achievable in Keycloak 1.5, e.g. by development
>     of some
>     > extension? From what I know I think it's not achievable and the
>     feature must
>     > be coded into Keycloak core.
>     >
>     >
>     > And one other question ;-)
>     > When "Authenticate By Default" is used for some Identity
>     Provider then I
>     > believe that Keycloak redirects the user's browser to this provider in
>     > passive mode before showing its own login page, to get an identity from
>     it if
>     > any. But what happens if the provider is unreachable? In this
>     case the user
>     > finishes with an error page and is not able to log in to Keycloak
>     at all.
>     > Is Keycloak able to detect provider failure and stop redirecting the
>     user
>     > there?
>     >
>     > Thanks in advance
>     >
>     > Vlastimil
>     >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
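As an added illustration (not Keycloak code and not from either poster), a small model of the two linking policies discussed in this thread: Josh's "authenticate locally on the first trip, then store the association, and reuse it on later trips", and Vlastimil's shared-user-base case, where the asserted username can be trusted and an existing account must be used instead of creating a new one. The class, method and issuer/subject values are assumed; only the stored (issuer, subject) link is ever trusted on later visits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalIdentity:
    issuer: str    # identifier of the external IdP (e.g. a SAML entityID)
    subject: str   # stable, IdP-issued subject identifier (e.g. SAML NameID)
    username: str  # username asserted by the IdP; authoritative only for a shared user base


@dataclass
class LocalUser:
    user_id: str
    username: str


class LinkingBroker:
    """Decides how an incoming external identity maps onto local accounts (illustrative model)."""

    def __init__(self, users, shared_user_base):
        self.users = {u.user_id: u for u in users}
        self.by_name = {u.username: u.user_id for u in users}
        self.shared_user_base = shared_user_base
        self.links = {}  # (issuer, subject) -> local user_id; would be persisted in practice

    def resolve(self, ext, local_user_id=None):
        """Return (decision, user_id). local_user_id is set only right after a local login."""
        key = (ext.issuer, ext.subject)
        # Subsequent trips: a previously stored association is the only thing we trust.
        if key in self.links:
            return ("login", self.links[key])
        # First trip after the user proved the local account by logging in locally:
        # store the association so the next trip needs no local login.
        if local_user_id is not None:
            if local_user_id not in self.users:
                return ("error", None)
            self.links[key] = local_user_id
            return ("linked", local_user_id)
        if self.shared_user_base:
            # Both SSO servers read the same user store, so the asserted username
            # identifies an existing account: link to it directly and never create a user.
            existing = self.by_name.get(ext.username)
            if existing is None:
                return ("error", None)
            self.links[key] = existing
            return ("login", existing)
        # Separate user bases and no attribute that definitively maps users:
        # neither auto-create nor auto-link; ask for a local login first.
        return ("require_local_login", None)
```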
