<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Josh,<br>
    <br>
    <div class="moz-cite-prefix">On 9.10.2015 15:22, Josh Cain wrote:<br>
    </div>
    <blockquote
cite="mid:CA+z0A8A5ODUP3Yomm9AkPdOvKZ8AVwO-9+7JJPGtWZF+OTzsog@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>We've got a similar use case - an externally managed
              SAML IDP is sending users our way, and we need to map them
              to an existing user base.  There are no attributes that we
              can definitively use to map our users to incoming users
              from the external SAML IDP.  We currently allow the users
              to authenticate on our side on their first trip, then
              store an association between internal/external users. 
              This association is used on subsequent trips so that users
              don't have to sign in again.  </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
I believe Keycloak is able to do what you need (which is a bit
    different from what I need); it definitely allows linking of external
    users to internal ones. But there are some gotchas in the user linking
    flows. <br>
    The Keycloak implementation assumes that external users are primarily
    new users and tries to create new Keycloak accounts for them
    without any GUI interaction. <br>
    But this is not very good in the case when users primarily exist in
    Keycloak and you can only link additional external accounts to them.
    There are also some problems with user conflict resolution.<br>
    <br>
I created the following two issues related to these problems based on our
    experiences:<br>
    <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1374">https://issues.jboss.org/browse/KEYCLOAK-1374</a><br>
    <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1540">https://issues.jboss.org/browse/KEYCLOAK-1540</a><br>
    <br>
There were also some discussions about this topic on the Keycloak mailing
    list two or three months ago, and there is another issue for this topic:<br>
    <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1750">https://issues.jboss.org/browse/KEYCLOAK-1750</a><br>
    <br>
    Hope this topic will be resolved soon.<br>
    <br>
    Vlastimil<br>
    <br>
    <blockquote
cite="mid:CA+z0A8A5ODUP3Yomm9AkPdOvKZ8AVwO-9+7JJPGtWZF+OTzsog@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>We've currently got this working in Picketlink, but
              will need to accommodate this use case with the keycloak
              migration coming up in the future.<br>
              <br>
            </div>
            To your question of pointing the SAML website to keycloak,
            it is a third party's IDP.<br>
            <br>
          </div>
          Is this sort of thing really that uncommon?  I'd imagine we're
          not the only ones without a definitive mapping attribute, or a
          many-one mapping.  Anyway, are the SPI's currently in place,
          or are there some out there that would do the trick for this?<br>
          <br>
        </div>
        Thanks in advance!<br>
        <br clear="all">
        <div class="gmail_extra">
          <div>
            <div class="gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div>Josh Cain | Software Applications Engineer<br>
                      </div>
                      <i>Identity and Access Management</i><br>
                    </div>
                    <b>Red Hat</b><br>
                    +1 843-737-1735<br>
                    <br>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Fri, Oct 9, 2015 at 9:05 AM, Bill
            Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">I'd
              rather have the appropriate SPIs be extended then have
              this feature<br>
              native in keycloak as it seems very specific to your
              deployment.<br>
              <br>
              BTW, why not just point the SAML website to Keycloak? 
              Keycloak supports<br>
              SAML.<br>
              <div class="HOEnZb">
                <div class="h5"><br>
                  On 10/9/2015 5:39 AM, Vlastimil Elias wrote:<br>
                  &gt; Hi,<br>
                  &gt;<br>
                  &gt;<br>
                  &gt; I'd like to implement SSO bridge between Keycloak
                  used for our website,<br>
                  &gt; and other SAML 2 based SSO server used by another
                  website.<br>
                  &gt;<br>
                  &gt; Both SSO servers share common user base (user
                  federation provider in<br>
                  &gt; keycloak against same user store as the SAML SSO
                  server).<br>
                  &gt;<br>
&gt; What I want to achieve is that once a user is
                   logged in on the other SAML SSO<br>
                   &gt; server and then comes to the Keycloak site, I'd like
                   to log him in there<br>
                   &gt; automatically.<br>
                  &gt;<br>
                  &gt; What I can do is to configure SAML Identity
                  Provider in Keycloak and<br>
                  &gt; enable "Authenticate By Default" for it. But I
                  think this will always<br>
                  &gt; lead to user creation conflict in Keycloak as we
                  share user base. I have<br>
                  &gt; to somehow force this "SAML Identity Provider" in
                  keycloak to directly<br>
                  &gt; use existing Keycloak users instead of creating
                  new one and linking to them.<br>
                  &gt;<br>
&gt; Is this somehow achievable in Keycloak 1.5, e.g.
                   by development of some<br>
                   &gt; extension? From what I know I think it's not
                   achievable and the feature must<br>
                   &gt; be coded into the Keycloak core.<br>
                  &gt;<br>
                  &gt;<br>
                  &gt; And one other question ;-)<br>
                  &gt; When "Authenticate By Default" is used for some
                  Identity Provider then I<br>
                  &gt; believe that Keycloak redirects user's browser to
                  this provider in<br>
                  &gt; passive mode before showing own login page to get
                  identity from it if<br>
&gt; any. But what happens if the provider is
                   unreachable? In this case the user<br>
                   &gt; finishes with an error page and is not able to log in
                   to Keycloak at all.<br>
                  &gt; Is Keycloak able to detect provider failure and
                  stop redirecting user<br>
                  &gt; there?<br>
                  &gt;<br>
                  &gt; Thanks in advance<br>
                  &gt;<br>
                  &gt; Vlastimil<br>
                  &gt;<br>
                  <br>
                  --<br>
                </div>
              </div>
              <span class="HOEnZb"><font color="#888888">Bill Burke<br>
                  JBoss, a division of Red Hat<br>
                  <a moz-do-not-send="true"
                    href="http://bill.burkecentral.com" rel="noreferrer"
                    target="_blank">http://bill.burkecentral.com</a><br>
                </font></span>
              <div class="HOEnZb">
                <div class="h5">_______________________________________________<br>
                  keycloak-dev mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
                  <a moz-do-not-send="true"
                    href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                    rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team</pre>
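As an added illustration of the two linking strategies discussed in this thread (auto-creating a local account for an unknown external user, versus linking to an existing local account only after the user has authenticated locally and reusing that link on later visits), here is a constructed Python model; it is not Keycloak code, and the names Realm, User, broker_login and Conflict are hypothetical.

```python
"""Constructed model of first-broker-login behaviour; not Keycloak code."""
from dataclasses import dataclass, field


class Conflict(Exception):
    """Auto-creation collided with a user already in the shared user store."""


@dataclass
class User:
    username: str
    # Stored associations: (idp_alias, external_user_id) -> this account
    links: set = field(default_factory=set)


@dataclass
class Realm:
    users: dict = field(default_factory=dict)  # username -> User

    def find_by_link(self, idp_alias, external_id):
        """Return the local user already linked to this external identity."""
        for user in self.users.values():
            if (idp_alias, external_id) in user.links:
                return user
        return None

    def broker_login(self, idp_alias, external_id, username,
                     auto_create, local_auth=None):
        """Resolve an incoming brokered identity to a local User.

        auto_create=True models creating a fresh local account for an unknown
        external user; with a shared user base this conflicts on username.
        auto_create=False models linking only after the user proves control of
        a local account; local_auth() returns that username or None.
        """
        linked = self.find_by_link(idp_alias, external_id)
        if linked is not None:
            return linked  # subsequent trip: association reused, no login
        if auto_create:
            if username in self.users:
                raise Conflict(f"local user {username!r} already exists")
            user = User(username)
            self.users[username] = user
        else:
            proven = local_auth() if local_auth else None
            if proven is None or proven not in self.users:
                raise PermissionError("local authentication required first")
            user = self.users[proven]
        user.links.add((idp_alias, external_id))  # store the association
        return user
```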
  </body>
</html>