[keycloak-user] SSO amongst two realms

[Jason Axley]

Could you possibly support “Authenticate by default” with a “fallback to the local realm”?  It would be nice to have certain users attached to a particular realm realm1 but have Keycloak internally attempt to authenticate first against another realm so you can get the effect of a union of the users across the two realms.  The user experience with the federation buttons as an alternative makes this configuration complexity exposed to the user and I’d prefer to not have to do that.

-Jason

From: <keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>> on behalf of Marek Posolda <mposolda at redhat.com<mailto:mposolda at redhat.com>>
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya <akaya at expedia.com<mailto:akaya at expedia.com>>, "keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms

It's possible to achieve something like this with identity provider. You can create identityProvider in realm2, which will authenticate against realm1. In that case, there will be button in login screen of realm2 like "Login with realm1" and when user clicks on this, he will be logged-in automatically. There is also possibility to use switch "Authenticate by default" in identity provider and then login screen of realm2 won't be shown, but instead it will always automatically redirect to realm1 login screen.

The thing is, that you will end with duplicated user accounts (Account of user "john" will be in both realm1 and realm2). AFAIK we plan to improve this in the future to have this use-case more "friendly" as more people ask about that.

Marek

On 25/02/16 01:39, Sarp Kaya wrote:
Hi,

I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to an app1 that auths against realm1, then user 1 tries to use app2 which auths against realm2 which should work fine as user 1 logged into realm1 before and it should SSO into app2 fine.

If this is possible then what would be the setup like?

Kind Regards,
Sarp



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/1b63038e/attachment.html