[keycloak-user] Realm Config Recommendations

Stian Thorgersen sthorger at redhat.com
Fri Sep 30 02:36:22 EDT 2016


We're currently re-working user federation SPI, but the new SPI should be
ready in 2.3. Once it is I think you should be able to do what you want.

Bill - can you take a peek at the original use-case and comment if it's
achievable? It's an interesting use-case.

On 30 September 2016 at 07:53, Adam Keily <adam.keily at adelaide.edu.au>
wrote:

> Hi Stian,
>
> Just revisiting this. Can you elaborate on "you could use the admin
> endpoints to link the KC user to an LDAP user when the student is created
> in LDAP"?
>
> How do you see this working?
>
> Adam
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Wednesday, 7 September 2016 10:15 PM
> To: Adam Keily <adam.keily at adelaide.edu.au>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Realm Config Recommendations
>
> If you don't mind having prospective students in LDAP as well you can have
> them created in LDAP when they register in Keycloak. This applies to users
> registering with social IdPs as well. Might even help your onboarding of
> students as you'd already have some details filled in.
>
> Otherwise you could use the admin endpoints to link the KC user to an LDAP
> user when the student is created in LDAP.
>
> On 30 August 2016 at 06:17, Adam Keily <adam.keily at adelaide.edu.au> wrote:
>
> Hi,
>
> I'm new to Keycloak and we're investigating using it within our
> University. In the first instance it would be used as a registration point
> for external users, e.g. prospective students etc. They will either register
> via the form or using social IdPs in order to access various apps for
> these types of users.
>
> We want to remain open to using Keycloak for our internal (AD / LDAP)
> users to authenticate to these same apps as well as corporate applications.
>
> The tricky part comes where a prospective student (external identity)
> enrols and becomes a regular student (LDAP user). We would like them to
> continue to be recognised as a single identity and have their registered
> identities merged / linked with their new internal id.
>
> Hoping someone might be able to provide some guidance on the best way to
> go. There are a few ideas I've been testing.
>
> One is to have a single Keycloak realm for user registration and configure
> LDAP as a user federation source. However this would seem to rule out
> linking the accounts?
>
> Another idea was to configure two realms (internal and external) and have
> the internal realm act as an IdP for the external realm.
>
> Another option is to create three realms: internal, external and combined.
> The combined realm is used for SSO for all apps and the internal and
> external realms are configured to be IdPs for the combined realm. I can't
> help but feel this is starting to get more complicated than is necessary.
>
> Any guidance or thoughts would be much appreciated.
>
> Regards
>
> Adam
>
> --
> Adam Keily
> Risk & Security Services
> The University of Adelaide
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
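The thread leaves "use the admin endpoints to link" unexplained. The script below is an added illustration, not code from the list or the Keycloak project, of how that linking step looks in the two-realm layout Adam describes (the internal realm brokered as an identity provider of the external realm): once the student exists in LDAP and has been imported into the internal realm, an admin script writes a broker link on the external-realm user so that both accounts resolve to one identity. It uses only the standard Keycloak admin REST API (`admin-cli` password grant on the master realm, `GET /admin/realms/{realm}/users?username=`, and `POST /admin/realms/{realm}/users/{id}/federated-identity/{alias}`). The base URL, the realm names `external` and `internal`, the IdP alias `internal`, and the sample user records are assumptions. The `can_link` gate is the part a defender cares about: without it, anyone who self-registered an external account under a student's address first would have the student's internal identity attached to their account.

```python
"""Link an external-realm Keycloak user to the matching internal-realm (LDAP-backed)
user through the admin REST API. Added example; realm names, IdP alias and sample
records are assumptions. base_url includes the /auth prefix used by Keycloak 2.x."""
import json
import urllib.parse
import urllib.request


def build_link_request(base_url, external_realm, external_user_id, idp_alias,
                       internal_user_id, internal_username):
    """Build the call that records a broker link on a user:
    POST {base}/admin/realms/{realm}/users/{id}/federated-identity/{alias}
    Returns (url, json_body_bytes) so the request can be inspected before it is sent."""
    q = lambda s: urllib.parse.quote(s, safe="")
    url = (f"{base_url}/admin/realms/{q(external_realm)}/users/{q(external_user_id)}"
           f"/federated-identity/{q(idp_alias)}")
    body = {
        "identityProvider": idp_alias,
        "userId": internal_user_id,     # the user's id in the internal realm
        "userName": internal_username,  # the user's username in the internal realm
    }
    return url, json.dumps(body).encode("utf-8")


def can_link(external_user, internal_user):
    """Policy gate run before any link is written. Linking merges two accounts into one
    identity, so the only evidence accepted is a verified e-mail on the external
    (self-registered or social) account that equals the e-mail held for the LDAP user."""
    if not external_user.get("emailVerified", False):
        return False
    ext_mail = (external_user.get("email") or "").strip().lower()
    int_mail = (internal_user.get("email") or "").strip().lower()
    return bool(ext_mail) and ext_mail == int_mail


def get_admin_token(base_url, username, password):
    """Password grant against the master realm's admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode("utf-8")
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def find_user(base_url, token, realm, username):
    """GET /admin/realms/{realm}/users?username=...; returns the exact match or None."""
    url = (f"{base_url}/admin/realms/{urllib.parse.quote(realm, safe='')}/users?"
           + urllib.parse.urlencode({"username": username}))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        for user in json.load(resp):
            if user.get("username") == username:
                return user
    return None


def link_external_to_internal(base_url, token, external_realm, external_user,
                              idp_alias, internal_user):
    """Write the broker link, but only after can_link() accepts the pair."""
    if not can_link(external_user, internal_user):
        raise ValueError("refusing to link: external e-mail unverified or does not match")
    url, body = build_link_request(base_url, external_realm, external_user["id"], idp_alias,
                                   internal_user["id"], internal_user["username"])
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Keycloak answers 204 No Content on success


if __name__ == "__main__":
    # Constructed records standing in for admin API responses; no server is contacted here.
    external = {"id": "ext-0001", "username": "jane.doe@example.com",
                "email": "jane.doe@example.com", "emailVerified": True}
    internal = {"id": "int-0042", "username": "a1234567", "email": "Jane.Doe@example.com"}
    print("link allowed:", can_link(external, internal))
    url, body = build_link_request("https://sso.example/auth", "external", external["id"],
                                   "internal", internal["id"], internal["username"])
    print(url)
    print(body.decode())
```

In production the flow is: `get_admin_token`, `find_user` in the internal realm by the new LDAP username (the LDAP federation import creates it there), `find_user` in the external realm by the address the student registered with, then `link_external_to_internal`. Because the only evidence `can_link` trusts is a verified e-mail match, an external account whose address was never confirmed, or whose address differs from the LDAP record, is left unlinked and flagged for manual review rather than silently merged.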
