[keycloak-user] Technical Guidance

Stian Thorgersen sthorger at redhat.com
Mon Jan 2 03:24:27 EST 2017


What about using the Ping provider as the single identity brokering
provider in Keycloak and also set it as the default so the login screen on
Keycloak won't be shown?

On 22 December 2016 at 14:02, Dana Danet <Dana.Danet at evisions.com> wrote:

> I was concerned you might suggest that :).  While a valid option, it
> unfortunately would require me to add hundreds of custom InCommon
> providers for our customers to handle the user property mappings.  Not to
> mention many customer build systems.
>
> Our company's in-company customer onboarding and integrations team has
> chosen Ping to handle this part of the handshake and would like to hand
> off a SAML 2 token to Keycloak.  Most of them do not like the idea of
> exposing internal requests into their systems and would prefer to have the
> login start internally. Additionally I would need to brand every login page
> within Keycloak.
>
> Thoughts?
>
> On Dec 21, 2016, at 10:32 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> Why not just register the customer IdPs directly with Keycloak using
> identity brokering?
>
> On 22 December 2016 at 02:27, Dana Danet <Dana.Danet at evisions.com> wrote:
>
>> Thank you for responding and I apologize if my question was misleading,
>> let me try again.
>>
>> My requirement is to support an SSO IdM/IdP for customers without their
>> own system, ideally in a multi-tenant way, and to support SSO for customers
>> that have on-premise SSO implementations, mostly InCommon.
>>
>> We have decided to implement Ping as an SP to handshake with the
>> on-premise (InCommon) customers, since these integration points could be
>> more than just InCommon.  My thought is that Ping will accept the authN,
>> translate the properties to a grant (SAML2) and forward to Keycloak to
>> create the JWT.  I attached an image reflecting this below.
>>
>> My question is how would I register within Keycloak that AuthN would be
>> handled by Ping, and to create a JWT.
>>
>> On Dec 15, 2016, at 11:41 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>> Not quite sure what you're asking here as there seems to be 3 IdPs?
>> Customer IdP, Ping and Keycloak?
>>
>> On 14 December 2016 at 17:25, Dana Danet <Dana.Danet at evisions.com> wrote:
>>
>>> I just recently introduced KC to a Spring Cloud micro-service
>>> environment as the IDM and OAuth manager of JWT tokens.  Front end clients
>>> are implementing the JavaScript adapter and backend Spring Boot services
>>> are implemented with the Spring Security adapter (not the Boot adapter).  Our
>>> Service Gateway (Zuul) simply passes the token to backend services.
>>>
>>> My question is regarding offloading AuthN and IdP to external
>>> systems and then brokering to Keycloak for JWT creation.  Which would look
>>> something like
>>>   ( Customer on premise AuthN) —> Ping —>  Keycloak.  Ping has been
>>> introduced purely as an SP to handle customers' implementations of
>>> Shibboleth and InCommon.  Initially I was thinking that IdP - Ping SP
>>> mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>>>
>>> Is this possible?  I would appreciate some guidance here.
>>>
>>> -dana
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
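
A concrete form of the setup Stian suggests above, as an added example that is not part of the original thread and not code from the Keycloak project: a partial realm import in the JSON format the admin console's import/export uses. It registers Ping as the realm's only SAML identity provider, maps the canonical attributes Ping emits onto the Keycloak user (one set of mappers instead of one per customer IdP), and defines a copy of the browser flow whose Identity Provider Redirector carries an authenticator config with `defaultProvider` set to the Ping alias, so browser logins are redirected straight to Ping and Keycloak's own login form is never shown. The realm name, the `ping` alias, the Ping URLs, the attribute names and the truncated certificate are placeholders to replace with your own values; `autheticatorFlow` is spelled that way in Keycloak's export format, not a typo here.

```json
{
  "realm": "example",
  "browserFlow": "browser-ping",
  "identityProviders": [
    {
      "alias": "ping",
      "displayName": "Ping (customer SSO)",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": true,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "singleSignOnServiceUrl": "https://ping.example.com/idp/SSO.saml2",
        "singleLogoutServiceUrl": "https://ping.example.com/idp/SLO.saml2",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "postBindingResponse": "true",
        "postBindingAuthnRequest": "true",
        "wantAuthnRequestsSigned": "true",
        "wantAssertionsSigned": "true",
        "validateSignature": "true",
        "signatureAlgorithm": "RSA_SHA256",
        "signingCertificate": "MIIC...placeholder, Ping's signing certificate goes here..."
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "ping-email",
      "identityProviderAlias": "ping",
      "identityProviderMapper": "saml-user-attribute-idp-mapper",
      "config": { "attribute.name": "mail", "user.attribute": "email" }
    },
    {
      "name": "ping-customer-id",
      "identityProviderAlias": "ping",
      "identityProviderMapper": "saml-user-attribute-idp-mapper",
      "config": { "attribute.name": "customerId", "user.attribute": "customerId" }
    }
  ],
  "authenticatorConfig": [
    { "alias": "ping-default", "config": { "defaultProvider": "ping" } }
  ],
  "authenticationFlows": [
    {
      "alias": "browser-ping",
      "description": "browser flow that redirects to Ping by default",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-cookie", "requirement": "ALTERNATIVE",
          "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false },
        { "authenticator": "identity-provider-redirector", "authenticatorConfig": "ping-default",
          "requirement": "ALTERNATIVE", "priority": 20, "userSetupAllowed": false, "autheticatorFlow": false },
        { "flowAlias": "browser-ping forms", "requirement": "ALTERNATIVE",
          "priority": 30, "userSetupAllowed": false, "autheticatorFlow": true }
      ]
    },
    {
      "alias": "browser-ping forms",
      "description": "local username/password form, kept as the fallback",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-username-password-form", "requirement": "REQUIRED",
          "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }
      ]
    }
  ]
}
```

Two points a practitioner should check before importing this. First, with a default redirector Keycloak creates or links a local user for whoever Ping asserts, so `validateSignature` and `wantAssertionsSigned` must stay `true` and `signingCertificate` must be Ping's real certificate; otherwise any party that can post to the broker endpoint can mint users. Second, the `trustEmail` flag skips Keycloak's email verification on first broker login and is only appropriate if Ping (and behind it the customer IdP) is the authority for that address. If only some clients should bypass the Keycloak login page, the same redirect can be requested per client instead of per realm: the JavaScript adapter's `keycloak.login({ idpHint: 'ping' })` sends the `kc_idp_hint` parameter that the Identity Provider Redirector honours even without a `defaultProvider`.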


More information about the keycloak-user mailing list