[keycloak-user] Mutual Trust via Identity Brokering

Michael Poettgen MPoettgen at clifford-thames.com
Wed Nov 15 06:34:01 EST 2017

Hello Everyone,

We would like to set up two (or more) Keycloak systems (in different, remote locations) and would like to establish something like mutual trust between them using Identity Brokering. For two IdPs A and B, each of the two should have their own accounts and should be set up to broker to the other IdP, e.g. via 'Keycloak OpenID Connect'. This would have the advantage that a client of A could be used by a user of B and vice versa.

Is this something that

* Definitely works
* Works, but with pitfalls ...
* Should work
* Doesn't work, because ...

An interesting situation may be if a user tries to use a client and is redirected to IdP A, where he then clicks on "Authenticate via IdP B", where he then clicks on "Authenticate via IdP A", where he then clicks on "Authenticate via IdP B" and so on. Can this be avoided?
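The set-up asked about above, as an added example that is not part of the original post: two Keycloak realms, each carrying one identity provider of type `keycloak-oidc` that points at the other, plus the broker redirect URI each side must register as a valid redirect on the remote client. Base URLs, realm names, client ids and secrets are constructed placeholders; the endpoint layout (`/realms/{realm}/protocol/openid-connect/...`, `/realms/{realm}/broker/{alias}/endpoint`) and the config keys (`hideOnLoginPage`, `validateSignature`, `useJwksUrl`, `jwksUrl`) are the ones the Keycloak admin REST API accepts for an identity-provider instance. The example also walks the brokering graph to flag every A<->B pair, since that is exactly where the manual "Authenticate via IdP A / via IdP B" ping-pong can start, and builds a login URL with `kc_idp_hint`, which sends the user straight to the named IdP instead of showing the login page with its list of brokers.

```python
"""Added example (not from the mailing-list thread): generate the paired
identity-provider payloads for mutual Keycloak-to-Keycloak brokering and
flag mutual pairs in the brokering graph."""
from itertools import combinations
from urllib.parse import urlencode


def oidc_endpoints(base_url: str, realm: str) -> dict:
    """Standard OIDC endpoint layout of a Keycloak realm."""
    root = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {
        "authorizationUrl": f"{root}/auth",
        "tokenUrl": f"{root}/token",
        "userInfoUrl": f"{root}/userinfo",
        "logoutUrl": f"{root}/logout",
        "jwksUrl": f"{root}/certs",
    }


def broker_redirect_uri(local_base: str, local_realm: str, alias: str) -> str:
    """Callback URL Keycloak uses for the broker named `alias`; it must be an
    allowed redirect URI on the client registered in the remote realm."""
    return f"{local_base.rstrip('/')}/realms/{local_realm}/broker/{alias}/endpoint"


def broker_config(alias: str, remote: dict, hide_on_login: bool = False) -> dict:
    """IdentityProviderRepresentation for POST
    /admin/realms/{local}/identity-provider/instances (keycloak-oidc type)."""
    return {
        "alias": alias,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "config": {
            **oidc_endpoints(remote["base"], remote["realm"]),
            "clientId": remote["client_id"],          # client created in the remote realm
            "clientSecret": remote["client_secret"],
            "validateSignature": "true",             # verify remote token signatures
            "useJwksUrl": "true",                    # fetch keys from the remote JWKS endpoint
            # Hiding the broker on the login page removes one leg of the ping-pong
            # for users who land on this realm via the other broker.
            "hideOnLoginPage": "true" if hide_on_login else "false",
        },
    }


def mutual_trust(a: dict, b: dict) -> dict:
    """Both halves of an A<->B brokering set-up, with the redirect URI each
    remote client must allow."""
    alias_a_to_b, alias_b_to_a = f"idp-{b['realm']}", f"idp-{a['realm']}"
    return {
        "in_a": broker_config(alias_a_to_b, b),
        "register_in_b": broker_redirect_uri(a["base"], a["realm"], alias_a_to_b),
        "in_b": broker_config(alias_b_to_a, a),
        "register_in_a": broker_redirect_uri(b["base"], b["realm"], alias_b_to_a),
    }


def find_mutual_pairs(graph: dict) -> list:
    """graph maps realm -> set of realms it brokers to; return the pairs that
    broker to each other (the cycles the post asks about)."""
    return sorted(
        (x, y) for x, y in combinations(sorted(graph), 2)
        if y in graph[x] and x in graph.get(y, set())
    )


def login_url_with_hint(base: str, realm: str, client_id: str,
                        redirect_uri: str, idp_alias: str) -> str:
    """Authorization URL that pins the user to one broker via kc_idp_hint, so the
    login page (and its list of other brokers) is skipped."""
    auth = oidc_endpoints(base, realm)["authorizationUrl"]
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "openid",
              "kc_idp_hint": idp_alias}
    return f"{auth}?{urlencode(params)}"


# Constructed placeholder realms (not real deployments).
REALM_A = {"realm": "A", "base": "https://kc-a.example", "client_id": "broker-from-b",
           "client_secret": "secret-a-placeholder"}
REALM_B = {"realm": "B", "base": "https://kc-b.example", "client_id": "broker-from-a",
           "client_secret": "secret-b-placeholder"}

if __name__ == "__main__":
    import json
    print(json.dumps(mutual_trust(REALM_A, REALM_B), indent=2))
    print(find_mutual_pairs({"A": {"B"}, "B": {"A", "C"}, "C": set()}))
    print(login_url_with_hint(REALM_A["base"], "A", "my-app",
                              "https://app.example/cb", "idp-B"))
```

The payloads are what you would send to the admin REST API of each realm; the two `register_in_*` values are the redirect URIs to whitelist on the corresponding client on the other side. Whether an additional loop guard is needed beyond `hideOnLoginPage` and `kc_idp_hint` depends on the Keycloak version in use, so check the brokering behaviour on a test pair before relying on it.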
