[keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync

Dmitry Telegin dt at acutus.pro
Tue Aug 7 09:08:28 EDT 2018


Hi Francesco, sorry for the late response,

Well, it seems you've got quite a soup of different applications, and
bringing Keycloak in control of *all* of them may be quite challenging.

First, you'll need to understand what Keycloak is and what it is not.
Keycloak is an SSO (Single Sign-On) and IAM (Identity and Access
Management) solution intended for securing web applications (but not
limited to them).

This is done with the help of the OpenID Connect and SAML protocols. So the
first question you'll need to answer is: which applications already
support this, or could support it with minimal effort?

I think that Redmine and NextCloud fall into this category.
OIDC/SAML enabling is usually done by means of some
adapters/plugins/extensions, or whatever this might be called in the
target app's terms. So this should become number one on your list.

AD integration is completely different stuff. This is called user
federation, and its purpose is to combine several external user data
sources into a single, unified virtual one. AFAIK, there is no OOTB
mechanism to define which external AD the newly created user should go
to. But what we love about Keycloak is its ultimate extensibility, so
I wouldn't rule out the possibility of implementing this with the help 
of an extension.

GSuite, in its turn, is completely standalone here. AFAIK it supports
only Google's authentication, and doesn't allow delegating it to 3rd
party services (or does it?). One of the possible variants is using Okta, but it:
1) actually works as a password manager,
2) installs a browser plugin,
3) requires commercial subscription.

Hope this helps, and good luck with Keycloak!

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-07-24 at 14:15 +0200, jlord87 at gmail.com wrote:
> Hello guys,
> 
> I'm really new to keycloak and I need your help to understand if this
> is what I'm really looking for;
> I am the IT administrator in a non-profit environment, managing servers
> and services for several non-profit organizations.
> 
> What I'm trying to achieve is the centralization of the authentication
> and authorization process: every user should just have one password and
> one "username".
> The difficult part is that the environment I work in is really "fluid":
> there are a lot of people working or volunteering in one or more
> different organizations. Every organization has its own active directory
> server (to manage desktop authentication and some CIFS share), its own
> gsuite (for emails) and at the same time, there are services shared by
> all (or some) of these organizations (like a redmine ticketing system,
> nextcloud file server and so on).
> 
> What I'm dreaming of is to manage everything from a single software (I
> tried gluu but it had some annual fees we cannot afford to pay): I
> would like to create a user (something like name.surname) and add to
> this user "permissions", something like "user1 should be able to access
> gsuite 1, gsuite2, nextcloud and active directory 1".
> I've uploaded a scheme in this pdf: 
> https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
> 
> Do you think keycloak is capable of this? I played around a bit, read a
> lot of documentation and what I wasn't able to achieve was a selective
> active directory user sync...
> Maybe my error was trying to do everything in the same realm, what do
> you think about it?
> 
> Thank you for any hint
> 
> Francesco
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
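An added example, not from this thread and not code from the Keycloak project: the script below builds the admin-REST representations for the layout Dmitry's reply sketches (one LDAP/AD user-federation component per organization, one confidential OIDC client per shared app such as Redmine or NextCloud) and audits each AD component for the settings that matter once several directories feed a single realm. It uses the built-in `ldap` user-storage provider and its documented config keys; the closest out-of-the-box answer to Francesco's "selective sync" is the `customUserSearchFilter`, which limits the provider to members of one AD group, and `syncRegistrations` is kept off because, as the reply notes, Keycloak has no per-organization rule for where a user created in Keycloak should go. The Keycloak URL, realm name, hostnames, DNs, callback paths and the `KEYCLOAK_ADMIN_TOKEN` environment variable are all assumptions made for the example; nothing is sent to a server unless that token is set.

```python
"""Added example (not from the thread or the Keycloak project).
One AD user-federation component per organization, one OIDC client per
shared app, plus an audit of each AD component.  All hosts, DNs, URLs
and the realm name are constructed for the example."""
import json
import os
import urllib.request

KEYCLOAK = os.environ.get("KEYCLOAK_URL", "https://sso.example.org/auth")  # assumed
REALM = "nonprofits"  # assumed realm name


def ad_federation(name, host, base_dn, bind_dn, bind_password, sso_group_dn):
    """Representation of the built-in 'ldap' user-storage provider.
    Config values are lists of strings.  customUserSearchFilter keeps the
    provider to one AD group ("selective sync"); syncRegistrations stays
    off so Keycloak-created users are not pushed into an arbitrary AD."""
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "vendor": ["ad"],
            "connectionUrl": ["ldaps://%s:636" % host],
            "useTruststoreSpi": ["ldapsOnly"],
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_password],
            "usersDn": ["OU=People," + base_dn],
            "usernameLDAPAttribute": ["sAMAccountName"],
            "rdnLDAPAttribute": ["cn"],
            "uuidLDAPAttribute": ["objectGUID"],
            "userObjectClasses": ["person, organizationalPerson, user"],
            "customUserSearchFilter": ["(memberOf=%s)" % sso_group_dn],
            "editMode": ["READ_ONLY"],
            "syncRegistrations": ["false"],
            "priority": ["0"],
        },
    }


def oidc_client(client_id, redirect_uris):
    """Confidential OIDC client for an app that has an OIDC adapter/plugin."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,
        "clientAuthenticatorType": "client-secret",
        "standardFlowEnabled": True,  # authorization-code flow only
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": list(redirect_uris),  # exact callbacks, no wildcards
    }


def _first(cfg, key):
    return cfg.get(key, [""])[0]


def audit_federation(component):
    """Settings a reviewer would flag on an AD provider; empty list means ok."""
    cfg, findings = component["config"], []
    if not _first(cfg, "connectionUrl").startswith("ldaps://"):
        findings.append("connectionUrl is not ldaps://: bind password crosses the wire in clear")
    if not _first(cfg, "bindCredential"):
        findings.append("empty bindCredential (anonymous bind)")
    if _first(cfg, "editMode") != "READ_ONLY":
        findings.append("editMode lets Keycloak write into the directory")
    if _first(cfg, "syncRegistrations") == "true":
        findings.append("syncRegistrations would push Keycloak-created users into this AD")
    if not _first(cfg, "customUserSearchFilter"):
        findings.append("no customUserSearchFilter: every AD account becomes a realm user")
    return findings


def post(path, body, token):
    """POST one representation to /admin/realms/{realm}/{path}; returns HTTP status."""
    req = urllib.request.Request(
        "%s/admin/realms/%s/%s" % (KEYCLOAK, REALM, path),
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201; the Location header carries the new object's id


# Constructed sample input: two organizations with their own AD, two shared apps.
ORGS = [dict(name="org%d-ad" % i, host="dc1.org%d.local" % i, base_dn="DC=org%d,DC=local" % i,
             bind_dn="CN=keycloak,OU=Service Accounts,DC=org%d,DC=local" % i,
             bind_password="change-me-%d" % i,
             sso_group_dn="CN=SSO Users,OU=Groups,DC=org%d,DC=local" % i) for i in (1, 2)]
APPS = [dict(client_id="nextcloud", redirect_uris=["https://cloud.example.org/oidc/callback"]),
        dict(client_id="redmine", redirect_uris=["https://redmine.example.org/oidc/callback"])]

if __name__ == "__main__":
    components = [ad_federation(**o) for o in ORGS]
    for comp in components:
        print(comp["name"], audit_federation(comp) or "ok")
    token = os.environ.get("KEYCLOAK_ADMIN_TOKEN")  # assumed; only then talk to a server
    if token:
        for comp in components:
            post("components", comp, token)
        for app in APPS:
            post("clients", oidc_client(**app), token)
```

Run it without the token to print the audit of each constructed component; with an admin bearer token it creates the components and clients in the realm. The audit encodes the decisions a practitioner makes when several ADs sit behind one realm: LDAPS with the truststore SPI, a real bind account, read-only edit mode, no registration sync, and a group-scoped search filter so that only the accounts each organization opts in are turned into realm users.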