[keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync

jlord87 at gmail.com jlord87 at gmail.com
Wed Aug 8 06:58:13 EDT 2018


Thank you Dmitry for your reply

> > I think that Redmine and NextCloud fall into this category. OIDC/SAML
> > enabling is usually done by the means of some
> > adapters/plugins/extensions, or whatever this might be called in the
> > target app's terms. So this should become number one on your list.

I do agree; I've already made some tests, and it should be quite easy.

> > AD integration is completely different stuff. This is called user
> > federation, and its purpose is to combine several external user
> > datasources into a single, unified virtual one. AFAIK, there is no
> > OOTB mechanism to define which external AD the newly created user
> > should go to.

Too bad, I would have probably needed the opposite, some kind of "user
propagation". Would it make any sense to create a realm for each AD and
configure as Identity Provider another "master" realm (acting as
centralized user repository) in which I would create a client template
for every AD?

> > But what we love about Keycloak is its ultimate extensibility, so I
> > wouldn't rule out the possibility of implementing this with the
> > help of an extension.

Well, I'll be here waiting for this to happen :)

> > GSuite, in its turn, is completely standalone here. AFAIK it
> > supports only Google's authentication, and doesn't allow to delegate
> > it to 3rd party services (or does it?)

GSuite should be able to act as SAML Identity Provider or as a Service
Provider (https://support.google.com/a/answer/60224?hl=en). It would
probably be "easy" to connect also this piece of the puzzle.

Thank you again!

On Tue, 2018-08-07 at 16:08 +0300, Dmitry Telegin wrote:
> Hi Francesco, sorry for late response,
>
> Well, seems you've got quite a soup of different applications, and
> bringing Keycloak in control of *all* of them may be quite challenging.
>
> First, you'll need to understand what Keycloak is and what it is not.
> Keycloak is an SSO (Single Sign-On) and IAM (Identity and Access
> Management) solution intended for securing web applications (but not
> limited to them).
>
> This is done with the help of OpenID Connect and SAML protocols. So the
> first question you'll need to answer is: which applications already
> support this, or could support with minimal efforts?
>
> I think that Redmine and NextCloud fall into this category. OIDC/SAML
> enabling is usually done by the means of some
> adapters/plugins/extensions, or whatever this might be called in the
> target app's terms. So this should become number one on your list.
>
> AD integration is completely different stuff. This is called user
> federation, and its purpose is to combine several external user
> datasources into a single, unified virtual one. AFAIK, there is no OOTB
> mechanism to define which external AD the newly created user should go
> to. But what we love about Keycloak is its ultimate extensibility, so I
> wouldn't rule out the possibility of implementing this with the help of
> an extension.
>
> GSuite, in its turn, is completely standalone here. AFAIK it supports
> only Google's authentication, and doesn't allow to delegate it to 3rd
> party services (or does it?) One of the possible variants is using
> Okta, but it:
> 1) actually works as a password manager,
> 2) installs a browser plugin,
> 3) requires commercial subscription.
>
> Hope this helps, and good luck with Keycloak!
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-07-24 at 14:15 +0200, jlord87 at gmail.com wrote:
> > Hello guys,
> >
> > I'm really new to keycloak and I need your help to understand if this
> > is what I'm really looking for; I am the IT administrator in a
> > non-profit environment, managing servers and services for several
> > non-profit organizations.
> >
> > What I'm trying to achieve is the centralization of the
> > authentication and authorization process: every user should just have
> > one password and one "username". The difficult part is that the
> > environment I work in is really "fluid": there are a lot of people
> > working or volunteering in one or more different organizations. Every
> > organization has its own active directory server (to manage desktop
> > authentication and some CIFS share), its own gsuite (for emails) and
> > at the same time, there are services shared by all (or some) of these
> > organizations (like a redmine ticketing system, nextcloud file server
> > and so on).
> >
> > What I'm dreaming of is to manage everything from a single software (I
> > tried gluu but it had some annual fees we cannot afford to pay): I
> > would like to create a user (something like name.surname) and add to
> > this user "permissions", something like "user1 should be able to
> > access gsuite 1, gsuite2, nextcloud and active directory 1". I've
> > uploaded a scheme in this pdf:
> > https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
> >
> > Do you think keycloak is capable of this? I played around a bit, read
> > a lot of documentation and what I wasn't able to achieve was a
> > selective active directory user sync... Maybe my error was trying to
> > do everything in the same realm, what do you think about it?
> >
> > Thank you for any hint
> > Francesco
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
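As an added example (not code from this thread, from Dmitry, or from the Keycloak project), the following Python builds the admin REST API payloads for the per-organization AD user federation Dmitry describes, with one difference from what Francesco tried: each AD provider carries a custom user search filter restricted to one AD group, which is the selective sync he was after, and only one provider has registration sync turned on. Everything beyond the thread is an assumption to verify against the Keycloak version in use: that the built-in LDAP provider is `providerId` "ldap" with the config keys shown and one-element string lists as values, that a user created in Keycloak is propagated to the enabled provider with the lowest priority value whose `syncRegistrations` is true, and the hostname, realm name and DNs, which are made up.

```python
"""Per-organisation AD user federation for Keycloak (added example, not
code from the thread or from Keycloak). Assumed, verify for your version:
the built-in LDAP provider is providerId "ldap" and the admin REST API
takes each config value as a one-element list of strings; a user created
in Keycloak is propagated to the enabled provider with the lowest
priority value whose syncRegistrations is true."""
import json

KEYCLOAK_BASE = "https://sso.example.org"  # assumed hostname
REALM = "nonprofits"                       # assumed realm name
PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP filter. Backslash
    first, so the other escapes are not double-escaped; without this a
    crafted DN could widen the filter with ")(" and import extra users."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, esc)
    return value


def ad_federation_component(name, connection_url, users_dn, bind_dn,
                            bind_credential, priority,
                            allowed_group_dn=None, sync_registrations=False):
    """ComponentRepresentation for one AD forest, to be POSTed to
    {KEYCLOAK_BASE}/admin/realms/{REALM}/components with an admin token.
    READ_ONLY keeps Keycloak from writing into AD; allowed_group_dn becomes
    a custom user search filter so only that AD group is ever imported."""
    if not connection_url.startswith("ldaps://"):
        raise ValueError("%s: refusing a cleartext LDAP bind" % name)
    config = {
        "vendor": ["ad"], "authType": ["simple"],
        "connectionUrl": [connection_url], "usersDn": [users_dn],
        "bindDn": [bind_dn], "bindCredential": [bind_credential],
        "usernameLDAPAttribute": ["sAMAccountName"],
        "rdnLDAPAttribute": ["cn"], "uuidLDAPAttribute": ["objectGUID"],
        "userObjectClasses": ["person, organizationalPerson, user"],
        "editMode": ["READ_ONLY"], "importEnabled": ["true"],
        "syncRegistrations": ["true" if sync_registrations else "false"],
        "priority": [str(priority)], "enabled": ["true"],
    }
    if allowed_group_dn is not None:
        # Keycloak requires the custom filter to be fully parenthesised.
        config["customUserSearchFilter"] = [
            "(memberOf=%s)" % ldap_filter_escape(allowed_group_dn)]
    return {"name": name, "providerId": "ldap",
            "providerType": PROVIDER_TYPE, "config": config}


def registration_target(components):
    """Name of the provider that would receive a Keycloak-created user under
    the assumed first-enabled-by-priority rule, or None if none accepts."""
    candidates = [c for c in components
                  if c["config"]["enabled"] == ["true"]
                  and c["config"]["syncRegistrations"] == ["true"]]
    if not candidates:
        return None
    return min(candidates,
               key=lambda c: int(c["config"]["priority"][0]))["name"]


def redacted(component):
    """Deep copy that is safe to log or diff: the bind password is masked."""
    out = json.loads(json.dumps(component))
    out["config"]["bindCredential"] = ["********"]
    return out


if __name__ == "__main__":
    # Constructed sample: two organisations; only org1 receives new users.
    ads = [
        ad_federation_component(
            "org1-ad", "ldaps://dc1.org1.local:636",
            "OU=People,DC=org1,DC=local",
            "CN=keycloak-svc,OU=Service,DC=org1,DC=local", "example-only",
            priority=0, sync_registrations=True,
            allowed_group_dn="CN=Keycloak Users,OU=Groups,DC=org1,DC=local"),
        ad_federation_component(
            "org2-ad", "ldaps://dc1.org2.local:636",
            "OU=People,DC=org2,DC=local",
            "CN=keycloak-svc,OU=Service,DC=org2,DC=local", "example-only",
            priority=1,
            allowed_group_dn="CN=Keycloak Users,OU=Groups,DC=org2,DC=local"),
    ]
    print("POST %s/admin/realms/%s/components" % (KEYCLOAK_BASE, REALM))
    for c in ads:
        print(json.dumps(redacted(c), indent=2))
    print("new Keycloak users go to:", registration_target(ads))
```

The payloads are meant to be sent one at a time to the realm's components endpoint with an admin bearer token; they are printed redacted so the bind password never lands in a shell history or ticket. The `memberOf` filter is what makes the sync selective: an account outside the named group is never imported, so it cannot log in through Keycloak even if it exists in that AD. The escaping in `ldap_filter_escape` matters if group DNs ever come from a form or a spreadsheet rather than being typed by the administrator.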