[keycloak-user] Fwd: Custom Identity Brokering for a CAS Server

Erlend Hamnaberg erlend at hamnaberg.net
Thu Aug 16 02:25:52 EDT 2018


Whoops, forgot to send this to the list.


Sure.

It all depends on how you want to implement this. You can for instance
implement the Authenticator SPI or use the IdentityProvider SPI.
These are very different implementations. I have used the IdentityProvider
SPI, and used the client libs from CAS.

If you are able to change the CAS server install, you can add the OpenId
Connect plugin and then the implementation becomes trivial, as you only
need to add that as an OIDC IdentityProvider config.
For my client, that was not possible.


/Erlend

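Erlend's route (IdentityProvider SPI plus the CAS client libs) means the broker's callback endpoint has to do CAS service-ticket validation itself: redirect the browser to CAS with a `service` URL, receive a one-time ticket on the callback, validate it over the back channel against the same `service`, and only then create or link the Keycloak user. The following is an added example in Python, not Erlend's or Keycloak's code: the CAS base URL, the broker endpoint URL (shaped like Keycloak's `/realms/{realm}/broker/{alias}/endpoint` callback) and the `fake_cas_fetch` stub are constructed so the exchange runs offline, with the CAS `serviceValidate` responses built in the protocol's documented XML shapes.

```python
"""Added example: CAS service-ticket validation as the callback side of a
Keycloak identity broker would perform it. Not code from the thread or from
Keycloak; CAS_BASE, SERVICE and fake_cas_fetch are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0/3.0 responses

# Constructed values: a CAS server and the broker callback for an IdP aliased "cas".
CAS_BASE = "https://cas.example.org/cas"
SERVICE = "https://keycloak.example.org/auth/realms/demo/broker/cas/endpoint"


class CasValidationError(Exception):
    """The CAS server rejected the ticket, or the response is unusable."""


@dataclass
class CasIdentity:
    user: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def build_login_url(cas_base: str, service: str) -> str:
    """Step 1: the broker redirects the browser here; CAS sends the user back
    to `service` with a one-time ticket appended as ?ticket=ST-..."""
    return f"{cas_base.rstrip('/')}/login?{urlencode({'service': service})}"


def extract_ticket(callback_url: str) -> str:
    """Step 2: accept exactly one service ticket from the callback request."""
    tickets = parse_qs(urlparse(callback_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        raise CasValidationError("callback does not carry a single service ticket")
    return tickets[0]


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Step 3: back-channel validation. `service` must be identical to the
    value used at /login: CAS binds the ticket to it and otherwise answers
    INVALID_SERVICE, so a ticket issued for another application is useless here."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/p3/serviceValidate?{query}"


def parse_service_response(xml_text: str) -> CasIdentity:
    """Step 4: parse cas:serviceResponse. Only an explicit authenticationSuccess
    with a non-empty cas:user is a login; any other document is a failure."""
    try:
        root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed CAS response: {exc}") from exc
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise CasValidationError(f"unexpected root element {root.tag}")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("response has neither success nor failure element")
    user_el = success.find("cas:user", CAS_NS)
    user = (user_el.text or "").strip() if user_el is not None else ""
    if not user:
        raise CasValidationError("authenticationSuccess without a cas:user")
    attrs: Dict[str, List[str]] = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:  # multi-valued attributes repeat the element
            name = child.tag.split("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return CasIdentity(user=user, attributes=attrs)


def validate_ticket(cas_base: str, service: str, callback_url: str,
                    fetch: Callable[[str], str]) -> CasIdentity:
    """Whole callback: ticket -> validate URL -> fetched XML -> identity.
    `fetch` is injected so this runs offline; in production it is an HTTPS GET
    with certificate verification against the CAS server."""
    ticket = extract_ticket(callback_url)
    return parse_service_response(fetch(build_validate_url(cas_base, service, ticket)))


# Constructed CAS responses in the protocol's documented shapes.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:email>alice@example.org</cas:email>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-999 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_cas_fetch(url: str) -> str:
    """Stand-in for the HTTPS call: one known ticket, bound to SERVICE only."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("ticket") == ["ST-1-abc"] and qs.get("service") == [SERVICE]:
        return SAMPLE_SUCCESS
    return SAMPLE_FAILURE


if __name__ == "__main__":
    print(build_login_url(CAS_BASE, SERVICE))
    print(validate_ticket(CAS_BASE, SERVICE, SERVICE + "?ticket=ST-1-abc", fake_cas_fetch))
```

The returned `CasIdentity` is what a broker would hand to Keycloak as the brokered identity (username plus attributes for first-login account creation or linking); the `service` value is the thing to keep fixed and registered on the CAS side, since the ticket is only valid for the exact URL it was issued to.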
On Wed, Aug 15, 2018 at 8:28 PM, Meissa M'baye Sakho <msakho at redhat.com>
wrote:

> Erlend,
> At least, you could give inputs if you are not allowed to publish.
>
> 2018-08-14 13:00 GMT+02:00 Erlend Hamnaberg <erlend at hamnaberg.net>:
>
>> I have done this for my client.
>>
>> It is quite possible to do, however it is not trivial.
>> Not sure if I'm allowed to publish the source for the integration, but I
>> will ask.
>>
>>
>> /Erlend
>>
>> On Tue, Aug 14, 2018 at 12:07 PM, Rémy Grünblatt <remy at grunblatt.org>
>> wrote:
>>
>>> Hi,
>>>
>>> This adds a client protocol, what we are searching for is the other way
>>> around (use the CAS as a provider).
>>>
>>> Thanks,
>>> Rémy
>>>
>>> On 14 Aug 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho <
>>> msakho at redhat.com> wrote:
>>> >Remy,
>>> >take a look at this [1]
>>> > [1] =https://github.com/Doccrazy/keycloak-protocol-cas
>>> >
>>> >Meissa
>>> >
>>> >2018-08-14 11:25 GMT+02:00 Rémy Grünblatt <remy at grunblatt.org>:
>>> >
>>> >> Hello,
>>> >>
>>> >> We would like to have a Keycloak server use data from a legacy auth
>>> >> system (namely, a CAS server,
>>> >> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
>>> >> authenticate people. We do not have admin rights on the CAS server,
>>> >> nor are we able to access the underlying LDAP database it uses
>>> >> internally.
>>> >>
>>> >> People would be able to have « pure » keycloak accounts (new users),
>>> >> but also link their identity from the CAS or use the CAS to identify,
>>> >> and create an account the first time they do so.
>>> >>
>>> >> I tried to find documentation to develop our own identity provider
>>> >> (as Keycloak only has social, OIDC, and SAML providers), but I find it
>>> >> difficult to guess which interfaces we need to implement.
>>> >>
>>> >> Right now, this is what I have:
>>> >> https://github.com/Reventl0v/KeycloakCAS
>>> >>
>>> >>
>>> >> So, questions:
>>> >>
>>> >> - Is there somewhere a list of everything we need to implement, besides
>>> >> looking at the code of Keycloak?
>>> >> - Is there some custom provider example code online for something
>>> >> that does not talk OIDC or SAML and is not a social provider?
>>> >> - Do you think it's a good idea to create such a provider?
>>> >>
>>> >>
>>> >> I found
>>> >>
>>> >> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
>>> >> but I have no news about the result of this endeavour: Dominik (can I
>>> >> call you Dominik?), did you manage to achieve this goal?
>>> >>
>>> >> Many thanks,
>>> >>
>>> >> Rémy
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
>>
>>
>

