[keycloak-user] SaaS idp brokering

Dmitry Telegin dt at acutus.pro
Wed Nov 14 13:15:15 EST 2018


Hi, you're welcome,

On Wed, 2018-11-14 at 18:37 +0100, lists wrote:
> Hi Dmitri,
> 
> Thanks for your follow-up.
> 
> The idea is to both keep our current IdPs, and use an 'umbrella' 
> brokering IdP for the applications that need to be shared between the 
> two institutes.
> 
> It's just the brokering IdP that has to be SaaS.

Thanks for the info, it's clear now.

> We also just discovered Ping Identity, making our shortlist:
> 
> - PingIdentity
> - OneLogin
> - okta
> - gluu
> 
> Anyone here with arguments against / in favour of / experience with one 
> of these options?

I used to work with PingIdentity (or rather on-premise PingFederate) and Okta, using SAML in both cases, and the results were perfect. For Okta, I'd recommend an excellent article by Michael Furman [1]. Michael uses SAML too; don't know if you're going to use SAML or OpenID Connect, but in the latter case the process should be similar. Please read this [2] on the protocol choice.

NB you can use whatever combination of protocols you like (OIDC at Keycloak + SAML at SaaS IdP or vice versa), but probably not if you're seriously considering IdP-initiated login. In that case, things work more smoothly with pure SAML.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://ultimatesecurity.pro/post/okta-saml/
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-vs-saml

> 
> MJ
> 
> On 14-11-2018 4:15, Dmitry Telegin wrote:
> > Quick question: do you plan to decommission both your Keycloak and
> > sister institute's IdP, and migrate everything to a SaaS IdP? Or do you
> > want both your IdPs to broker to SaaS? Or is your sister institute going
> > to migrate to SaaS IdP, and you have to broker to it from your
> > Keycloak?

