[keycloak-user] Advice on setting up realms

Olivier Rivat orivat at janua.fr
Thu Mar 21 11:54:50 EDT 2019


Hi Chris,


Couple of points:
1) >  Can I make these two types of user coexist in a single realm, or 
do I need to split it up?

- Authentication is on a per-realm basis.
For authentication you configure a corresponding authentication flow, by
default for the entire realm.

With 4.X and 5.0, you can override the default authentication flow
for specific client applications.

If you want 2 different ways to authenticate (staff with 2FA,
username/password + TOTP, and external with 1FA, username/password),
it is best to have two different realms, with one realm for staff and another
for external people.


2) > How can I enforce policies such as requiring TOTP for our staff?
You just have to indicate that TOTP is required in the staff realm's
authentication flow.


3) > Can I prevent users from changing their email address and name in 
the account console while still permitting password and authenticator 
changes?
At first glance, there seems to be no specific tuning for this, other than
writing a specific custom plugin.


Visit also our web site for info about TOTP and realms:
http://www.janua.fr/tag/technical-blog/


Don't hesitate to come back to us if you need any further help.

Regards,

Olivier Rivat



Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr


On 21/03/2019 at 15:56, Chris Boot wrote:
> Hi folks,
>
> I’ve been looking for an IdP solution for my employer for months and
> have felt like I’ve been going round and round in circles, until I
> finally gave Keycloak another try. It’s like a breath of fresh air! So
> thanks folks.
>
> Our Keycloak instance will be used to protect about a dozen
> applications, things like our wiki, monitoring control panel, and so on.
> We’ll have two different types of users who will need to use the IdP and
> login to these applications: staff and partners.
>
> Staff will need to login using LDAP federation and will be required to
> use TOTP. They should not be able to use social providers to log in.
> Staff will use their email address to login and all will use a single
> RHS domain for their email addresses.
>
> Partners will not have LDAP accounts, and should be able to opt-in to
> use TOTP. They should ideally also be able to link social accounts (e.g.
> Google or GitHub) to their existing records. Anyone not using our
> corporate email domain, but who has an account, should be considered a
> partner.
>
> Some of our applications can only be configured with a single OIDC or
> SAML provider, so Keycloak would need to handle both types of accounts
> (e.g. staff / partner) from a single login interface.
>
> I therefore have a few questions about how I might achieve such a setup:
>
> - Can I make these two types of user coexist in a single realm, or do I
> need to split it up?
>
> - How can I enforce policies such as requiring TOTP for our staff?
>
> - Can I prevent users from changing their email address and name in the
> account console while still permitting password and authenticator changes?
>
> Thanks in advance for any suggestions.
>
> Cheers,
> Chris
>
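The model Olivier describes in points 1 and 2 (an authentication flow bound per realm, a per-client override of that binding in 4.x/5.0, and the OTP Form step set to REQUIRED) can be checked mechanically against a realm export rather than by clicking through the admin console. The script below is an added example, not code from this thread or from the Keycloak project. It uses the field names of a real realm export (authenticationFlows, authenticationExecutions, browserFlow, identityProviders, authenticationFlowBindingOverrides, and the authenticator ids auth-cookie, auth-username-password-form, auth-otp-form, identity-provider-redirector), but the two realm dicts are constructed, trimmed-down exports: the flow ids, the browser-otp flow and the monitoring client are made up for illustration.

```python
"""Audit Keycloak realm exports for what the thread discusses: is the OTP
Form step REQUIRED in the browser flow a realm (or a client override) uses,
and does a login path exist that never reaches it. Added example, not
Keycloak's own code. The realm dicts are constructed, trimmed-down exports;
flow ids, the 'browser-otp' flow and the 'monitoring' client are made up."""


def _auth(provider, requirement):
    # One authenticator execution as it appears in an export.
    return {"authenticator": provider, "requirement": requirement,
            "autheticatorFlow": False}  # sic: Keycloak's own spelling of the field


def _sub(alias, requirement):
    # A sub-flow execution; it points at another flow by alias.
    return {"flowAlias": alias, "requirement": requirement, "autheticatorFlow": True}


def _flow(flow_id, alias, *executions):
    return {"id": flow_id, "alias": alias, "authenticationExecutions": list(executions)}


# Constructed: staff realm, OTP Form REQUIRED, no identity providers at all.
STAFF_REALM = {
    "realm": "staff", "browserFlow": "browser", "identityProviders": [],
    "authenticationFlows": [
        _flow("f1", "browser", _auth("auth-cookie", "ALTERNATIVE"),
              _auth("identity-provider-redirector", "DISABLED"),
              _sub("forms", "ALTERNATIVE")),
        _flow("f2", "forms", _auth("auth-username-password-form", "REQUIRED"),
              _auth("auth-otp-form", "REQUIRED")),
    ],
    "clients": [{"clientId": "wiki"}],
}

# Constructed: partner realm, opt-in OTP (OPTIONAL is the 4.x/5.0 default),
# social identity providers, and one client that overrides the browser
# binding (by flow *id*) to a copy of the flow where OTP Form is REQUIRED.
PARTNER_REALM = {
    "realm": "partners", "browserFlow": "browser",
    "identityProviders": [{"alias": "google", "enabled": True},
                          {"alias": "github", "enabled": True}],
    "authenticationFlows": [
        _flow("f1", "browser", _auth("auth-cookie", "ALTERNATIVE"),
              _auth("identity-provider-redirector", "ALTERNATIVE"),
              _sub("forms", "ALTERNATIVE")),
        _flow("f2", "forms", _auth("auth-username-password-form", "REQUIRED"),
              _auth("auth-otp-form", "OPTIONAL")),
        _flow("f3", "browser-otp", _auth("auth-cookie", "ALTERNATIVE"),
              _sub("forms-otp", "ALTERNATIVE")),
        _flow("f4", "forms-otp", _auth("auth-username-password-form", "REQUIRED"),
              _auth("auth-otp-form", "REQUIRED")),
    ],
    "clients": [{"clientId": "wiki"},
                {"clientId": "monitoring",
                 "authenticationFlowBindingOverrides": {"browser": "f3"}}],
}


def _flow_by(realm, key, value):
    for flow in realm["authenticationFlows"]:
        if flow.get(key) == value:
            return flow
    raise KeyError(f"no flow with {key}={value!r} in realm {realm['realm']!r}")


def otp_requirement(realm, flow_alias):
    """Requirement of the first OTP Form step reachable from flow_alias,
    walking enabled sub-flows depth-first; None if no OTP step exists."""
    for ex in _flow_by(realm, "alias", flow_alias)["authenticationExecutions"]:
        if ex["requirement"] == "DISABLED":
            continue  # disabled executions and sub-flows never run
        if ex["autheticatorFlow"]:
            found = otp_requirement(realm, ex["flowAlias"])
            if found is not None:
                return found
        elif ex["authenticator"] == "auth-otp-form":
            return ex["requirement"]
    return None


def brokered_login_possible(realm):
    """True when the realm has an enabled identity provider. A login through
    a broker goes via the broker endpoints and the IdP's own first/post-login
    flows, not via the browser flow's forms sub-flow, so a REQUIRED OTP Form
    step there is simply not reached on that path (post-login flows are not
    modelled here)."""
    return any(idp.get("enabled", True) for idp in realm.get("identityProviders", []))


def browser_flow_for_client(realm, client_id):
    """Alias of the browser flow the client uses: a per-client override
    (stored as a flow id) wins over the realm-level browserFlow binding."""
    for client in realm["clients"]:
        if client["clientId"] == client_id:
            override = client.get("authenticationFlowBindingOverrides", {}).get("browser")
            return _flow_by(realm, "id", override)["alias"] if override else realm["browserFlow"]
    raise KeyError(f"client {client_id!r} not in realm {realm['realm']!r}")


def audit(realm, client_id):
    """Summarise whether an interactive login to client_id must present an OTP."""
    flow = browser_flow_for_client(realm, client_id)
    otp = otp_requirement(realm, flow)
    brokered = brokered_login_possible(realm)
    return {"flow": flow, "otp": otp, "brokered_login": brokered,
            "enforced": otp == "REQUIRED" and not brokered}


if __name__ == "__main__":
    for realm in (STAFF_REALM, PARTNER_REALM):
        for client in realm["clients"]:
            print(realm["realm"], client["clientId"], audit(realm, client["clientId"]))
```

Two caveats the audit makes visible. First, the per-client override in the partner realm does put OTP Form at REQUIRED for the monitoring client, yet "enforced" still comes out False because the realm's social providers give a login path that never runs the forms sub-flow; that is the situation Olivier's two-realm advice avoids. Second, the check only covers the interactive login: auth-cookie is ALTERNATIVE in every flow shown, so a user who already holds an SSO session from another client in the same realm is let through without seeing the OTP step again, which is another reason to keep staff and partners in separate realms rather than relying on client-level overrides.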