[keycloak-user] Advice on setting up realms

Stan Silvert ssilvert at redhat.com
Thu Mar 21 12:33:21 EDT 2019


On 3/21/2019 11:54 AM, Olivier Rivat wrote:
> Hi Chris,
>
>
> Couple of points:
> 1) >  Can I make these two types of user coexist in a single realm, or
> do I need to split it up?
>
> -Authentication is on a per realm basis
> For authentication you configure a corresponding authentication flow, by
> default for the entire realm.
>
> With 4.X and 5.0, you can override the default authentication flow
> for specific client applications
>
> If you want 2 different ways to authenticate (staff with 2FA,
> username/password + TOTP), and external with 1FA (username/password),
> best is to have two different realms, with one realm for staff and another
> for external people
>
>
> 2) > How can I enforce policies such as requiring TOTP for our staff?
> You just have to indicate that TOTP is required in the staff realm
> authentication flow
>
>
> 3) > Can I prevent users from changing their email address and name in
> the account console while still permitting password and authenticator
> changes?
> At first glance, there seems no specific tuning for this, unless writing
> a specific custom plugin.
>
>
> Visit also our web site for info about TOTP and realms:
> http://www.janua.fr/tag/technical-blog/
>
>
> Don't hesitate to come back to us if you need any further help
>
> Regards,
>
> Olivier Rivat
>
>
>
> Olivier Rivat
> CTO
> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>
>
>
> On 21/03/2019 at 15:56, Chris Boot wrote:
>> Hi folks,
>>
>> I’ve been looking for an IdP solution for my employer for months and
>> have felt like I’ve been going round and round in circles, until I
>> finally gave Keycloak another try. It’s like a breath of fresh air! So
>> thanks folks.
>>
>> Our Keycloak instance will be used to protect about a dozen
>> applications, things like our wiki, monitoring control panel, and so on.
>> We’ll have two different types of users who will need to use the IdP and
>> login to these applications: staff and partners.
>>
>> Staff will need to login using LDAP federation and will be required to
>> use TOTP. They should not be able to use social providers to log in.
>> Staff will use their email address to login and all will use a single
>> RHS domain for their email addresses.
>>
>> Partners will not have LDAP accounts, and should be able to opt-in to
>> use TOTP. They should ideally also be able to link social accounts (e.g.
>> Google or GitHub) to their existing records. Anyone not using our
>> corporate email domain, but who has an account, should be considered a
>> partner.
>>
>> Some of our applications can only be configured with a single OIDC or
>> SAML provider, so Keycloak would need to handle both types of accounts
>> (e.g. staff / partner) from a single login interface.
>>
>> I therefore have a few questions about how I might achieve such a setup:
>>
>> - Can I make these two types of user coexist in a single realm, or do I
>> need to split it up?
>>
>> - How can I enforce policies such as requiring TOTP for our staff?
>>
>> - Can I prevent users from changing their email address and name in the
>> account console while still permitting password and authenticator changes?
You can make the email field readonly by changing the HTML in the 
account theme.  This does not prevent someone from manually sending a 
post to the server that would change it, but it might be enough for your 
purposes.
>>
>> Thanks in advance for any suggestions.
>>
>> Cheers,
>> Chris
>>
> --
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
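Olivier's point 2 (require TOTP by making the OTP step REQUIRED in the staff realm's authentication flow) done against the Keycloak admin REST API, as an added example that is not part of the thread and not Keycloak's own code. It assumes the 4.x/5.0 default browser flow, where the built-in "OTP Form" execution (providerId `auth-otp-form`) sits at OPTIONAL, and the endpoint `GET`/`PUT /admin/realms/{realm}/authentication/flows/{flow}/executions`; the execution ids in the sample are constructed placeholders.

```python
"""Switch the OTP step of a realm's browser flow to REQUIRED (Keycloak admin REST).

Offline-testable core plus an optional live call using only the standard library."""
import json
import os
import urllib.request

OTP_PROVIDER = "auth-otp-form"  # providerId of the built-in "OTP Form" execution

# Constructed sample of GET /admin/realms/{realm}/authentication/flows/browser/executions
# for a 4.x/5.0 default browser flow; ids are placeholders, not real Keycloak values.
SAMPLE_EXECUTIONS = [
    {"id": "exec-cookie", "requirement": "ALTERNATIVE", "displayName": "Cookie",
     "providerId": "auth-cookie", "level": 0, "index": 0},
    {"id": "exec-forms", "requirement": "ALTERNATIVE", "displayName": "Forms",
     "authenticationFlow": True, "level": 0, "index": 2},
    {"id": "exec-userpw", "requirement": "REQUIRED", "displayName": "Username Password Form",
     "providerId": "auth-username-password-form", "level": 1, "index": 0},
    {"id": "exec-otp", "requirement": "OPTIONAL", "displayName": "OTP Form",
     "providerId": OTP_PROVIDER, "level": 1, "index": 1},
]

def find_otp_execution(executions):
    """Return the OTP Form execution, or None if the flow has no OTP step."""
    return next((e for e in executions if e.get("providerId") == OTP_PROVIDER), None)

def require_otp(executions):
    """Build the PUT body that sets the OTP step to REQUIRED.

    Raises if the step is missing, so a flow that was customised away from the
    default does not silently stay at single-factor."""
    otp = find_otp_execution(executions)
    if otp is None:
        raise LookupError("browser flow has no OTP Form execution")
    patched = dict(otp)
    patched["requirement"] = "REQUIRED"
    return patched

def apply_live(base_url, realm, token, flow="browser"):
    """GET the flow's executions, then PUT the patched OTP execution (e.g. realm 'staff')."""
    url = f"{base_url}/admin/realms/{realm}/authentication/flows/{flow}/executions"
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as r:
        body = require_otp(json.load(r))
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=hdr, method="PUT")
    with urllib.request.urlopen(req) as r:
        return r.status  # 204 when the execution was updated

if __name__ == "__main__":
    print(json.dumps(require_otp(SAMPLE_EXECUTIONS), indent=2))
```

Set `KC_URL`, `KC_REALM` and an admin bearer token and call `apply_live` to run it against a server; with the step at REQUIRED, a staff user who has no OTP credential yet is sent through the configure-OTP required action at next login.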