<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div><div id="yui_3_16_0_1_1423948566567_2593" dir="ltr">Bill - Just wanted to let you know the Identity Broker currently being built meets my requirements. I have successfully tested out a complex scenario (given below) involving both SPNEGO as well as SAML Service Provider functionality</div><div id="yui_3_16_0_1_1423948566567_2663" dir="ltr"><br></div><div id="yui_3_16_0_1_1423948566567_2671" dir="ltr">1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.</div><div id="yui_3_16_0_1_1423948566567_2707" dir="ltr">2) KC on another host acting as SAML SP communicating with IDP (Point 1) and a client using OpenID Connect (Point 3)</div><div id="yui_3_16_0_1_1423948566567_2758" dir="ltr">3) A Client application communicating with KC (refer to Point 2) using OpenID Connect</div><div id="yui_3_16_0_1_1423948566567_2759" dir="ltr"><br></div><div id="yui_3_16_0_1_1423948566567_3068" dir="ltr">Any user accessing the client application will now be seamlessly authenticated without entering password. Now I am looking for the "custom profiles" functionality which would help me move forward. Just to reiterate my requirement - once the user is authenticated, I would like to make a LDAP call (in some cases multiple calls to different repositories) to retrieve all user information that should eventually be populated in the SAML claims or OIDC id_token selectively. </div><div id="yui_3_16_0_1_1423948566567_3012" dir="ltr"><br></div><div id="yui_3_16_0_1_1423948566567_3013" dir="ltr">A big thank you to you and the entire dev team for accommodating our requests :-). Great Job!!!</div><div id="yui_3_16_0_1_1423948566567_2868" dir="ltr"><br></div><div id="yui_3_16_0_1_1423948566567_3191" dir="ltr">Regards,</div><div id="yui_3_16_0_1_1423948566567_3229" dir="ltr">Raghu<br></div><div id="yui_3_16_0_1_1423948566567_2564" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1423948566567_2563" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1423948566567_2592" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1423948566567_2851"> <font id="yui_3_16_0_1_1423948566567_2633" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Raghu Prabhala <prabhalar@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Bill Burke <bburke@redhat.com>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, February 9, 2015 8:13 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Keycloak 1.1.0.Final Released<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1423948566567_2562"><br><div id="yiv0228592185"><div id="yui_3_16_0_1_1423948566567_2561"><div id="yui_3_16_0_1_1423948566567_2560" style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px; background-color: rgb(255, 255, 255);"><div><span></span></div><div id="yiv0228592185yui_3_16_0_1_1423487107097_2892" dir="ltr">I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.</div><div class="qtdSeparateBR"><br><br></div><div class="yiv0228592185yqt6182559582" id="yiv0228592185yqt76694"><div id="yiv0228592185yui_3_16_0_1_1423487107097_2881" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yiv0228592185yui_3_16_0_1_1423487107097_2880" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yiv0228592185yui_3_16_0_1_1423487107097_2879" dir="ltr"> <hr size="1" id="yiv0228592185yui_3_16_0_1_1423487107097_2894"> <font id="yiv0228592185yui_3_16_0_1_1423487107097_2878" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Bill Burke <bburke@redhat.com><br clear="none"> <b><span style="font-weight: bold;">To:</span></b> keycloak-user@lists.jboss.org <br clear="none"> <b><span style="font-weight: bold;">Sent:</span></b> Friday, February 6, 2015 10:21 AM<br clear="none"> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none"> </font> </div> <div class="yiv0228592185y_msg_container" id="yiv0228592185yui_3_16_0_1_1423487107097_2909"><br clear="none">Keycloak won't be a kerberos server any time soon, if ever. We are <br clear="none">creating a SAML/OIDC to kerberos bridge though.<br clear="none"><br clear="none">On 1/30/2015 10:52 AM, Raghu Prabhala wrote:<br clear="none">> Unfortunately yes. Kerberos is deeply ingrained in most of internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.<br clear="none">><br clear="none">> If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control ( need http request) immediately by Keycloak, perhaps I can handle both authentication with key tabs (for system accts) as well as SPNEGO for users<br clear="none">><br clear="none">> Sent from my iPhone<br clear="none">><br clear="none">>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> ----- Original Message -----<br clear="none">>>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>, "keycloak-user" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>> Sent: Friday, 30 January, 2015 2:44:14 PM<br clear="none">>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>><br clear="none">>>> Great. Looking forward to the 1.2 Beta version.<br clear="none">>>> Regarding the system account support, from my perspective, it is very<br clear="none">>>> important because we have thousands of applications that interact with each<br clear="none">>>> other using system accounts (authentication with Kerberos with keytabs) and<br clear="none">>>> till we have that functionality, we will not be able to consider Keycloak as<br clear="none">>>> a SSO solution even though it is coming out to be a good product. The sooner<br clear="none">>>> we have it, the better. Hopefully, even other users will pitch in to request<br clear="none">>>> that functionality so that you can bump it up in your priority list.<br clear="none">>>> Thanks once again.Raghu<br clear="none">>><br clear="none">>> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.<br clear="none">>><br clear="none">>>> From: Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>> To: Raghu Prabhala <<a href="mailto:prabhalar@yahoo.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>> Cc: keycloak dev <<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>; keycloak-user<br clear="none">>>> <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>> Sent: Friday, January 30, 2015 2:10 AM<br clear="none">>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>><br clear="none">>>><br clear="none">>>><br clear="none">>>> ----- Original Message -----<br clear="none">>>>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>, "keycloak-user"<br clear="none">>>>> <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>>> Sent: Thursday, January 29, 2015 6:44:11 PM<br clear="none">>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>>><br clear="none">>>>> Congrats Keycloak team. A great deal of features in this release - really<br clear="none">>>>> like SAML and clustering.<br clear="none">>>>><br clear="none">>>>> But what I am really looking for is the next release as we need all the<br clear="none">>>>> features you listed -any tentative dates for the beta version?<br clear="none">>>><br clear="none">>>> We might do a beta soon, but that'll only include identity brokering. The<br clear="none">>>> other features will be at least a month away.<br clear="none">>>><br clear="none">>>>><br clear="none">>>>> The functionality provided so far seems to be targeted toward users<br clear="none">>>>> accounts.<br clear="none">>>>> When can we expect support for System accounts (with diff auth mechanisms<br clear="none">>>>> like certificates, Kerberos etc?<br clear="none">>>><br clear="none">>>> Some time this year we aim to have system accounts with certificates, it'll<br clear="none">>>> depend on priorities. We don't have any plans to support Kerberos<br clear="none">>>> authentication with system accounts, but maybe that makes sense to add as<br clear="none">>>> well.<br clear="none">>>><br clear="none">>>><br clear="none">>>><br clear="none">>>>><br clear="none">>>>> Thanks,<br clear="none">>>>> Raghu<br clear="none">>>>><br clear="none">>>>> Sent from my iPhone<br clear="none">>>>><br clear="none">>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br clear="none">>>>>><br clear="none">>>>>> The Keycloak team is proud to announce the release of Keycloak<br clear="none">>>>>> 1.1.0.Final.<br clear="none">>>>>> Highlights in this release includes:<br clear="none">>>>>><br clear="none">>>>>> * SAML 2.0<br clear="none">>>>>> * Clustering<br clear="none">>>>>> * Jetty, Tomcat and Fuse adapters<br clear="none">>>>>> * HTTP Security Proxy<br clear="none">>>>>> * Automatic migration of db schema<br clear="none">>>>>><br clear="none">>>>>> We’re already started working on features for the next release. Some<br clear="none">>>>>> exiting features coming soon includes:<br clear="none">>>>>><br clear="none">>>>>> * Identity brokering<br clear="none">>>>>> * Custom user profiles<br clear="none">>>>>> * Kerberos<br clear="none">>>>>> * OpenID Connect interop<br clear="none">>>>>><br clear="none">>>>>> _______________________________________________<br clear="none">>>>>> keycloak-user mailing list<br clear="none">>>>>> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" rel="nofollow" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">>>><br clear="none">>>><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" rel="nofollow" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">Bill Burke<br clear="none">JBoss, a division of Red Hat<br clear="none"><a href="http://bill.burkecentral.com/" target="_blank" rel="nofollow" shape="rect">http://bill.burkecentral.com</a><div class="yiv0228592185qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv0228592185yqt4918247891" id="yiv0228592185yqtfd78819"><br clear="none">_______________________________________________<br clear="none">keycloak-user mailing list<br clear="none"><a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" rel="nofollow" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div><br clear="none"><br clear="none"></div> </div> </div></div> </div></div></div><br><br></div> </div> </div> </div></body></html>