<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div>That's great Bill. Can't wait to try out the claims piece. I will send out a separate email with my feedback.<br> <div id="yui_3_16_0_1_1424035773495_2429" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1424035773495_2428" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1424035773495_2427" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1424035773495_2452"> <font id="yui_3_16_0_1_1424035773495_2430" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Bill Burke <bburke@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> Raghu Prabhala <prabhalar@yahoo.com>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Sunday, February 15, 2015 11:33 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Keycloak 1.1.0.Final Released<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1424035773495_2431"><br>Working on claims right now. Should have something end of next week.<br clear="none"><br clear="none">Can you think of anything that would make kerberos or any other feature <br clear="none">easier to configure or use? Your feedback would be a great help.<br clear="none"><br clear="none">On 2/14/2015 5:03 PM, Raghu Prabhala wrote:<br clear="none">> Bill - Just wanted to let you know the Identity Broker currently being<br clear="none">> built meets my requirements. 
I have successfully tested out a complex<br clear="none">> scenario (given below) involving both SPNEGO as well as SAML Service<br clear="none">> Provider functionality<br clear="none">><br clear="none">> 1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.<br clear="none">> 2) KC on another host acting as SAML SP communicating with IDP (Point<br clear="none">> 1) and a client using OpenID Connect (Point 3)<br clear="none">> 3) A Client application communicating with KC (refer to Point 2) using<br clear="none">> OpenID Connect<br clear="none">><br clear="none">> Any user accessing the client application will now be seamlessly<br clear="none">> authenticated without entering a password. Now I am looking for the<br clear="none">> "custom profiles" functionality which would help me move forward. Just<br clear="none">> to reiterate my requirement - once the user is authenticated, I would<br clear="none">> like to make an LDAP call (in some cases multiple calls to different<br clear="none">> repositories) to retrieve all user information that should eventually be<br clear="none">> populated in the SAML claims or OIDC id_token selectively.<br clear="none">><br clear="none">> A big thank you to you and the entire dev team for accommodating our<br clear="none">> requests :-).
Great Job!!!<br clear="none">><br clear="none">> Regards,<br clear="none">> Raghu<br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From:* Raghu Prabhala <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">> *To:* Bill Burke <<a href="mailto:bburke@redhat.com" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>>; "<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"<br clear="none">> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">> *Sent:* Monday, February 9, 2015 8:13 AM<br clear="none">> *Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">><br clear="none">> I think that would satisfy my requirements - but not sure until I see<br clear="none">> that bridge along with the Identity broker functionality in the next<br clear="none">> beta release - eagerly waiting for it.<br clear="none">><br clear="none">><br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From:* Bill Burke <<a href="mailto:bburke@redhat.com" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>><br clear="none">> *To:* <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">> *Sent:* Friday, February 6, 2015 10:21 AM<br clear="none">> *Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">><br clear="none">> Keycloak won't be a kerberos server any time soon, if ever. 
We are<br clear="none">> creating a SAML/OIDC to kerberos bridge though.<br clear="none">><br clear="none">> On 1/30/2015 10:52 AM, Raghu Prabhala wrote:<br clear="none">> > Unfortunately yes. Kerberos is deeply ingrained in most of internal<br clear="none">> applications/processes. While we can ask any new applications to use<br clear="none">> certificates, we have to support Kerberos.<br clear="none">> ><br clear="none">> > If that is not something that you will support, probably identity<br clear="none">> brokering would help. I can write a Kerberos broker as long as it is<br clear="none">> given control ( need http request) immediately by Keycloak, perhaps I<br clear="none">> can handle both authentication with key tabs (for system accts) as well<br clear="none">> as SPNEGO for users<br clear="none">> ><br clear="none">> > Sent from my iPhone<br clear="none">> ><br clear="none">> >> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a><br clear="none">> <mailto:<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>>> wrote:<br clear="none">> >><br clear="none">> >><br clear="none">> >><br clear="none">> >> ----- Original Message -----<br clear="none">> >>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a><br clear="none">> <mailto:<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>>><br clear="none">> >>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a> <mailto:<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>>><br clear="none">> >>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" 
ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>>, "keycloak-user"<br clear="none">> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>>><br clear="none">> >>> Sent: Friday, 30 January, 2015 2:44:14 PM<br clear="none">> >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">> >>><br clear="none">> >>> Great. Looking forward to the 1.2 Beta version.<br clear="none">> >>> Regarding the system account support, from my perspective, it is very<br clear="none">> >>> important because we have thousands of applications that interact<br clear="none">> with each<br clear="none">> >>> other using system accounts (authentication with Kerberos with<br clear="none">> keytabs) and<br clear="none">> >>> till we have that functionality, we will not be able to consider<br clear="none">> Keycloak as<br clear="none">> >>> an SSO solution even though it is coming out to be a good product.<br clear="none">> The sooner<br clear="none">> >>> we have it, the better. Hopefully, even other users will pitch in<br clear="none">> to request<br clear="none">> >>> that functionality so that you can bump it up in your priority list.<br clear="none">> >>> Thanks once again. Raghu<br clear="none">> >><br clear="none">> >> For your use-case would it have to be Kerberos?
Only options we've<br clear="none">> been considering are certificates and jwt/jws.<br clear="none">> >><br clear="none">> >>> From: Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a><br clear="none">> <mailto:<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>>><br clear="none">> >>> To: Raghu Prabhala <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a> <mailto:<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>>><br clear="none">> >>> Cc: keycloak dev <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>>; keycloak-user<br clear="none">> >>> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>>><br clear="none">> >>> Sent: Friday, January 30, 2015 2:10 AM<br clear="none">> >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">> >>><br clear="none">> >>><br clear="none">> >>><br clear="none">> >>> ----- Original Message -----<br clear="none">> >>>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a><br clear="none">> <mailto:<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>>><br clear="none">> >>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" shape="rect" 
ymailto="mailto:stian@redhat.com">stian@redhat.com</a> <mailto:<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>>><br clear="none">> >>>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>>, "keycloak-user"<br clear="none">> >>>> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>>><br clear="none">> >>>> Sent: Thursday, January 29, 2015 6:44:11 PM<br clear="none">> >>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">> >>>><br clear="none">> >>>> Congrats Keycloak team. A great deal of features in this release -<br clear="none">> really<br clear="none">> >>>> like SAML and clustering.<br clear="none">> >>>><br clear="none">> >>>> But what I am really looking for is the next release as we need<br clear="none">> all the<br clear="none">> >>>> features you listed -any tentative dates for the beta version?<br clear="none">> >>><br clear="none">> >>> We might do a beta soon, but that'll only include identity<br clear="none">> brokering. 
The<br clear="none">> >>> other features will be at least a month away.<br clear="none">> >>><br clear="none">> >>>><br clear="none">> >>>> The functionality provided so far seems to be targeted toward user<br clear="none">> >>>> accounts.<br clear="none">> >>>> When can we expect support for System accounts (with diff auth<br clear="none">> mechanisms<br clear="none">> >>>> like certificates, Kerberos etc.)?<br clear="none">> >>><br clear="none">> >>> Some time this year we aim to have system accounts with<br clear="none">> certificates, it'll<br clear="none">> >>> depend on priorities. We don't have any plans to support Kerberos<br clear="none">> >>> authentication with system accounts, but maybe that makes sense to<br clear="none">> add as<br clear="none">> >>> well.<br clear="none">> >>><br clear="none">> >>><br clear="none">> >>><br clear="none">> >>>><br clear="none">> >>>> Thanks,<br clear="none">> >>>> Raghu<br clear="none">> >>>><br clear="none">> >>>> Sent from my iPhone<br clear="none">> >>>><br clear="none">> >>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a><br clear="none">> <mailto:<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>>> wrote:<br clear="none">> >>>>><br clear="none">> >>>>> The Keycloak team is proud to announce the release of Keycloak<br clear="none">> >>>>> 1.1.0.Final.<br clear="none">> >>>>> Highlights in this release include:<br clear="none">> >>>>><br clear="none">> >>>>> * SAML 2.0<br clear="none">> >>>>> * Clustering<br clear="none">> >>>>> * Jetty, Tomcat and Fuse adapters<br clear="none">> >>>>> * HTTP Security Proxy<br clear="none">> >>>>> * Automatic migration of db schema<br clear="none">> >>>>><br clear="none">> >>>>> We’ve already started working on features for the next release.
Some<br clear="none">> >>>>> exciting features coming soon include:<br clear="none">> >>>>><br clear="none">> >>>>> * Identity brokering<br clear="none">> >>>>> * Custom user profiles<br clear="none">> >>>>> * Kerberos<br clear="none">> >>>>> * OpenID Connect interop<br clear="none">> >>>>><br clear="none">> >>>>> _______________________________________________<br clear="none">> >>>>> keycloak-user mailing list<br clear="none">> >>>>> <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">> >>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">> >>><br clear="none">> >>><br clear="none">> ><br clear="none">> > _______________________________________________<br clear="none">> > keycloak-user mailing list<br clear="none">> > <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">> ><br clear="none">><br clear="none">> --<br clear="none">> Bill Burke<br clear="none">> JBoss, a division of Red Hat<br clear="none">> <a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com </a><<a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com/</a>><br clear="none">><br clear="none">><br clear="none">><br
clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><div class="qtdSeparateBR"><br><br></div><div class="yqt5256110087" id="yqtfd83094"><br clear="none">> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">Bill Burke<br clear="none">JBoss, a division of Red Hat<br clear="none"><a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com</a><br clear="none"></div><br><br></div> </div> </div> </div></body></html>