<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 18 December 2015 at 09:44, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 18/12/15 09:39, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 December 2015 at 09:35, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 18/12/15 08:23, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">The best solution to that is either
the ability to share users between realms or more
likely the ability to define a SSO group within a
realm. Each SSO group would have independent SSO
sessions and could also have separate themes
associated with it. It's not something we have
resources for right now though. <br>
</div>
</blockquote>
</span> I wonder if we can have something like
"different-realm-user-federation-provider" ? We had
something like this in the early days of Keycloak.<br>
<br>
For example, if you have 2 realms "blueRealm" and
"greenRealm" . The greenRealm will have defined
federation provider, which will delegate retrieving
users to blueRealm. Then all applications configured
against greenRealm will see green login screen, but they
will be able to authenticate with users+passwords from
blueRealm. <br>
</div>
</blockquote>
<div><br>
</div>
<div>That's not very elegant at least not ATM as we would
end up duplicating the users in the DB.</div>
</div>
</div>
</div>
</blockquote></span>
Yeah. Once we address in-memory federation, it's going to be better
though. Might be easier then introduce brand new concept of SSO
groups within realm.</div></blockquote><div><br></div><div>I think SSO groups would be useful. User federation doesn't allow sharing anything besides users. You may for instance have a bunch of services and a a few internal apps, but one external app. You'd like the external app to be able to call services, but not be part of the internal SSO.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><font color="#888888"> <br>
Marek</font></span>
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Simply displaying a different theme
per-client just doesn't make any sense at all.
Users log-in to a SSO realm, not an individual
client. So I'm against adding something like
that unless we add the ability to log-in to
clients or groups of clients individually.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 December 2015 at
03:08, Raghuram Prabhala <span dir="ltr"><<a href="mailto:prabhalar@yahoo.com" target="_blank"></a><a href="mailto:prabhalar@yahoo.com" target="_blank">prabhalar@yahoo.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="color:#000;background-color:#fff;font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:13px">
<div>Pe</div>
<br>
<div>It depends upon the application
that the user accesses. We have
several scenarios where the same set
of users login to different
applications in different divisions,
some internet facing that have a
totally different look from our
intranet ones and it also depends upon
whether the applications look for
multi factor authentication as well.</div>
<div><br>
</div>
<div>This is a very common scenario - We
typically have different themes
presented to the users based on what
the client applications request
(different themes can be requested
utilizing different http parameters)</div>
<div><br>
</div>
<div dir="ltr">Perhaps we can define
different realms for different themes
but it becomes very cumbersome<br>
</div>
<div><br>
</div>
<div><br>
<br>
</div>
<div style="display:block">
<div style="font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:13px">
<div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div dir="ltr"> <font face="Arial" size="2"><span>
<hr size="1"> <b><span style="font-weight:bold">From:</span></b>
Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank"></a><a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>><br>
</span><b><span style="font-weight:bold">To:</span></b>
Raghuram Prabhala <<a href="mailto:prabhalar@yahoo.com" target="_blank"></a><a href="mailto:prabhalar@yahoo.com" target="_blank">prabhalar@yahoo.com</a>>
<br>
<b><span style="font-weight:bold">Cc:</span></b>
Revanth Ayalasomayajula <<a href="mailto:revanth@arvindinternet.com" target="_blank"></a><a href="mailto:revanth@arvindinternet.com" target="_blank">revanth@arvindinternet.com</a>>;
keycloak-user <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<b><span style="font-weight:bold">Sent:</span></b>
Thursday, December 17, 2015
9:28 AM
<div>
<div><br>
<b><span style="font-weight:bold">Subject:</span></b>
Re: [keycloak-user]
Different theme for each
client<br>
</div>
</div>
</font> </div>
<div>
<div>
<div><br>
<div>
<div>
<div dir="ltr"><br clear="none">
<div><br clear="none">
<div>On 17 December
2015 at 14:44,
Raghuram Prabhala
<span dir="ltr"><<a href="mailto:prabhalar@yahoo.com" target="_blank"></a><a href="mailto:prabhalar@yahoo.com" target="_blank">prabhalar@yahoo.com</a>></span>
wrote:<br clear="none">
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="color:#000;background-color:#fff;font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:13px">
<div dir="ltr"><span>Stian
- Even we have
a similar
requirement of
having
different
themes, but
for different
divisions
within the
firm. Some of
them have
additional
functionality
of changing
even the
password. Can
you suggest
some way of
achieving the
above
functionality
considering
that all the
other
functionality
is the same
for all
divisions?</span></div>
</div>
</div>
</blockquote>
<div><br clear="none">
</div>
<div>Not actually
sure what you
mean here. It
just doesn't
make sense to
show a user two
login pages that
look different
(and possible
have different
things
enabled/disable)
if they use the
same realm and
SSO session.</div>
<div>
<div> </div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="color:#000;background-color:#fff;font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:13px">
<div dir="ltr"><span><br clear="none">
</span></div>
<div dir="ltr"><span>Thanks,</span></div>
<div dir="ltr"><span>Raghu</span></div>
<div><br clear="none">
</div>
<div style="display:block">
<div style="font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:13px">
<div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div dir="ltr">
<font face="Arial" size="2"> </font>
<hr size="1">
<b><span style="font-weight:bold">From:</span></b>
Stian
Thorgersen
<<a href="mailto:sthorger@redhat.com" target="_blank"></a><a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>><br clear="none">
<b><span style="font-weight:bold">To:</span></b>
Revanth
Ayalasomayajula
<<a href="mailto:revanth@arvindinternet.com" target="_blank"></a><a href="mailto:revanth@arvindinternet.com" target="_blank">revanth@arvindinternet.com</a>>
<br clear="none">
<b><span style="font-weight:bold">Cc:</span></b>
keycloak-user
<<a href="mailto:keycloak-user@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">
<b><span style="font-weight:bold">Sent:</span></b>
Thursday,
December 17,
2015 8:05 AM<br clear="none">
<b><span style="font-weight:bold">Subject:</span></b>
Re:
[keycloak-user]
Different
theme for each
client<br clear="none">
</div>
<div>
<div>
<div><br clear="none">
<div>
<div>
<div dir="ltr">Having
different
clients login
to the same
SSO realm with
different
branded login
pages just
doesn't make
sense. If we
add the
concept of a
SSO
domain/zone or
something
within a
realm, where a
group of
clients have
separate
themes and SSO
session that
would make
sense.</div>
<div><br clear="none">
<div>
<div>On 15
December 2015
at 12:14,
Revanth
Ayalasomayajula
<span dir="ltr"><<a href="mailto:revanth@arvindinternet.com" target="_blank"></a><a href="mailto:revanth@arvindinternet.com" target="_blank">revanth@arvindinternet.com</a>></span>
wrote:<br clear="none">
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">+1
for this
feature.</div>
<div style="max-height:1px"><img style="width:0px;max-height:0px;overflow:hidden"><font size="1" color="#ffffff">ᐧ</font></div>
<div><br clear="none">
<div>
<div>
<div>On Tue,
Dec 15, 2015
at 4:39 PM,
Helder dos S.
Alves <span dir="ltr"><<a href="mailto:helder.jaspion@gmail.com" target="_blank"></a><a href="mailto:helder.jaspion@gmail.com" target="_blank">helder.jaspion@gmail.com</a>></span>
wrote:<br clear="none">
</div>
</div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr">
<div>Hi.</div>
<div><br clear="none">
</div>
<div>I need to
have a
different
theme for each
of the clients
of a realm.</div>
<div>If a user
came from one
client, I have
to show a
keycloak page
with the logo
and skin of
that client.</div>
<div>Is it
possible with
Keycloak? How?</div>
<div><br clear="none">
</div>
<div>Thanks in
advance.</div>
<span></span>
<div><br clear="none">
</div>
<br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">Helder
S. Alves<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
<br clear="none">
</div>
</div>
_______________________________________________<br clear="none">
keycloak-user
mailing list<br clear="none">
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br clear="none">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank"></a><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">
</blockquote>
</div>
<br clear="none">
</div>
<br clear="none">
_______________________________________________<br clear="none">
keycloak-user
mailing list<br clear="none">
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br clear="none">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank"></a><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">
</blockquote>
</div>
<br clear="none">
</div>
</div>
</div>
</div>
<br clear="none">
<div>_______________________________________________<br clear="none">
keycloak-user
mailing list<br clear="none">
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br clear="none">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank"></a><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<div><br clear="none">
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div>