<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Could you possibly support “Authenticate by default” with a “fallback to the local realm”? It would be nice to have certain users attached to a particular realm realm1 but have Keycloak internally attempt to authenticate first against another realm so
you can get the effect of a union of the users across the two realms. The user experience with the federation buttons as an alternative makes this configuration complexity exposed to the user and I’d prefer to not have to do that.</div>
<div><br>
</div>
<div>-Jason</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span><<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, February 24, 2016 at 11:25 PM<br>
<span style="font-weight:bold">To: </span>Sarp Kaya <<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>>, "<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] SSO amongst two realms<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">It's possible to achieve something like this with identity provider. You can create identityProvider in realm2, which will authenticate against realm1. In that case, there will be button in login screen of realm2 like "Login with
realm1" and when user clicks on this, he will be logged-in automatically. There is also possibility to use switch "Authenticate by default" in identity provider and then login screen of realm2 won't be shown, but instead it will always automatically redirect
to realm1 login screen.<br>
<br>
The thing is, that you will end with duplicated user accounts (Account of user "john" will be in both realm1 and realm2). AFAIK we plan to improve this in the future to have this use-case more "friendly" as more people ask about that.<br>
<br>
Marek <br>
<br>
On 25/02/16 01:39, Sarp Kaya wrote:<br>
</div>
<blockquote cite="mid:D2F48A58.2D31%25akaya@expedia.com" type="cite">
<div>Hi,</div>
<div><br>
</div>
<div>I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to an app1 that auths against realm1, then user 1 tries to use app2 which auths against realm2 which should work fine as user 1 logged into realm1 before and it should
SSO into app2 fine.</div>
<div><br>
</div>
<div>If this is possible then what would be the setup like?</div>
<div><br>
</div>
<div>Kind Regards,</div>
<div>Sarp</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</div>
</span>
</body>
</html>