<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
Right now you can federate user storage from one or more sources
    (including Keycloak storage).  But it has zero sophistication for
    ordering other than whichever one is listed first.  And there is no
    SPI to plug into to do this.  We hope to get back to feature
    development soon, but we're currently busy polishing up our current
    codebase.<br>
    <br>
    <div class="moz-cite-prefix">On 4/8/2016 11:47 AM, Jason Axley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:03E7242B-F5FD-4593-84CC-26D8B8863A42@expedia.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div>
        <div>Assume these are the users in each realm:</div>
        <div><br>
        </div>
        <div>realm1 : [ “jaxley”, “nancy” ]</div>
        <div>realm2 : [ “LDAP:foouser@example.org”, “SAML:baruser@example.org” ]</div>
        <div>  </div>
        <div>
        </div>
      </div>
      <div>If realm1 configuration == "Authenticate against realm2 with
        fallback to local realm (realm1)”</div>
      <div>AND
        a user tries to log in, then authenticate the user against
        realm2 first (internally); if the user is not found or fails,
        try against the local realm realm1.  If that succeeds, that is
        the user and they are now authenticated.</div>
      <div><br>
      </div>
      <div>Thus, if <a class="moz-txt-link-abbreviated" href="mailto:foouser@example.org">foouser@example.org</a> tried to log into realm1, they
        would be tried in realm2 first (their home realm).</div>
      <div>But if “jaxley” tried to log into realm1, an attempt would be
        made against realm2 and fail (no “jaxley” there), then an
        attempt against realm1 would be made.  If that succeeds, that is
        the user and they are now authenticated.</div>
      <div><br>
      </div>
      <div>What I want to be able to do is to maintain a set of users
        inside a Keycloak realm, but I want to still be able to create
        multiple additional realms to represent different configurations
        (e.g. internal-facing vs. external-facing).  The challenge is
        how, when applications use those additional realms to
        authenticate, we can seamlessly allow authentication in our
        preferred order of searching.  I’d hate to have the official
        answer be to use the APIs to write a login UI ourselves…</div>
      <div><br>
      </div>
      <div>This kind of “preferred order of authentication sources”
        capability as a declarative configuration option is a feature of
        many commercial IdM and authentication tools.  The conflict
        between users with the same login ID across realms is either
        resolved by fully qualifying the user IDs or using the search
        order to make some sources weighted higher in the search path so
        those win.</div>
      <div><br>
      </div>
      <div>-Jason</div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:12pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span>Stian Thorgersen
          &lt;<a moz-do-not-send="true"
            href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
          <span style="font-weight:bold">Reply-To: </span>"<a
            moz-do-not-send="true" href="mailto:stian@redhat.com">stian@redhat.com</a>"
          &lt;<a moz-do-not-send="true" href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;<br>
          <span style="font-weight:bold">Date: </span>Thursday, April
          7, 2016 at 10:05 PM<br>
          <span style="font-weight:bold">To: </span>Jason Axley &lt;<a
            moz-do-not-send="true" href="mailto:jaxley@expedia.com">jaxley@expedia.com</a>&gt;<br>
          <span style="font-weight:bold">Cc: </span>Marek Posolda &lt;<a
            moz-do-not-send="true" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;,
          Sarp Kaya &lt;<a moz-do-not-send="true"
            href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt;, "<a
            moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
          &lt;<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
          <span style="font-weight:bold">Subject: </span>Re:
          [keycloak-user] SSO amongst two realms<br>
        </div>
        <div><br>
        </div>
        <div>
          <div>
            <div dir="ltr">Can you elaborate on how you imagine
              "fallback to the local realm" would work?</div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On 7 April 2016 at 21:59, Jason
                Axley <span dir="ltr">&lt;<a moz-do-not-send="true"
                    href="mailto:jaxley@expedia.com" target="_blank">jaxley@expedia.com</a>&gt;</span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div
style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
                    <div>
                      <div>
                        <div>Could you possibly support “Authenticate by
                          default” with a “fallback to the local
                          realm”?  It would be nice to have certain
                          users attached to a particular realm realm1
                          but have Keycloak internally attempt to
                          authenticate first against another realm so
                          you can get the effect of a union of the users
                          across the two realms.  The user experience
                          with the federation buttons as an alternative
                          makes this configuration complexity exposed to
                          the user and I’d prefer to not have to do
                          that.</div>
                        <div><br>
                        </div>
                        <div>-Jason</div>
                        <div>
                        </div>
                      </div>
                    </div>
                    <div><br>
                    </div>
                    <span>
                      <div
                        style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium
                        none;BORDER-LEFT:medium
                        none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
                        1pt solid;BORDER-RIGHT:medium
                        none;PADDING-TOP:3pt">
                        <span style="font-weight:bold">From: </span>&lt;<a
                          moz-do-not-send="true"
                          href="mailto:keycloak-user-bounces@lists.jboss.org"
                          target="_blank">keycloak-user-bounces@lists.jboss.org</a>&gt;
                        on behalf of Marek Posolda &lt;<a
                          moz-do-not-send="true"
                          href="mailto:mposolda@redhat.com"
                          target="_blank">mposolda@redhat.com</a>&gt;<br>
                        <span style="font-weight:bold">Date: </span>Wednesday,
                        February 24, 2016 at 11:25 PM<br>
                        <span style="font-weight:bold">To: </span>Sarp
                        Kaya &lt;<a moz-do-not-send="true"
                          href="mailto:akaya@expedia.com"
                          target="_blank">akaya@expedia.com</a>&gt;, "<a
                          moz-do-not-send="true"
                          href="mailto:keycloak-user@lists.jboss.org"
                          target="_blank">keycloak-user@lists.jboss.org</a>"
                        &lt;<a moz-do-not-send="true"
                          href="mailto:keycloak-user@lists.jboss.org"
                          target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br>
                        <span style="font-weight:bold">Subject: </span>Re:
                        [keycloak-user] SSO amongst two realms<br>
                      </div>
                      <div>
                        <div class="h5">
                          <div><br>
                          </div>
                          <div>
                            <div bgcolor="#FFFFFF" text="#000000">
                              <div>It's possible to achieve something
                                like this with an identity provider. You
                                can create an identityProvider in realm2,
                                which will authenticate against realm1.
                                In that case, there will be a button on the
                                login screen of realm2 like "Login with
                                realm1", and when the user clicks on it, he
                                will be logged in automatically. There
                                is also the possibility to use the switch
                                "Authenticate by default" in the identity
                                provider; then the login screen of realm2
                                won't be shown, but instead it will
                                always automatically redirect to the realm1
                                login screen.<br>
                                <br>
                                The thing is that you will end up with
                                duplicated user accounts (the account of
                                user "john" will be in both realm1 and
                                realm2). AFAIK we plan to improve this
                                in the future to make this use-case more
                                "friendly", as more people ask about
                                that.<br>
                                <br>
                                Marek <br>
                                <br>
                                On 25/02/16 01:39, Sarp Kaya wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div>Hi,</div>
                                <div><br>
                                </div>
                                <div>I want to know whether it is
                                  possible to have SSO amongst two
                                  realms, i.e. user 1 logs in to app1
                                  which auths against realm1, then user 1
                                  tries to use app2 which auths against
                                  realm2; this should work fine, as user
                                  1 logged into realm1 before, and it
                                  should SSO into app2 fine.</div>
                                <div><br>
                                </div>
                                <div>If this is possible then what would
                                  be the setup like?</div>
                                <div><br>
                                </div>
                                <div>Kind Regards,</div>
                                <div>Sarp</div>
                                <br>
                                <fieldset></fieldset>
                                <br>
                                <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                              </blockquote>
                              <br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </span></div>
                  <br>
                </blockquote>
              </div>
              <br>
            </div>
          </div>
        </div>
      </span>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
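The ordered search path with "fallback to the local realm" that Jason describes above, as an added example: this is not Keycloak's code nor any poster's, the realms, users and passwords are constructed sample data, and the "not found or fails" fall-through is kept exactly as described so the duplicate-login-ID case is visible.

```python
# Ordered authentication sources with fallback to the local realm, as the
# thread describes it. Added example, not Keycloak's own code; every realm,
# user and password below is constructed sample data.
import hashlib
import hmac
from dataclasses import dataclass, field


def _pw_hash(password: str) -> str:
    # Demo-only hashing so the sample store holds no cleartext; a real user
    # store would use a slow, salted password hash (bcrypt, scrypt, ...).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Realm:
    name: str
    users: dict = field(default_factory=dict)  # login id -> password hash

    def add_user(self, login: str, password: str) -> None:
        self.users[login] = _pw_hash(password)

    def authenticate(self, login: str, password: str) -> str:
        """Outcome for this one realm: 'ok', 'not_found' or 'bad_password'."""
        stored = self.users.get(login)
        if stored is None:
            return "not_found"
        return "ok" if hmac.compare_digest(stored, _pw_hash(password)) else "bad_password"


def authenticate_in_order(login: str, password: str, search_order: list) -> tuple:
    """Walk the configured search path; on 'not_found' OR a failed password in one
    source, fall through to the next. Returns (realm that accepted the login, 'ok'),
    or (None, outcome of the last source tried) when no realm accepted it."""
    outcome = "not_found"
    for realm in search_order:
        outcome = realm.authenticate(login, password)
        if outcome == "ok":
            return realm.name, "ok"   # the first source to accept wins
    return None, outcome


# Constructed sample data mirroring the thread's example realms.
realm1 = Realm("realm1")
realm1.add_user("jaxley", "jaxley-pw")
realm1.add_user("nancy", "nancy-pw")
realm2 = Realm("realm2")
realm2.add_user("LDAP:foouser@example.org", "foo-pw")
realm2.add_user("SAML:baruser@example.org", "bar-pw")
# The conflict case: the same login id in both realms, with different passwords.
realm1.add_user("john", "john-local-pw")
realm2.add_user("john", "john-remote-pw")
# realm1's configured policy: realm2 first, then fall back to the local realm.
SEARCH_ORDER = [realm2, realm1]
```

Because a failed password in realm2 still falls through to realm1, both of "john"'s passwords are accepted, so the login event should record which source actually accepted the credential.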
  </body>
</html>