<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m new to keycloak and we’re investigating using it within our University. In the first instance it would be used as a registration point for external users e.g. prospective students etc. They will either register via the form or using
social IdP’s in order to access various apps for these types of users. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We want to remain open to using Keycloak for our internal (AD / LDAP) users to authenticate to these same apps as well as corporate applications.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The tricky part comes where a prospective student (external identity) enrols and becomes a regular student (LDAP user). We would like them to continue to be recognised as a single identity and have their registered identities merged / linked
with their new internal id.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hoping someone might be able to provide some guidance on the best way to go. There are a few ideas I’ve been testing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One is to have a single keycloak realm for user registration and configure LDAP as a user federation source. However this would seem to rule out linking the accounts?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Another idea was to configure two realms (internal and external) and have the internal realm act as an IdP for the external realm.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Another option is to create three realms, internal, external and combined. The combined realm is used for SSO for all apps and the internal and external realms are configured to be IdP’s for the combined realm. I can’t help but feel this
is starting to get more complicated than is necessary.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any guidance or thoughts would be much appreciated.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards<o:p></o:p></p>
<p class="MsoNormal">Adam<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black;mso-fareast-language:EN-AU">-- </span><span style="color:black;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black;mso-fareast-language:EN-AU">Adam Keily</span><span style="color:black;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black;mso-fareast-language:EN-AU">Risk & Security Services</span><span style="color:black;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black;mso-fareast-language:EN-AU">The University of Adelaide</span><span style="color:black;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>