In this scenario, can a user be looked up out of band? Meaning, out of
band of the authentication process?
On 6/23/16 10:00 AM, Bruno Oliveira wrote:
Good morning,
One of the use case scenarios described for FreeIPA is the integration via PAM
and SSSD, which "automagically" handles the authentication against the IdM.
This first step requires pretty much an IPA setup, but works with libpam4j[1].
Now, thinking about Keycloak, I would like to have an Authenticator for PAM[2],
which is pretty much our UsernamePasswordForm + PAM. Does it make sense?
Current flow:
* User logs into Web application with username/password
* PAM authenticator collects data and authenticates against PAM
* SSSD authenticates against IdM
* Authentication is complete
After the last step, should we propagate that user to our database?
Maybe, like Marek already mentioned, have an SSSDFederationProvider?
[1] - http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9...
[2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...
--
abstractj
PGP: 0x84DC9914
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev