----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 14 March, 2014 2:12:20 PM
Subject: Re: [keycloak-dev] LDAP integration
Don't we need to have LDAP as a user store? Won't companies have a user
LDAP store they want to point Keycloak to? If you have an Auth SPI
only, then you'll still need to register the users with Keycloak.
The idea with the authentication would be similar to social login. On first login a user
would be created internally in Keycloak, and there would be a link to the user in LDAP. It
would provide us with something relatively simple without the fuss. Social login requires
registration to be enabled for new users, but that shouldn't be required to create
users that "link" to an LDAP store.
We can even investigate allowing multiple authentication providers for a single realm. For
example, if a user exists in Keycloak you can check if there is an LDAP link; if there is,
authenticate with LDAP, otherwise with Keycloak. If no user exists, check with the other
configured authentication providers, if any exist.
In the second round we can worry about syncing, or alternatively using LDAP directly
for users/role-mappings. I'm not 100% convinced, but I believe the syncing approach is
the simpler and probably better solution to "federation".
On 3/14/2014 9:12 AM, Stian Thorgersen wrote:
> For the first round of LDAP integration we will only focus on
> authenticating with LDAP.
>
> This will work by adding an Authentication SPI. It will provide two
> methods, verify user password and update user password. We'll have two
> implementations of this, Keycloak Model and LDAP (via PicketLink).
>
> It should be possible to configure which Authentication SPI provider is
> used by a Realm through the admin console. This will include setting up
> configuration for the LDAP server.
>
> Second round (which will have a low priority for beta1, so will most likely
> be postponed to after the 1.0.Final) will be to add a Sync SPI. This will
> support one-way and two-way syncing of data from an external resource into
> the Keycloak model. It will support resources that allow registering
> listeners for events (for near real-time syncing) as well as interval-based
> pulling when this is not possible.
>
>
> JIRA issue for this is:
> https://issues.jboss.org/browse/KEYCLOAK-316
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
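A sketch of the provider chain discussed in this thread, added here as an example; it is not Keycloak code and not anything posted by the participants. It models the proposed Authentication SPI with its two methods (verify password, update password), an in-memory stand-in for the LDAP provider, and a realm that sends an existing user to its linked provider, checks the local credential for unlinked users, and creates a linked user only after an external provider has accepted a first login. The names AuthenticationProvider, DirectoryProvider, LocalUser and RealmAuthenticator, and the seeded accounts, are assumptions.

```java
import java.util.*;

// Proposed Authentication SPI from the thread: verify and update a user's password (method names assumed).
interface AuthenticationProvider {
    String id();
    boolean verifyPassword(String username, char[] password);
    boolean updatePassword(String username, char[] newPassword);
}

// In-memory stand-in for the LDAP provider, seeded with constructed accounts; a real one binds to the directory.
final class DirectoryProvider implements AuthenticationProvider {
    private final Map<String, char[]> entries = new HashMap<>();
    DirectoryProvider(Map<String, String> seed) { seed.forEach((u, p) -> entries.put(u, p.toCharArray())); }
    public String id() { return "ldap"; }
    public boolean verifyPassword(String u, char[] p) { return entries.containsKey(u) && Arrays.equals(entries.get(u), p); }
    public boolean updatePassword(String u, char[] p) { return entries.replace(u, p.clone()) != null; }
}

// Realm user; a non-null linkedProviderId means the credential lives in the external store and is never copied.
final class LocalUser {
    final String name, linkedProviderId; final char[] localPassword; // a real store keeps a salted hash, not this
    LocalUser(String n, String link, char[] pw) { name = n; linkedProviderId = link; localPassword = pw; }
}

final class RealmAuthenticator {
    final Map<String, LocalUser> users = new HashMap<>();
    private final Map<String, AuthenticationProvider> providers = new LinkedHashMap<>();
    RealmAuthenticator(List<AuthenticationProvider> configured) { configured.forEach(p -> providers.put(p.id(), p)); }
    void addLocalUser(String name, String pw) { users.put(name, new LocalUser(name, null, pw.toCharArray())); }

    // Chain from the thread: known user -> its linked provider, or the local credential when unlinked;
    // unknown user -> try each configured provider and, on success, create a linked user (no self-registration).
    Optional<LocalUser> authenticate(String username, char[] password) {
        LocalUser user = users.get(username);
        if (user != null) {
            if (user.linkedProviderId == null) return Arrays.equals(user.localPassword, password) ? Optional.of(user) : Optional.empty();
            AuthenticationProvider p = providers.get(user.linkedProviderId);
            return p != null && p.verifyPassword(username, password) ? Optional.of(user) : Optional.empty();
        }
        for (AuthenticationProvider p : providers.values()) {
            if (p.verifyPassword(username, password)) {
                LocalUser linked = new LocalUser(username, p.id(), null); // created only after the store accepted the login
                users.put(username, linked);
                return Optional.of(linked);
            }
        }
        return Optional.empty();
    }
}
```

With a DirectoryProvider seeded with a constructed account, the first successful authenticate call for that name returns a LocalUser whose linkedProviderId is "ldap" and whose localPassword is null, while a name no provider accepts returns Optional.empty() and creates nothing.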