When it comes to enterprises, I think having multiple options to best integrate into
whatever ecosystem they already have in place.
With that in mind, when possible I think syncing to/from LDAP would be great. The Keycloak
store would in most cases provide more information than the LDAP store in those cases, for
example role mappings.
If we design a sync SPI, that would allow users to do their own integration with whatever
they currently have, be it LDAP, a relational database, or any other solution. The SPI
could have a read-only as well as a read/write option.
Also, I think it makes sense to add support for auth brokering, again through an auth SPI. I
imagine this would work by letting a realm use a different source to validate credentials.
A very crude auth SPI could look like:
    // A provider answers whether the given credentials prove the user's identity.
    public interface AuthProvider {
        boolean isAuthenticated(String username, Credential... credentials);
    }
Some auth providers could only work for some credentials. For example, an LDAP could be
used to verify the username/password, then Keycloak to verify TOTP, while roles and other
user profile data are retrieved from the Keycloak store.
The same auth SPI could be used to add support for additional OTP mechanisms (email, smtp,
YubiKey, you name it).
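The brokering idea from this message, worked through as an added example (this is illustration code, not part of the thread or of Keycloak): a realm holds several providers, each declaring which credential types it can verify, and a request is only authenticated when every presented credential is verified by a provider that supports it. The `supports()` method, the `Credential` classes, the `RealmAuthBroker`, and the in-memory stand-ins for an LDAP bind and for Keycloak's TOTP check are all assumptions made for the example; the TOTP stub compares against a constructed code rather than computing a real time-based OTP.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Credential types a realm might present; both classes are constructed for this example.
interface Credential {
    String type();
}

final class PasswordCredential implements Credential {
    final String password;
    PasswordCredential(String password) { this.password = password; }
    public String type() { return "password"; }
}

final class TotpCredential implements Credential {
    final String code;
    TotpCredential(String code) { this.code = code; }
    public String type() { return "totp"; }
}

// The auth SPI: the variadic signature sketched in the message, plus a supports()
// query (an assumption here) so the broker can route each credential type.
interface AuthProvider {
    boolean supports(String credentialType);
    boolean isAuthenticated(String username, Credential... credentials);
}

// Stand-in for an LDAP bind: a constructed in-memory directory, not a real LDAP client.
final class LdapPasswordProvider implements AuthProvider {
    private final Map<String, String> directory = new HashMap<>();
    LdapPasswordProvider() { directory.put("alice", "correct horse"); }
    public boolean supports(String t) { return "password".equals(t); }
    public boolean isAuthenticated(String user, Credential... creds) {
        if (creds.length == 0) return false;
        String expected = directory.get(user);
        for (Credential c : creds) {
            if (!(c instanceof PasswordCredential)) return false;
            if (expected == null || !expected.equals(((PasswordCredential) c).password)) return false;
        }
        return true;
    }
}

// Stand-in for Keycloak's own TOTP check: a constructed map of the currently
// valid code per user, not a real HOTP/TOTP computation.
final class KeycloakTotpProvider implements AuthProvider {
    private final Map<String, String> currentCode = new HashMap<>();
    KeycloakTotpProvider() { currentCode.put("alice", "123456"); }
    public boolean supports(String t) { return "totp".equals(t); }
    public boolean isAuthenticated(String user, Credential... creds) {
        if (creds.length == 0) return false;
        String expected = currentCode.get(user);
        for (Credential c : creds) {
            if (!(c instanceof TotpCredential)) return false;
            if (expected == null || !expected.equals(((TotpCredential) c).code)) return false;
        }
        return true;
    }
}

// Brokers a realm's credentials across providers. Every presented credential must be
// verified by a provider that supports it; a credential type nobody supports fails closed.
final class RealmAuthBroker {
    private final List<AuthProvider> providers = new ArrayList<>();
    RealmAuthBroker add(AuthProvider p) { providers.add(p); return this; }

    boolean isAuthenticated(String username, Credential... credentials) {
        if (credentials.length == 0) return false;          // nothing presented, nothing proven
        for (Credential c : credentials) {
            AuthProvider handler = null;
            for (AuthProvider p : providers) {
                if (p.supports(c.type())) { handler = p; break; }
            }
            if (handler == null) return false;               // unsupported type: fail closed
            if (!handler.isAuthenticated(username, c)) return false;
        }
        return true;
    }
}

public class AuthBrokerDemo {
    public static void main(String[] args) {
        RealmAuthBroker realm = new RealmAuthBroker()
            .add(new LdapPasswordProvider())
            .add(new KeycloakTotpProvider());

        // password routed to the "LDAP" side, TOTP to the "Keycloak" side; both must pass
        System.out.println(realm.isAuthenticated("alice",
            new PasswordCredential("correct horse"), new TotpCredential("123456")));
        // wrong password presented to the LDAP side
        System.out.println(realm.isAuthenticated("alice",
            new PasswordCredential("wrong"), new TotpCredential("123456")));
        // a credential type no provider supports (a hypothetical hardware OTP) is rejected
        System.out.println(realm.isAuthenticated("alice",
            new PasswordCredential("correct horse"),
            new Credential() { public String type() { return "hardware-otp"; } }));
    }
}
```

Save as `AuthBrokerDemo.java` and run with `java AuthBrokerDemo.java` (Java 11 or later). The design point worth keeping when building a real SPI is the fail-closed path: a credential the realm cannot route to any provider, or a provider that cannot look up the user, must yield "not authenticated" rather than being silently skipped, otherwise adding a new credential type weakens rather than strengthens the login.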
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 27 January, 2014 5:12:48 PM
Subject: [keycloak-dev] can we get away with federating user/cred only?
Can we get away with federating user and credentials only? Only store
those in LDAP/AD? Would sure make our lives a lot easier and this may
cover 80% of deployments that need it?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev