2:56 p.m.
If I am reading
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
correctly, the only thing needed for a Keycloak social login is a URL to a login page that
the user can be directed to when they are not logged in, and to have that login page send
back a response that Keycloak can use to verify the user and get their details.
So if I had appropriate permissions to use https://saml.redhat.com/idp/, could that be
added as a social login?
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
6:30 a.m.
In theory that should work. The social login feature at the moment has only been tested
for OAuth and OAuth2 providers, so may need some tweaking for a SAML provider.
We're also assuming that a social provider is able to retrieve a basic user profile
(https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...),
but you could just return a username and require users to update their profile on first
social login ("Update profile on first social login" option on realm settings in
admin console).
In the future we plan to provide support for federation of authentication (other Keycloak
realms, SAML, LDAP, etc.), but this is a good way to get something working with what
Keycloak provides at the moment.
By the way at the moment the admin console has a hard-coded list of social providers, but
in the next release this will be dynamic. So all you'd need is to add a jar that
implements the social provider spi, and it will be available to configure it for a realm
through the admin console.
----- Original Message -----
From: "Matt Casperson" <mcaspers(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Sunday, 2 February, 2014 8:56:48 PM
Subject: [keycloak-dev] SAML as social login?
If I am reading
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
correctly, the only thing needed for a Keycloak social login is a URL to a
login page that the user can be directed to when they are not logged in, and
to have that login page send back a response that Keycloak can use to verify
the user and get their details.
So if I had appropriate permissions to use https://saml.redhat.com/idp/,
could that be added as a social login?
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:26 a.m.
I guess this would be interesting in the case where your federated IDP
didn't have role and session mgmt, single sign off, oauth/openid connect
support? Would Keycloak offer enough value add in this scenario?
On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
In theory that should work. The social login feature at the moment
has only been tested for OAuth and OAuth2 providers, so may need some tweaking for a SAML
provider.
We're also assuming that a social provider is able to retrieve a basic user profile
(https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...),
but you could just return a username and require users to update their profile on first
social login ("Update profile on first social login" option on realm settings in
admin console).
In the future we plan to provide support for federation of authentication (other Keycloak
realms, SAML, LDAP, etc.), but this is a good way to get something working with what
Keycloak provides at the moment.
By the way at the moment the admin console has a hard-coded list of social providers, but
in the next release this will be dynamic. So all you'd need is to add a jar that
implements the social provider spi, and it will be available to configure it for a realm
through the admin console.
----- Original Message -----
> From: "Matt Casperson" <mcaspers(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Sunday, 2 February, 2014 8:56:48 PM
> Subject: [keycloak-dev] SAML as social login?
>
> If I am reading
>
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
> correctly, the only thing needed for a Keycloak social login is a URL to a
> login page that the user can be directed to when they are not logged in, and
> to have that login page send back a response that Keycloak can use to verify
> the user and get their details.
>
> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
> could that be added as a social login?
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Engineering Content Services
> Brisbane, Australia
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:29 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 4 February, 2014 3:26:49 PM
Subject: Re: [keycloak-dev] SAML as social login?
I guess this would be interesting in the case where your federated IDP
didn't have role and session mgmt, single sign off, oauth/openid connect
support? Would Keycloak offer enough value add in this scenario?
Anything to prevent users from having to maintain multiple usernames and passwords is a
good thing IMO
On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
> In theory that should work. The social login feature at the moment has only
> been tested for OAuth and OAuth2 providers, so may need some tweaking for
> a SAML provider.
>
> We're also assuming that a social provider is able to retrieve a basic user
> profile
>
(https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...),
> but you could just return a username and require users to update their
> profile on first social login ("Update profile on first social login"
> option on realm settings in admin console).
>
> In the future we plan to provide support for federation of authentication
> (other Keycloak realms, SAML, LDAP, etc.), but this is a good way to get
> something working with what Keycloak provides at the moment.
>
> By the way at the moment the admin console has a hard-coded list of social
> providers, but in the next release this will be dynamic. So all you'd need
> is to add a jar that implements the social provider spi, and it will be
> available to configure it for a realm through the admin console.
>
> ----- Original Message -----
>> From: "Matt Casperson" <mcaspers(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Sunday, 2 February, 2014 8:56:48 PM
>> Subject: [keycloak-dev] SAML as social login?
>>
>> If I am reading
>>
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
>> correctly, the only thing needed for a Keycloak social login is a URL to a
>> login page that the user can be directed to when they are not logged in,
>> and
>> to have that login page send back a response that Keycloak can use to
>> verify
>> the user and get their details.
>>
>> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
>> could that be added as a social login?
>>
>> Regards
>>
>> Matthew Casperson
>> RHCE, RHCJA # 111-072-237
>> Engineering Content Services
>> Brisbane, Australia
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:35 a.m.
On 2/4/2014 10:29 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 4 February, 2014 3:26:49 PM
> Subject: Re: [keycloak-dev] SAML as social login?
>
> I guess this would be interesting in the case where your federated IDP
> didn't have role and session mgmt, single sign off, oauth/openid connect
> support? Would Keycloak offer enough value add in this scenario?
Anything to prevent users from having to maintain multiple usernames and passwords is a
good thing IMO
I'm saying that why would you use Keycloak if you already had a SAML
IDP? Does Keycloak provide enough additional value-add in that scenario
to justify us making a SAML "social" connector a priority?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:49 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 4 February, 2014 3:35:08 PM
Subject: Re: [keycloak-dev] SAML as social login?
On 2/4/2014 10:29 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 4 February, 2014 3:26:49 PM
>> Subject: Re: [keycloak-dev] SAML as social login?
>>
>> I guess this would be interesting in the case where your federated IDP
>> didn't have role and session mgmt, single sign off, oauth/openid connect
>> support? Would Keycloak offer enough value add in this scenario?
>
> Anything to prevent users from having to maintain multiple usernames and
> passwords is a good thing IMO
>
I'm saying that why would you use Keycloak if you already had a SAML
IDP? Does Keycloak provide enough additional value-add in that scenario
to justify us making a SAML "social" connector a priority?
I think it's a nice feature to allow users login with their account on a different
provider (whether or not its a KC realm, Google+, or a SAML IDP).
Also, shouldn't jboss.org be counted as one of the social "networks" we
support? I think adding some more professional social networks such as LinkedIn, GitHub
and jboss.org! would be good.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:57 p.m.
The value KeyCloak offers us (if I understand correctly) is that we can build applications
against KeyCloak and not have to worry about where the users details eventually come from.
In our local deployment, KeyCloak might be nothing more than a middleman between our
application and an existing SSO solution. But it is nice to be able to support other
deployment scenarios where KeyCloak is used as a complete and independent security
solution, with no changes to our code.
So it is very valuable to us to have a project like KeyCloak providing a sliding scale
solution from "just bouncing messages between the browser and the existing user
database" to "we have no existing user database, so KeyCloak has to do
everything" with little more than a few toggles in a UI.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 5 February, 2014 1:26:49 AM
Subject: Re: [keycloak-dev] SAML as social login?
I guess this would be interesting in the case where your federated IDP
didn't have role and session mgmt, single sign off, oauth/openid connect
support? Would Keycloak offer enough value add in this scenario?
On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
In theory that should work. The social login feature at the moment
has only been tested for OAuth and OAuth2 providers, so may need some tweaking for a SAML
provider.
We're also assuming that a social provider is able to retrieve a basic user profile
(https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...),
but you could just return a username and require users to update their profile on first
social login ("Update profile on first social login" option on realm settings in
admin console).
In the future we plan to provide support for federation of authentication (other Keycloak
realms, SAML, LDAP, etc.), but this is a good way to get something working with what
Keycloak provides at the moment.
By the way at the moment the admin console has a hard-coded list of social providers, but
in the next release this will be dynamic. So all you'd need is to add a jar that
implements the social provider spi, and it will be available to configure it for a realm
through the admin console.
----- Original Message -----
> From: "Matt Casperson" <mcaspers(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Sunday, 2 February, 2014 8:56:48 PM
> Subject: [keycloak-dev] SAML as social login?
>
> If I am reading
>
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
> correctly, the only thing needed for a Keycloak social login is a URL to a
> login page that the user can be directed to when they are not logged in, and
> to have that login page send back a response that Keycloak can use to verify
> the user and get their details.
>
> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
> could that be added as a social login?
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Engineering Content Services
> Brisbane, Australia
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:06 p.m.
Thanks for the input!
On 2/4/2014 3:57 PM, Matt Casperson wrote:
The value KeyCloak offers us (if I understand correctly) is that we
can
build applications against KeyCloak and not have to worry about where
the users details eventually come from. In our local deployment,
KeyCloak might be nothing more than a middleman between our application
and an existing SSO solution. But it is nice to be able to support other
deployment scenarios where KeyCloak is used as a complete and
independent security solution, with no changes to our code.
So it is very valuable to us to have a project like KeyCloak providing a
sliding scale solution from "just bouncing messages between the browser
and the existing user database" to "we have no existing user database,
so KeyCloak has to do everything" with little more than a few toggles in
a UI.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
<https://www.redhat.com/wapps/training/certification/verify.html?certNumbe...
Engineering Content Services
Brisbane, Australia
------------------------------------------------------------------------
*From: *"Bill Burke" <bburke(a)redhat.com>
*To: *keycloak-dev(a)lists.jboss.org
*Sent: *Wednesday, 5 February, 2014 1:26:49 AM
*Subject: *Re: [keycloak-dev] SAML as social login?
I guess this would be interesting in the case where your federated IDP
didn't have role and session mgmt, single sign off, oauth/openid connect
support? Would Keycloak offer enough value add in this scenario?
On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
> In theory that should work. The social login feature at the moment
has only been tested for OAuth and OAuth2 providers, so may need some
tweaking for a SAML provider.
>
> We're also assuming that a social provider is able to retrieve a
basic user profile
(https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...),
but you could just return a username and require users to update their
profile on first social login ("Update profile on first social login"
option on realm settings in admin console).
>
> In the future we plan to provide support for federation of
authentication (other Keycloak realms, SAML, LDAP, etc.), but this is a
good way to get something working with what Keycloak provides at the moment.
>
> By the way at the moment the admin console has a hard-coded list of
social providers, but in the next release this will be dynamic. So all
you'd need is to add a jar that implements the social provider spi, and
it will be available to configure it for a realm through the admin console.
>
> ----- Original Message -----
>> From: "Matt Casperson" <mcaspers(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Sunday, 2 February, 2014 8:56:48 PM
>> Subject: [keycloak-dev] SAML as social login?
>>
>> If I am reading
>>
https://github.com/keycloak/keycloak/blob/master/social/google/src/main/j...
>> correctly, the only thing needed for a Keycloak social login is a
URL to a
>> login page that the user can be directed to when they are not logged
in, and
>> to have that login page send back a response that Keycloak can use
to verify
>> the user and get their details.
>>
>> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
>> could that be added as a social login?
>>
>> Regards
>>
>> Matthew Casperson
>> RHCE, RHCJA # 111-072-237
>> Engineering Content Services
>> Brisbane, Australia
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3997
days inactive
3999
days old
7 comments
3 participants
participants (3)
-
Bill Burke -
Matt Casperson -
Stian Thorgersen