If we don't create a user in the db for a federated or brokered user, wouldn't we
lose a lot of functionality like:
* Account management
* Required actions
* Linking multiple brokered/federated accounts with a single internal account
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 25 March, 2015 2:49:11 PM
Subject: Re: [keycloak-dev] usersession-based UserModels
Not sure if this would be a rare case. Right now our solution is a bit
heavyweight when we have external systems (brokered or
UserFederationProvider) as we require a lot of database writes for those
that log in for the 1st time. I don't think users have hit this yet
because they haven't hit us with a lot of requests.
On 3/25/2015 1:55 AM, Stian Thorgersen wrote:
> Sounds like it would make sense for the SAML transient use-case you
> mentioned, but do we have other use-cases for it? Wouldn't it be a fairly
> big change for a rare use-case?
>
> Unless we start supporting IdP logins without provisioning an internal
> account, but that would be a pretty big change as well for something we
> haven't had a request for.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 24 March, 2015 3:54:28 PM
>> Subject: [keycloak-dev] usersession-based UserModels
>>
>> I'm thinking more and more we need UserSession based UserModels. This
>> would be the case where nothing is imported for a user with either
>> brokering or federation, but rather stored in memory for the duration of
>> the UserSession.
>>
>> If user metadata (role mappings, etc.) is all obtained from external
>> sources, there really is no need to import the data and import is just a
>> huge performance hit.
>>
>> I ran into this with "transient" nameid format and SAML brokering. In
>> this scenario the parent IDP generates a new userid each and every
>> login. This is to define an anonymous user. So, every time a user logs
>> in, it would create a brand new user in the keycloak database.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com