Hi Siva,
Some comments inline.
----- Original Message -----
From: "Siva" <siva.b(a)knowledgeflux.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, February 25, 2016 10:01:15 PM
Subject: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
Hi Experts,
I've got a scenario and am seeking your valuable inputs to take this in the right
direction.
My application is a complete server-side solution which has 6 different modules
and exposes only REST (microservice) endpoints (5 modules are hosted in a
Tomcat 8 container and 1 is hosted in Apache Karaf [OSGi bundle]) to the
external world; these will be accessed by different enterprises, and they
need to integrate their SAML 2.0 IdP for authentication.
These microservice endpoints could be integrated with their existing
portals or with their existing mobile applications; in some scenarios it
could be an exclusive client application built to consume our REST endpoints,
which could potentially be browser-based or a mobile app.
The challenge here is that, for now, we can use only SAML 2.0 based
authentication, since not all the organizations support OIDC/OAuth 2.0, and
our application should also be flexible enough to be integrated with the
existing client portals which use SAML 2.0 authentication.
We are planning to use Keycloak as an IdP broker to secure our endpoints.
Questions :
1) Can this be achieved in Keycloak? If yes, could you please provide some
inputs on architectural directions in Keycloak; e.g. should all the modules
be configured under one realm, and do we need a separate brokering
realm?
I don't think that brokering is the best solution to address your requirements. If I
understood your problem correctly, the clients trying to access your APIs belong to your
partners and not to you. Brokering is useful when you own the clients and want to create an
indirection layer in order to integrate with external identity providers (pretty much the
inverse of your use case), or during a migration when you already have some
investments in SAML and want to gradually adopt OpenID Connect for new deployments.
In your case, what you need is something that can utilize an existing trust relationship
in order to give your clients the proper security token to access your APIs.
2) Does Keycloak support the Apache Karaf container? I couldn't find any adapter
for this under the SAML adapter category.
I don't think so, but someone can give you more input on that.
3) For REST-style endpoints, how should the user credential/token details
be shared? Any example links? Kerberos is not a complete solution here,
since it needs to work on all devices (desktop, laptop & handheld).
Well, there is no sharing of user credentials, only of security tokens.
4) For the REST-based solution, can the application completely rely on
Keycloak for session management after the first time the user is
authenticated?
Any inputs on this will be highly valued.
An interesting solution would be the Security Assertion Markup Language (SAML) 2.0 Profile
for OAuth 2.0 Client Authentication and Authorization Grants [1]. It is very useful when a
client wishes to utilize an existing trust relationship, expressed through the semantics
of the SAML assertion, without a direct user approval step at the authorization server.
But, IIRC, that spec is not yet supported in KC.
I've also seen some people using SAML assertions to access RESTful resources.
Personally, I don't think it is a good approach, since there is no (standard) SAML
binding targeting RESTful resources.
There is also the SAML ECP profile, which we added recently. However, it is targeted at
specific use cases where you need to issue a SAML assertion based on some user credentials
(so you must own the users, which is not your case, I think). It also provides some very
basic support for the SP side of things, but I don't think it can help you either.
[1] https://tools.ietf.org/html/rfc7522
Regards,
Siva.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
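The exchange the reply points to in [1] (RFC 7522) is small enough to show end to end: the partner's client POSTs `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer` plus a base64url-encoded SAML assertion to the authorization server's token endpoint, and the server applies the processing rules of section 3 (trusted issuer, validity window, audience, bearer subject confirmation) before it issues an access token for the APIs. The block below is an added example written for this thread; it is not Keycloak code and not something the reply's author posted. The issuer, subject and endpoint names, and the sample assertion itself, are constructed for illustration, and XML Signature verification against the partner IdP's certificate is assumed to have been done already (with xmlsec or similar), since that step is not shown here.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion: issuer, subject and endpoint names are hypothetical,
# and it carries no XML Signature (signature verification is assumed to happen first).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2016-02-25T22:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>siva@partner.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2016-02-25T22:05:00Z"
          Recipient="https://api.example/oauth/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-02-25T21:59:00Z" NotOnOrAfter="2016-02-25T22:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://api.example/oauth/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def b64url_encode(data):
    # RFC 7522 section 2.1: base64url, not line-wrapped, '=' padding omitted
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token_request(assertion_xml, scope=None):
    """Client side: form parameters for the POST to the token endpoint (RFC 7522 2.1)."""
    params = {"grant_type": SAML2_BEARER_GRANT,
              "assertion": b64url_encode(assertion_xml.encode("utf-8"))}
    if scope:
        params["scope"] = scope
    return params

def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def validate_bearer_assertion(params, trusted_issuer, token_endpoint, now_utc):
    """Authorization-server side: processing rules of RFC 7522 section 3 applied to the
    decoded form parameters. Returns (accepted, reason); signature check assumed done."""
    now = _ts(now_utc)
    if params.get("grant_type") != SAML2_BEARER_GRANT:
        return False, "unsupported_grant_type"
    try:
        root = ET.fromstring(b64url_decode(params["assertion"]))
    except (KeyError, ValueError, ET.ParseError):
        return False, "invalid_request: assertion missing or unparsable"
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "invalid_grant: not a SAML 2.0 Assertion"
    # 1. Issuer must be an IdP this authorization server trusts
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != trusted_issuer:
        return False, "invalid_grant: untrusted issuer"
    # 2. Conditions: validity window and an AudienceRestriction naming this token endpoint
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "invalid_grant: missing Conditions"
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        return False, "invalid_grant: assertion not yet valid"
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        return False, "invalid_grant: assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if token_endpoint not in audiences:
        return False, "invalid_grant: audience mismatch"
    # 3. Subject with a bearer SubjectConfirmation whose data (if any) fits this endpoint
    subject = root.find("saml:Subject", SAML_NS)
    if subject is None or subject.findtext("saml:NameID", namespaces=SAML_NS) is None:
        return False, "invalid_grant: missing Subject"
    for sc in subject.findall("saml:SubjectConfirmation", SAML_NS):
        if sc.get("Method") != BEARER_METHOD:
            continue
        scd = sc.find("saml:SubjectConfirmationData", SAML_NS)
        if scd is not None:
            if scd.get("Recipient") and scd.get("Recipient") != token_endpoint:
                continue
            if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
                continue
        return True, "ok"
    return False, "invalid_grant: no usable bearer SubjectConfirmation"

if __name__ == "__main__":
    req = build_token_request(SAMPLE_ASSERTION, scope="orders:read")
    print("POST /oauth/token body:", urllib.parse.urlencode(req)[:80] + "...")
    print(validate_bearer_assertion(req, "https://idp.partner.example/saml",
                                    "https://api.example/oauth/token", "2016-02-25T22:01:00Z"))
```

The partner's IdP only has to mint an assertion whose Audience and Recipient name the token endpoint (a plain SAML attribute/bearer assertion, no OIDC support needed on their side); the authorization server, not the REST modules, then carries the SAML-specific validation and hands the client an OAuth access token that the Tomcat and Karaf services can verify uniformly.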