On Thu, Mar 21, 2019 at 4:58 PM Olivier Rivat <orivat(a)janua.fr> wrote:
Hi Chris,
Couple of points:
1) > Can I make these two types of user coexist in a single realm, or
do I need to split it up?
- Authentication is on a per-realm basis.
For authentication you configure a corresponding authentication flow, by
default for the entire realm.
With 4.x and 5.0, you can override the default authentication flow
for specific client applications.
If you want 2 different ways to authenticate (staff with 2FA,
username/password + TOTP, and external with 1FA, username/password),
it is best to have two different realms, with one realm for staff and another
for external people,
unless staff and partners do not access the same clients; in this case you
can override the auth flow as Olivier said before.
2) > How can I enforce policies such as requiring TOTP for our staff?
You just have to indicate that TOTP is required in the staff realm's
authentication flow.
Same remark as in 1).
3) > Can I prevent users from changing their email address and name in
the account console while still permitting password and authenticator
changes?
At first glance, there seems to be no specific tuning for this, unless writing
a specific custom plugin.
In the "Required Actions" of your auth flow, "Update Profile" is enabled
by default; if you disable it they won't be able to change their profile
but will still be able to configure OTP and change their password.
Visit also our web site for info about TOTP and realms:
http://www.janua.fr/tag/technical-blog/
Don't hesitate to come back to us if you need any further help
Regards,
Olivier Rivat
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
Le 21/03/2019 à 15:56, Chris Boot a écrit :
> Hi folks,
>
> I’ve been looking for an IdP solution for my employer for months and
> have felt like I’ve been going round and round in circles, until I
> finally gave Keycloak another try. It’s like a breath of fresh air! So
> thanks folks.
>
> Our Keycloak instance will be used to protect about a dozen
> applications, things like our wiki, monitoring control panel, and so on.
> We’ll have two different types of users who will need to use the IdP and
> login to these applications: staff and partners.
>
> Staff will need to login using LDAP federation and will be required to
> use TOTP. They should not be able to use social providers to log in.
> Staff will use their email address to login and all will use a single
> RHS domain for their email addresses.
>
> Partners will not have LDAP accounts, and should be able to opt-in to
> use TOTP. They should ideally also be able to link social accounts (e.g.
> Google or GitHub) to their existing records. Anyone not using our
> corporate email domain, but who has an account, should be considered a
> partner.
>
> Some of our applications can only be configured with a single OIDC or
> SAML provider, so Keycloak would need to handle both types of accounts
> (e.g. staff / partner) from a single login interface.
>
> I therefore have a few questions about how I might achieve such a setup:
>
> - Can I make these two types of user coexist in a single realm, or do I
> need to split it up?
>
> - How can I enforce policies such as requiring TOTP for our staff?
>
> - Can I prevent users from changing their email address and name in the
> account console while still permitting password and authenticator
> changes?
>
> Thanks in advance for any suggestions.
>
> Cheers,
> Chris
>
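The three points in the reply above (a separate staff realm, TOTP made REQUIRED in that realm's browser flow, and the "Update Profile" required action switched off) can be applied without clicking through the admin console. The script below is an added example written for this thread; it is not code from the thread, from Janua, or from the Keycloak project. It talks to the Keycloak admin REST API with only the standard library. Everything it names is an assumption to verify against your own instance: a 4.x/5.0-era server mounted under `/auth`, an admin user in the `master` realm, a realm called `staff`, the default `browser` flow whose OTP step has providerId `auth-otp-form`, the required-action alias `UPDATE_PROFILE`, and `example.com` as the corporate mail domain. The pure helpers (`classify`, `require_otp`, `disable_required_action`) run offline against constructed data; only `harden_staff_realm` contacts a server. Newer Keycloak releases restructure the browser flow into a conditional OTP subflow, so the execution lookup may need a different flow alias there.

```python
"""Apply the staff/partner split from the thread through the Keycloak admin REST API.

Added example, not code from the thread or from Keycloak. All endpoint paths,
aliases and providerIds below are assumptions about a 4.x/5.0-era server; check
them with GET requests before running against a real instance.
"""
import json
import urllib.parse
import urllib.request

STAFF_DOMAIN = "example.com"  # hypothetical corporate mail domain


def classify(email, staff_domain=STAFF_DOMAIN):
    """Return 'staff' if the address's domain is exactly the corporate domain,
    else 'partner'. Exact, case-insensitive comparison on the part after the
    last '@' rejects look-alikes such as 'example.com.evil.org' or
    'notexample.com', which a naive endswith() check would wave through."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return "staff" if domain.lower() == staff_domain.lower() else "partner"


def require_otp(executions, provider_id="auth-otp-form"):
    """Given the execution list of a flow (GET .../flows/<alias>/executions),
    return a copy of the OTP execution with requirement set to REQUIRED,
    ready to PUT back. Input is not mutated."""
    for execution in executions:
        if execution.get("providerId") == provider_id:
            updated = dict(execution)
            updated["requirement"] = "REQUIRED"
            return updated
    raise LookupError(f"no execution with providerId {provider_id!r}")


def disable_required_action(actions, alias="UPDATE_PROFILE"):
    """Given the realm's required-action list, return a copy of the named
    action with enabled and defaultAction cleared, ready to PUT back."""
    for action in actions:
        if action.get("alias") == alias:
            updated = dict(action)
            updated["enabled"] = False
            updated["defaultAction"] = False
            return updated
    raise LookupError(f"no required action with alias {alias!r}")


def _call(method, url, token, body=None):
    """Minimal JSON request helper; empty responses (204) yield None."""
    data = None if body is None else json.dumps(body).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def get_token(base, username, password):
    """Password grant against master/admin-cli, the standard admin bootstrap."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def harden_staff_realm(base, token, realm="staff", flow="browser"):
    """Create the staff realm if missing, force OTP in its browser flow and
    switch off the Update Profile required action."""
    admin = f"{base}/admin/realms"
    existing = {r["realm"] for r in _call("GET", admin, token)}
    if realm not in existing:
        _call("POST", admin, token, {"realm": realm, "enabled": True})
    execs_url = f"{admin}/{realm}/authentication/flows/{flow}/executions"
    _call("PUT", execs_url, token, require_otp(_call("GET", execs_url, token)))
    actions_url = f"{admin}/{realm}/authentication/required-actions"
    updated = disable_required_action(_call("GET", actions_url, token))
    _call("PUT", f"{actions_url}/{updated['alias']}", token, updated)


if __name__ == "__main__":
    import os
    base = os.environ.get("KC_BASE", "http://localhost:8080/auth")  # assumed /auth prefix
    tok = get_token(base, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    harden_staff_realm(base, tok)
```

Run it with `KC_ADMIN_USER` and `KC_ADMIN_PASSWORD` set; the partner realm is left alone so TOTP stays opt-in there, and `classify` is what a registration or routing step would call to decide which realm a new account belongs in. Whether disabling the required action also locks the name and email fields of the account console on your release is something to confirm in a test realm before relying on it.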
--
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user