12:28 p.m.
Hi,
In the past some systems inside my company were using a custom made sso
implementation that had the ability to do silent login among them.
On of that systems was completly refactored and is using keycloak for
authentication and authorization. Since than, we lost that silent login
feature with the other systems.
We assumed that it was ok to lost this feature for a while but now we are
trying to implement the silent login again.
So..summing up:
- System "A" is using keycloak with a realm "RealmA" with multiple
clients
(modules) with sso between them.
- Other systems "B", "C" with their custom authentication and
authorization
- We are using a custom federation on keycloak over the same users database
that is shared among all the systems.
What's the best practise to achieve sso between all the systems?
We are thinking about a proxy that detects if the user has a session on
some of the other systems and if that is true, we programatically create a
session on keycloak for a given (Is this possible with the API?).
Thank you,
JM
10:44 a.m.
Hi there,
I'm sorry for insisting again... Anyone can help me to find the best
approach?
Thank you!
JM
2017-04-27 18:28 GMT+01:00 Jorge M. <jm85martins(a)gmail.com>:
Hi,
In the past some systems inside my company were using a custom made sso
implementation that had the ability to do silent login among them.
On of that systems was completly refactored and is using keycloak for
authentication and authorization. Since than, we lost that silent login
feature with the other systems.
We assumed that it was ok to lost this feature for a while but now we are
trying to implement the silent login again.
So..summing up:
- System "A" is using keycloak with a realm "RealmA" with multiple
clients
(modules) with sso between them.
- Other systems "B", "C" with their custom authentication and
authorization
- We are using a custom federation on keycloak over the same users
database that is shared among all the systems.
What's the best practise to achieve sso between all the systems?
We are thinking about a proxy that detects if the user has a session on
some of the other systems and if that is true, we programatically create a
session on keycloak for a given (Is this possible with the API?).
Thank you,
JM
6:36 p.m.
What is your custom SSO application. Does it support SAML or OIDC? If it does, you should
be able to configure it as both an Identity Provider and a client in Keycloak to achieve
what you call silent login which I presume is just federated login.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Jorge M.
Sent: Thursday, 4 May 2017 1:14 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Help with SSO
Hi there,
I'm sorry for insisting again... Anyone can help me to find the best approach?
Thank you!
JM
2017-04-27 18:28 GMT+01:00 Jorge M. <jm85martins(a)gmail.com>:
Hi,
In the past some systems inside my company were using a custom made
sso implementation that had the ability to do silent login among them.
On of that systems was completly refactored and is using keycloak for
authentication and authorization. Since than, we lost that silent
login feature with the other systems.
We assumed that it was ok to lost this feature for a while but now we
are trying to implement the silent login again.
So..summing up:
- System "A" is using keycloak with a realm "RealmA" with multiple
clients
(modules) with sso between them.
- Other systems "B", "C" with their custom authentication and
authorization
- We are using a custom federation on keycloak over the same users
database that is shared among all the systems.
What's the best practise to achieve sso between all the systems?
We are thinking about a proxy that detects if the user has a session
on some of the other systems and if that is true, we programatically
create a session on keycloak for a given (Is this possible with the API?).
Thank you,
JM
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:15 a.m.
> Hi,
Hi,
> So..summing up:
> - System "A" is using keycloak with a realm "RealmA" with
multiple clients
> (modules) with sso between them.
> - Other systems "B", "C" with their custom authentication and
authorization
> - We are using a custom federation on keycloak over the same users
> database that is shared among all the systems.
>
> What's the best practise to achieve sso between all the systems?
> We are thinking about a proxy that detects if the user has a session on
> some of the other systems and if that is true, we programatically create a
> session on keycloak for a given (Is this possible with the API?).
One possible solution could be to use Keycloak as authentification
system for systems B and C.
You can may be use the apache module to proxy these apps and trigger the
authentication workflow with keycloak.
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/mod-...
Thomas
5:51 a.m.
Thank you all for the replies.
The "SSO" solution used on the other systems is an old custom in house
solution based on tokens (inspired by oauth but not properly compliant with
the spec).
One of the possibilities is to use keycloak as authentication provider in
all the systems. Here, probably we should use different realms as the scope
of the apps is different and also we want to use different login page
themes, etc.
So, is it possible to do SSO among different realms? How can we do that? Is
there any example?
Thank you,
JM
2017-05-04 7:15 GMT+01:00 Thomas Recloux <thomas(a)recloux.fr>:
> > Hi,
Hi,
> > So..summing up:
> > - System "A" is using keycloak with a realm "RealmA" with
multiple
clients
> > (modules) with sso between them.
> > - Other systems "B", "C" with their custom authentication
and
authorization
> > - We are using a custom federation on keycloak over the same users
> > database that is shared among all the systems.
> >
> > What's the best practise to achieve sso between all the systems?
> > We are thinking about a proxy that detects if the user has a session on
> > some of the other systems and if that is true, we programatically
create a
> > session on keycloak for a given (Is this possible with the API?).
One possible solution could be to use Keycloak as authentification
system for systems B and C.
You can may be use the apache module to proxy these apps and trigger the
authentication workflow with keycloak.
https://keycloak.gitbooks.io/documentation/securing_apps/
topics/oidc/mod-auth-openidc.html
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:34 a.m.
So, is it possible to do SSO among different realms? How can we do
that? Is there any example?
No, it's not possible
When https://issues.jboss.org/browse/KEYCLOAK-2671 will be
implemented, the login theme will be able generate different content
for specific clients.
12:02 p.m.
Hi,
I'm trying to implement a proof of concept that authenticates a user using
the API direct access grant with grant_type password (no social login on
this scenario), and after getting the tokens I use them to create a session
in the browser (using javascript adapter).
That is actually working fine... except the SSO! :(
I think that my problem with SSO is related with the checkLoginIframe. If
checkLoginIframe is enabled the login doesn't work. If I disable it, the
login works fine but no SSO. Am I doing something wrong? Can I get SSO with
this approach?
My JS adapter code that works fine for login:
keycloak.init({
checkLoginIframe : false,
token: "xxx",
refreshToken: "xxx",
idToken: "xxx"
}).success(function(authenticated){
if(!authenticated){
keycloak.login();
} else {
loadData();
}
}).error(function () {
});
Thank you,
JM
2017-05-04 13:34 GMT+01:00 Thomas Recloux <thomas(a)recloux.fr>:
So, is it possible to do SSO among different realms? How can we do that?
Is there any example?
No, it's not possible
When https://issues.jboss.org/browse/KEYCLOAK-2671 will be implemented,
the login theme will be able generate different content for specific
clients.
7:36 a.m.
New subject: Complete overview of event types
Hi,
Is there a complete overview of event types?
I found the event listener example here:
https://github.com/keycloak/keycloak/tree/master/examples/providers/event...
And a few possible events here:
https://keycloak.gitbooks.io/documentation/server_admin/topics/events/log...
But is there another overview of all events? In particular, I need to intercept events
when a user is enabled/disabled and deleted. And session events when e.g. a token has
timed out.
Regards
Ben
3071
days inactive
3081
days old
7 comments
4 participants
participants (4)
-
Adam Keily -
Jorge M. -
Stadin, Benjamin -
Thomas Recloux