Thanks Bill,
Is there a subtle distinction between identity brokering vs federation?
Is there anywhere which details the interaction on subsequent logins? I
found this page useful for the initial login:
http://www.keycloak.org/docs/1.9/server_admin_guide/topics/identity-broke...
I assume credentials are not imported/created during the identity
federation, hence on a return visit Keycloak would forward an
authentication request to the target IdP - effectively step 5 in the flow
linked above.
Danny
> Message: 6
> Date: Thu, 13 Apr 2017 10:25:14 -0400
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Identity Brokering
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <3e60adeb-bb6f-ef07-7f55-3c5611c0122b(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> brokering is authentication delegation. The user is imported, a local
> account is created and linked to the external IDP.
>
> On 4/13/17 9:12 AM, Danny Regis wrote:
> > Hello,
> >
> > I'm trying to gain clarity on whether there is a subtle difference between
> > Identity Federation / Identity Brokering / Authentication Brokering.
> >
> > Looking at the documentation for Identity Providers, it details this as
> > Identity Brokering, what I can't ascertain (and haven't been able to demo)
> > is exactly how this works. The documentation implies that the first broker
> > login flow creates a local user. What happens on the second login? Would
> > the user always be redirected to the IdP login pages? If so what is the
> > local user copy for?
> >
> > Potentially I'm confusing federated Open ID Connect SSO with Identity
> > Brokering.
> >
> > My specific use case...
> >
> > Application A users authenticated and authorised via Identity Provider B
> > (Open Id Connect)
> >
> > However application A users should always be authenticated against IdP B,
> > there should never be local authentication based upon a local KC user.
> >
> > Would disabling "Create User If Unique" from the First Broker Login flow
> > fulfil my requirement?
> >
> > Thanks
> > Danny
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 40, Issue 20
> *********************************************