You're free to use the option (2) if you want but that would be really
much harder to implement and your DB will need to store all the metadata
about users which keycloak needs (For example required actions,
persistent grants, role mappings etc). See the interface of UserModel
here:
https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/...
With federation, you can choose what would be stored in Keycloak DB and
what in your user DB. So for example user passwords and basic attributes
(firstName, lastName, email, ...) will be still just in your DB and
other required metadata by Keycloak (for example required actions) in
the keycloak DB.
Marek
On 26.5.2015 02:14, pubudu gunawardena wrote:
Thanks for the answer Marek. I actually did look into the user
federation example that comes with keycloak. In the settings for that,
there are buttons/settings to fully import users or to import
differences periodically which would bring the data to keycloak. The
thing is that there is already a database for users for the custom
website and Wordpress will also create its own users on login. With
keycloak there will be a third database of users whiich I feel will
lead to difficulties in maintaining. That is the reason why I wanted
to look for a solution that would not import the data to keycloak, but
authenticate against my user database directly.
On Mon, May 25, 2015 at 7:38 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> It depends what exactly you need.
> 1) There is User Federation SPI, which allows to pull data about users from
> your own database and partially import it to Keycloak. See docs
>
http://keycloak.github.io/docs/userguide/html/user_federation.html . This
> SPI allows you to specify which data will be pulled from your DB to Keycloak
> DB, so your store doesn't need to support storing all Keycloak user metadata
>
> 2) UserProvider SPI - in this case you will need to implement whole model by
> yourself. Note that your store will need to support all Keycloak metadata
> (For example data about user's required actions etc).
>
> For most deployments (1) is better and much easier choice.
>
> Marek
>
>
> On 25.5.2015 11:32, pubudu gunawardena wrote:
>> Hi All,
>>
>> I am trying to use Keycloak to implement SSO for two websites, one
>> Wordpress and another custom implemented. I want to make Keycloak use
>> the existing database but would prefer to not import the data to
>> Keycloak, which would make another copy of the data. Is something like
>> this possible with keycloak?
>