On 19.3.2015 21:09, Anton Hughes wrote:
Yes, Keycloak also verifies during each authentication (or
interaction with the UserModel) whether the user still exists in your backend,
and the user is removed from the Keycloak DB if not.
> Thank you Marek
> To check that I understand this approach correctly, is the
> following a correct summary of how a federation provider
> - existing user tries to login via Keycloak
> - Keycloak checks if the user exists in the keycloak IDM.
> If user is not there then use federation provider
> - the provider will get the user by email address or
> username, and return the User object.
> - This user object can then be mapped and saved into
> - Next time user tries to login user is retrieved from
Normally the user is synced to the Keycloak DB after a successful login (your
step 4), but you can also sync all your users from your storage at
once or set up a periodic sync.
The user password would be verified against your DB, but it is flexible
enough that, for example, if the user changes his password in Keycloak
Account mgmt you can either save it to your backend or to keycloak
Installed into Keycloak. I would suggest taking a look at the examples
and trying them out. This will give you more insight.
> Question - where is the federated provider deployed? Is
> it in our app, or installed into Keycloak? Or something
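The lookup-then-import flow Anton summarises, together with the re-validation Marek describes (the backend is re-checked on each interaction and a user who no longer exists there is dropped from the Keycloak DB), as an added simulation that is not part of this thread and not Keycloak's own code. `BackendStore`, `LocalIdm` and `FederationFlow` are constructed stand-ins for the external user database, the Keycloak DB and the federation provider; the unsalted SHA-256 in the backend stub is only there to keep the example self-contained.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    federated: bool = True  # imported from the external store, not created in Keycloak


class BackendStore:
    """Constructed stand-in for 'your backend' user DB (username -> email, password hash).
    A real backend would use a proper password hash (bcrypt, Argon2); plain SHA-256 is
    only used here to keep the example dependency-free."""

    def __init__(self, records):
        self._users = {}
        for username, email, password in records:
            self._users[username] = (email, self._hash(password))

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def get(self, username):
        rec = self._users.get(username)
        return None if rec is None else {"email": rec[0]}

    def check_password(self, username, password):
        rec = self._users.get(username)
        # constant-time comparison of the stored and supplied hashes
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password))

    def remove(self, username):
        self._users.pop(username, None)


class LocalIdm:
    """Constructed stand-in for the Keycloak DB that holds imported (federated) users."""

    def __init__(self):
        self._users = {}

    def get(self, username):
        return self._users.get(username)

    def save(self, user):
        self._users[user.username] = user

    def remove(self, username):
        self._users.pop(username, None)

    def __contains__(self, username):
        return username in self._users


class FederationFlow:
    """Steps 2-5 of the summary plus the per-interaction existence check."""

    def __init__(self, local, backend):
        self.local = local
        self.backend = backend

    def find_user(self, username):
        user = self.local.get(username)
        if user is None:
            # step 2/3: not in the local IDM, ask the federation backend
            rec = self.backend.get(username)
            if rec is None:
                return None
            user = User(username, rec["email"])
            self.local.save(user)  # step 4: map and save into the Keycloak DB
            return user
        if user.federated and self.backend.get(username) is None:
            # backend user is gone: drop the stale import so the account cannot linger
            self.local.remove(username)
            return None
        return user

    def authenticate(self, username, password):
        user = self.find_user(username)
        if user is None:
            return False
        # the password is verified against the backend, not a local copy
        return self.backend.check_password(username, password)


def run_demo():
    """Runs the flow on one constructed user and returns what happened at each step."""
    backend = BackendStore([("alice", "alice@example.test", "correct horse")])
    flow = FederationFlow(LocalIdm(), backend)
    results = {}
    results["first_login"] = flow.authenticate("alice", "correct horse")
    results["imported"] = "alice" in flow.local          # step 4 happened
    results["second_login"] = flow.authenticate("alice", "correct horse")  # step 5
    results["wrong_password"] = flow.authenticate("alice", "wrong")
    backend.remove("alice")                              # user deleted in the backend
    results["after_backend_delete"] = flow.authenticate("alice", "correct horse")
    results["still_imported"] = "alice" in flow.local    # stale import was removed
    return results


if __name__ == "__main__":
    print(run_demo())
```

The last two results are the point of Marek's remark: once the backend no longer knows the user, the next interaction removes the imported record and the login fails, so an import does not outlive the account it was copied from.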