Bill - Just wanted to let you know the Identity Broker currently being built meets my
requirements. I have successfully tested out a complex scenario (given below) involving
both SPNEGO as well as SAML Service Provider functionality
1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.
2) KC on another host acting as SAML SP communicating with IDP (Point 1) and a client using OpenID Connect (Point 3)
3) A Client application communicating with KC (refer to Point 2) using OpenID Connect
Any user accessing the client application will now be seamlessly authenticated without
entering a password. Now I am looking for the "custom profiles" functionality
which would help me move forward. Just to reiterate my requirement - once the user is
authenticated, I would like to make an LDAP call (in some cases multiple calls to different
repositories) to retrieve all user information that should eventually be populated in the
SAML claims or OIDC id_token selectively.
A big thank you to you and the entire dev team for accommodating our requests :-). Great
Job!!!
Regards,
Raghu
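One way to implement the post-authentication directory enrichment described in the message above, as an added example that is not part of the original thread and not Keycloak's own mapper SPI: the authenticated Kerberos principal is mapped to a directory key, looked up in two repositories in precedence order, and only allowlisted attributes are copied into the id_token claims. The realm name, the two in-memory "directories", the attribute-to-claim map and the required-claim list are all constructed for the example; a real deployment would replace the dictionaries with LDAP searches.

```python
"""Claim enrichment after brokered (SPNEGO) authentication: look the authenticated
principal up in one or more directories and copy only allowlisted attributes into
the id_token claims. Constructed example; not Keycloak code."""
from typing import Any, Dict, Iterable

# Constructed trust boundary: only principals from this Kerberos realm are accepted.
TRUSTED_REALM = "EXAMPLE.COM"

# Constructed in-memory stand-ins for two LDAP repositories, keyed by uid.
# A real deployment would search each directory (e.g. with ldap3) for the uid.
HR_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "raghu": {
        "mail": "raghu@example.com",
        "department": "Payments",
        "employeeNumber": "10042",
        "title": "Engineer",
        "userPassword": "{SSHA}not-a-real-hash",  # must never reach a token
    },
}
APP_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "raghu": {"appRole": ["approver", "auditor"], "department": "Treasury"},
}

# Allowlist: directory attribute -> claim name. Attributes absent from this map
# (title, userPassword, ...) are never copied, whatever the directory returns.
CLAIM_MAP: Dict[str, str] = {
    "mail": "email",
    "department": "department",
    "employeeNumber": "employee_id",
    "appRole": "roles",
}
# Claims the relying party cannot work without; a missing one aborts issuance.
REQUIRED_CLAIMS = ("email",)


class UserNotFound(Exception):
    """Authenticated principal has no directory entry; do not issue a token."""


class MissingRequiredClaim(Exception):
    """Directory data is incomplete for a required claim."""


def principal_to_uid(principal: str) -> str:
    """Map a Kerberos principal such as 'raghu@EXAMPLE.COM' to the directory key."""
    if "@" not in principal:
        raise ValueError(f"expected user@REALM, got {principal!r}")
    uid, realm = principal.rsplit("@", 1)
    if realm.upper() != TRUSTED_REALM:
        raise ValueError(f"principal from untrusted realm {realm!r}")
    return uid.lower()


def lookup(directories: Iterable[Dict[str, Dict[str, Any]]], uid: str) -> Dict[str, Any]:
    """Query each repository in precedence order; the first repository that
    defines an attribute wins, later ones only fill gaps."""
    merged: Dict[str, Any] = {}
    found = False
    for directory in directories:
        entry = directory.get(uid)
        if entry is None:
            continue
        found = True
        for attr, value in entry.items():
            merged.setdefault(attr, value)
    if not found:
        raise UserNotFound(uid)
    return merged


def build_id_token_claims(principal: str,
                          directories=(HR_DIRECTORY, APP_DIRECTORY)) -> Dict[str, Any]:
    """Produce the claims to place in the id_token for an authenticated principal."""
    uid = principal_to_uid(principal)
    attrs = lookup(directories, uid)
    claims: Dict[str, Any] = {"sub": uid, "preferred_username": principal}
    for attr, claim in CLAIM_MAP.items():
        if attr in attrs:
            claims[claim] = attrs[attr]
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise MissingRequiredClaim(", ".join(missing))
    return claims


if __name__ == "__main__":
    print(build_id_token_claims("raghu@EXAMPLE.COM"))
```

The allowlist is the security-relevant piece: the directory entry carries attributes (here `title` and `userPassword`) that must not appear in a token handed to a relying party, and the mapper decides what is copied rather than the directory. Refusing to issue when the principal is unknown or a required attribute is absent keeps a misconfigured repository from silently producing tokens with empty claims.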
From: Raghu Prabhala <prabhalar(a)yahoo.com>
To: Bill Burke <bburke(a)redhat.com>; "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Sent: Monday, February 9, 2015 8:13 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
I think that would satisfy my requirements - but not sure until I see that bridge along
with the Identity broker functionality in the next beta release - eagerly waiting for it.
From: Bill Burke <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Friday, February 6, 2015 10:21 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
Keycloak won't be a kerberos server any time soon, if ever. We are
creating a SAML/OIDC to kerberos bridge though.
On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
Unfortunately yes. Kerberos is deeply ingrained in most internal
applications/processes. While we can ask any new applications to use certificates, we have
to support Kerberos.
If that is not something that you will support, probably identity brokering would help. I
can write a Kerberos broker as long as it is given control (need http request)
immediately by Keycloak, perhaps I can handle both authentication with key tabs (for
system accts) as well as SPNEGO for users
Sent from my iPhone
> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>
>
> ----- Original Message -----
>> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
>> Sent: Friday, 30 January, 2015 2:44:14 PM
>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>
>> Great. Looking forward to the 1.2 Beta version.
>> Regarding the system account support, from my perspective, it is very
>> important because we have thousands of applications that interact with each
>> other using system accounts (authentication with Kerberos with keytabs) and
>> till we have that functionality, we will not be able to consider Keycloak as
>> a SSO solution even though it is coming out to be a good product. The sooner
>> we have it, the better. Hopefully, even other users will pitch in to request
>> that functionality so that you can bump it up in your priority list.
>> Thanks once again.
>> Raghu
>
> For your use-case would it have to be Kerberos? Only options we've been
> considering are certificates and jwt/jws.
>
>> From: Stian Thorgersen <stian(a)redhat.com>
>> To: Raghu Prabhala <prabhalar(a)yahoo.com>
>> Cc: keycloak dev <keycloak-dev(a)lists.jboss.org>; keycloak-user
>> <keycloak-user(a)lists.jboss.org>
>> Sent: Friday, January 30, 2015 2:10 AM
>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>
>>
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>, "keycloak-user"
>>> <keycloak-user(a)lists.jboss.org>
>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Congrats Keycloak team. A great deal of features in this release - really
>>> like SAML and clustering.
>>>
>>> But what I am really looking for is the next release as we need all the
>>> features you listed -any tentative dates for the beta version?
>>
>> We might do a beta soon, but that'll only include identity brokering. The
>> other features will be at least a month away.
>>
>>>
>>> The functionality provided so far seems to be targeted toward users
>>> accounts.
>>> When can we expect support for System accounts (with diff auth mechanisms
>>> like certificates, Kerberos etc?
>>
>> Some time this year we aim to have system accounts with certificates, it'll
>> depend on priorities. We don't have any plans to support Kerberos
>> authentication with system accounts, but maybe that makes sense to add as
>> well.
>>
>>
>>
>>>
>>> Thanks,
>>> Raghu
>>>
>>> Sent from my iPhone
>>>
>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>
>>>> The Keycloak team is proud to announce the release of Keycloak
>>>> 1.1.0.Final.
>>>> Highlights in this release include:
>>>>
>>>> * SAML 2.0
>>>> * Clustering
>>>> * Jetty, Tomcat and Fuse adapters
>>>> * HTTP Security Proxy
>>>> * Automatic migration of db schema
>>>>
>>>> We've already started working on features for the next release. Some
>>>> exciting features coming soon include:
>>>>
>>>> * Identity brokering
>>>> * Custom user profiles
>>>> * Kerberos
>>>> * OpenID Connect interop
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com