Why not just register the customer IdPs directly with Keycloak using
identity brokering?
On 22 December 2016 at 02:27, Dana Danet <Dana.Danet(a)evisions.com> wrote:
Thank you for responding, and I apologize if my question was misleading. Let me try again.
My requirement is to support an SSO IdM/IdP for customers without their own
system, ideally in a multi-tenant way, and to support SSO for customers
that have on-premise SSO implementations, mostly InCommon.
We have decided to implement Ping as an SP to handshake with the on-premise
(InCommon) customers. Since these integration points could be more than
just InCommon, my thought is that Ping will accept the authN, translate
the properties to a grant (SAML2) and forward to Keycloak to create the
JWT. I attached an image reflecting this below.
My question is how would I register within Keycloak that AuthN would be
handled by Ping, and to create a JWT.
On Dec 15, 2016, at 11:41 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Not quite sure what you're asking here as there seem to be 3 IdPs?
Customer IdP, Ping and Keycloak?
On 14 December 2016 at 17:25, Dana Danet <Dana.Danet(a)evisions.com> wrote:
> I just recently introduced KC to a Spring Cloud micro-service environment
> as the IDM and OAuth manager of JWT tokens. Front end clients are
> implementing the JavaScript adapter and backend Spring Boot services are
> implemented with the Spring Security adapter (not boot adapter). Our
> Service Gateway (Zuul) simply passes the token to backend services.
>
> My question is regarding offloading AuthN and IDP to external
> systems and then brokering to Keycloak for JWT creation. Which would look
> something like
> ( Customer on premise AuthN) —> Ping —> Keycloak. Ping has been
> introduced purely as an SP to handle customers' implementations of
> Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP
> mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>
> Is this possible? I would appreciate some guidance here.
>
> -dana