I originally proposed that we separate out the account registration to a separate screen
from the additional business data entry and hop over to keycloak for the account
registration part. This would work, however, our business analysts would prefer to keep
the user experience the same as it is today.

As far as replicating the exact same screen we have today, I would see issues with that.
We have dynamic headers, footers and side navigation functionality that would be difficult
to implement in keycloak. This is also part of a larger flow so we would need to be able
to handle forward/back navigation buttons. There is also quite a bit of additional data
that we capture, so I could see future maintenance being an issue if we had to update
keycloak every time we wanted to make changes. It's a good thought, but unfortunately
I think our page is too complex for that.

One thought I had was utilizing the new identity broker functionality for this. Our app
would be set up as both a SAML service provider and a SAML brokered identity provider. Our
app would send a SAML response to keycloak as the identity provider, keycloak would create
an SSO session for that user and then send the user back to our app with a keycloak SAML
response. Not quite the standard use case for this feature, but any thoughts on if this
might work?

-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Tuesday, April 07, 2015 11:57 PM
To: Bill Burke
Cc: Schneider, Tom; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] External Registration Flow
Taking one step back on this. You say you can't use Keycloak's registration
screens as you collect additional business data. If you could edit the registration page
on Keycloak (which you already can) then intercept the required information in an event
listener (which you soon can) would that satisfy your needs?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Tom Schneider" <tschneider(a)connecture.com>,
keycloak-user(a)lists.jboss.org
Sent: Tuesday, 7 April, 2015 6:01:29 PM
Subject: Re: [keycloak-user] External Registration Flow
Wouldn't you want Keycloak to ask for new credential input? That way
you can control from keycloak what credential types are required.
On 4/7/2015 11:52 AM, Schneider, Tom wrote:
> That is close, but not quite the flow we're trying to implement.
> This would be the flow we are attempting to implement:
>
> 1. Visit app
> 2. Click on registration link within app
> 3. Fill out registration info
> 4. App calls keycloak webservices to create user and set password
> 5. Redirect to keycloak
> 6. ??? (Currently SAML Login)
> 7. Redirect back to app
>
> Ideally I would think there would be a way for the app to request
> some kind of token that can be sent back to keycloak to allow the
> user to be logged in with having the end user login explicitly.
> However, I haven't found anything that would do something like this yet.
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Bill
> Burke
> Sent: Tuesday, April 07, 2015 10:31 AM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] External Registration Flow
>
> To have the seamless integration you want, Keycloak would need some
> kind of remote registration protocol so that registration could be
> delegated to another app. We don't have this ability yet. This is
> because you want this flow, right?:
>
> 1. Visit app
> 2. Redirected to Keycloak login
> 3. Click on registration link on page
> 4. Redirect to External registration app
> 5. Register
> 6. Redirect back to keycloak
> 7. Import user
> 8. Redirect back to app
>
>
> On 4/7/2015 10:17 AM, Schneider, Tom wrote:
>> I have an existing application that I'm looking to integrate with
>> keycloak. One of the flows we're working on is a user
>> self-registration flow. In this flow, a user will enter
>> registration information, then the user will be provisioned within
>> the local app and then we use web service calls to create the user in keycloak.
>> After the user is provisioned, then we do a SAML post to keycloak,
>> the user logs in and then they are redirected back to our app.
>>
>> This is all working fine, however, the user must enter their
>> username and password twice, once on the registration screen and
>> once to log into keycloak to establish an SSO session. We'd like
>> to avoid using the keycloak registration screens since we collect
>> additional business data on our registration screen that our app
>> needs. Are there any suggestions on how to avoid this double login?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com