Hi Bill,
Thanks for the quick response. By "federated user" I meant a user from an external
IDP.
There are two scenarios in our application which we plan to address using Keycloak:
a) A user who interactively logs into the web client
b) A background process that acts on behalf of the user in (a)
In case (a), every time the user logs into the system, he/she is authenticated by the
external IDP. But in case (b), because it is a background process, the user logs in with
his credentials only once and then uses the refresh token (which has a very long time to
live, or never expires); in this scenario, after the initial authentication there is no
further interaction with the external IDP.
There could be situations where the user in the external IDP is fired/removed, hence
Keycloak might have to know whether the user is still valid before allowing the refresh of
the tokens to happen. I am just wondering if this is handled by any means before reissuing
the refresh token?
In our current implementation, the SCIM protocol was used for this purpose: to listen for
any DELETE USER operations at the external IDP end and update the status of the user at
the SP end. So during token validation, this user status is verified.
Please let me know if there is a similar plan in Keycloak too.
Thanks
Kamal
**************************************
What do you mean by federated user? We have the concept of federating
between IDPs, where Keycloak is the child and an external IDP is the
parent. In this case, we do not check the status of the external user
at all. I'm not currently aware of any standard we can use to do this.
From: Kamal Jagadevan <j.kamal(a)ymail.com>
To: Keycloak-user <keycloak-user(a)lists.jboss.org>
Sent: Monday, July 13, 2015 5:39 PM
Subject: Use case of Deprovisioning a user in Federated IDP
Hello, I would like to know how de-provisioning of a user in the federated IDP case is
handled in Keycloak. How frequently does Keycloak validate the federated user's status
before reissuing a new access token to an already authenticated user? Are there plans to
support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap?
Following is our use case:
1. There are a few processes that will be authenticated with the federated IDP using SAML
just after user (A) registration is complete (one-time manual login).
2. Subsequently the SP will issue the token pair to these processes to use as long as the
refresh token lifetime is valid.
3. Within this refresh token lifetime (if it is too long), and in the case that user (A)
is de-provisioned/removed, how would the SP be aware to block this token renewal?
Please share your thoughts.
Best,
Kamal
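The mechanism the thread is asking about (the use case in the original post, and the SCIM-based approach Kamal describes in the later reply: the external IDP notifies the SP of a removed user, the SP marks the user inactive, and the token endpoint re-checks that status before renewing tokens), as an added illustration. This is example code written for this page, not Keycloak's own code or any Keycloak API; the in-memory user store, the demo HMAC signing key, the SCIM path prefix and the sample user ids are all assumptions made for the illustration.

```python
# Added example, not from the Keycloak project: an SP that learns of
# de-provisioning via SCIM and refuses to renew tokens for an inactive user.
# Store layout, subject ids and the signing key are assumptions for the demo.
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"demo-only-signing-key"   # assumed demo key, not a deployment secret
ACCESS_TTL = 300                         # short-lived access token (seconds)
REFRESH_TTL = 10 * 365 * 24 * 3600       # the "very long" refresh lifetime from the thread

# SP-side user records keyed by the external IDP's subject id (constructed sample data).
USERS = {
    "ext-1001": {"userName": "alice", "active": True},
    "ext-1002": {"userName": "bob", "active": True},
}
# refresh token -> {"sub": ..., "exp": ...}; a real SP keeps this in persistent storage
REFRESH_TOKENS = {}


def _sign_access_token(claims):
    """Demo access token: JSON claims plus an HMAC tag (not a real JWT)."""
    raw = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return raw.hex() + "." + hmac.new(SIGNING_KEY, raw, hashlib.sha256).hexdigest()


def issue_token_pair(sub, now):
    """Issue an access/refresh pair once the user has authenticated at the IDP."""
    if not USERS.get(sub, {}).get("active"):
        raise PermissionError("user is not active at the SP")
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = {"sub": sub, "exp": now + REFRESH_TTL}
    access = _sign_access_token({"sub": sub, "exp": now + ACCESS_TTL})
    return {"access_token": access, "refresh_token": refresh}


def handle_scim_request(method, path, body=None):
    """Minimal SCIM 2.0 (RFC 7644) Users endpoint exposed by the SP.

    The IDP sends DELETE /Users/{id} when the user is removed, or a PatchOp
    setting "active" to false when the account is suspended. The SP keeps the
    record but marks it inactive so later refresh attempts can be refused.
    Returns (http_status, response_body).
    """
    prefix = "/scim/v2/Users/"          # assumed base path for this example
    if not path.startswith(prefix):
        return 404, {"status": "404", "detail": "unknown resource"}
    uid = path[len(prefix):]
    user = USERS.get(uid)
    if user is None:
        return 404, {"status": "404", "detail": "user not found"}
    if method == "DELETE":
        user["active"] = False
        return 204, None
    if method == "PATCH" and body is not None:
        # Only the PatchOp "replace active" shape is handled in this example.
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = bool(op.get("value"))
        return 200, {"id": uid, "userName": user["userName"], "active": user["active"]}
    return 405, {"status": "405", "detail": "method not supported in this example"}


def _revoke_refresh_tokens_for(sub):
    for tok in [t for t, rec in REFRESH_TOKENS.items() if rec["sub"] == sub]:
        del REFRESH_TOKENS[tok]


def refresh(refresh_token, now):
    """refresh_token grant with the user-status check applied.

    Returns (ok, result): on success result is a fresh pair and the old refresh
    token is rotated out; on failure result is an OAuth-style error object.
    """
    rec = REFRESH_TOKENS.get(refresh_token)
    if rec is None or rec["exp"] <= now:
        return False, {"error": "invalid_grant",
                       "error_description": "unknown or expired refresh token"}
    # The token itself is still valid, but the SCIM listener may have marked the
    # user inactive since it was issued, so the status is checked on every refresh.
    if not USERS.get(rec["sub"], {}).get("active"):
        _revoke_refresh_tokens_for(rec["sub"])
        return False, {"error": "invalid_grant",
                       "error_description": "user has been de-provisioned"}
    del REFRESH_TOKENS[refresh_token]    # rotate: a refresh token is single-use
    return True, issue_token_pair(rec["sub"], now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    pair = issue_token_pair("ext-1001", t0)
    ok, new_pair = refresh(pair["refresh_token"], t0 + 3600)
    print("refresh before de-provisioning:", ok)
    handle_scim_request("DELETE", "/scim/v2/Users/ext-1001")
    ok, err = refresh(new_pair["refresh_token"], t0 + 7200)
    print("refresh after SCIM DELETE:", ok, err["error_description"])
```

The status check sits in the refresh path rather than only in the SCIM handler so that a long-lived or non-expiring refresh token is useless the moment the SP's copy of the user is inactive, regardless of whether the SP also tracks and revokes outstanding tokens eagerly.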