.
Seems like only the username is registered on the keycloak db when
importing data
session.userStorage().addUser(realm, username)
Does this mean that the authentication will always happen against my
database? If that is the case, then I think I can use federation.
But in the user interface there is functionality to change password
for the user as well. Is that functionality not used in federation?
On Tue, May 26, 2015 at 12:17 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
You're free to use the option (2) if you want but that would be
really much
harder to implement and your DB will need to store all the metadata about
users which keycloak needs (For example required actions, persistent grants,
role mappings etc). See the interface of UserModel here:
https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/...
With federation, you can choose what would be stored in Keycloak DB and what
in your user DB. So for example user passwords and basic attributes
(firstName, lastName, email, ...) will be still just in your DB and other
required metadata by Keycloak (for example required actions) in the keycloak
DB.
Marek
On 26.5.2015 02:14, pubudu gunawardena wrote:
>
> Thanks for the answer Marek. I actually did look into the user
> federation example that comes with keycloak. In the settings for that,
> there are buttons/settings to fully import users or to import
> differences periodically which would bring the data to keycloak. The
> thing is that there is already a database for users for the custom
> website and Wordpress will also create its own users on login. With
> keycloak there will be a third database of users whiich I feel will
> lead to difficulties in maintaining. That is the reason why I wanted
> to look for a solution that would not import the data to keycloak, but
> authenticate against my user database directly.
>
> On Mon, May 25, 2015 at 7:38 PM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>>
>> It depends what exactly you need.
>> 1) There is User Federation SPI, which allows to pull data about users
>> from
>> your own database and partially import it to Keycloak. See docs
>>
http://keycloak.github.io/docs/userguide/html/user_federation.html . This
>> SPI allows you to specify which data will be pulled from your DB to
>> Keycloak
>> DB, so your store doesn't need to support storing all Keycloak user
>> metadata
>>
>> 2) UserProvider SPI - in this case you will need to implement whole model
>> by
>> yourself. Note that your store will need to support all Keycloak metadata
>> (For example data about user's required actions etc).
>>
>> For most deployments (1) is better and much easier choice.
>>
>> Marek
>>
>>
>> On 25.5.2015 11:32, pubudu gunawardena wrote:
>>>
>>> Hi All,
>>>
>>> I am trying to use Keycloak to implement SSO for two websites, one
>>> Wordpress and another custom implemented. I want to make Keycloak use
>>> the existing database but would prefer to not import the data to
>>> Keycloak, which would make another copy of the data. Is something like
>>> this possible with keycloak?
>>
>>
>
>