Thanks Ragu. I didn't mention certificates for KC because it says "coming
soon" on the website's front page. The slide I linked to is my current
draft (I won't be able to fit all this information onto a single slide).
In OpenUnison we separate authentication mechanisms from data sources and
include federation as a form of authentication (even though strictly
speaking we don't collect credentials). So there's no "LDAP
Authentication" in OpenUnison; there's a username & password authentication
mechanism (that can be added to a chain) that would then validate that
credential through the virtual directory. Same thing for SAML and OIDC:
once we validate the assertion/token we link the user in the virtual
directory (or create a virtual user or run a just-in-time provisioning
workflow to create the user).
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
828-4902
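The architecture Marc describes above (credential mechanisms decoupled from the data source, a chain of mechanisms, linking the asserted subject in a virtual directory, and a just-in-time provisioning workflow when the user is unknown) modelled as a small Python program. This is an added illustration and not OpenUnison's or Keycloak's code: the class names, the toy HMAC-signed assertion format standing in for a SAML assertion or OIDC token, the sample user and the issuer key are all constructed for the example.

```python
# Conceptual model of an authentication chain whose credential mechanisms are kept
# apart from the user data source. Added example, not OpenUnison code: the class
# names, the toy assertion format and the sample users are assumptions.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    """Stand-in for the virtual directory: lookups, password checks and JIT writes."""
    def __init__(self):
        self._users = {}
    def add_user(self, name, password=None, **attrs):
        record = dict(attrs)
        if password is not None:
            record["_salt"] = os.urandom(16)
            record["_hash"] = _hash_password(password, record["_salt"])
        self._users[name] = record
    def lookup(self, name):
        return self._users.get(name)
    def verify_password(self, name, password):
        rec = self._users.get(name)
        if rec is None or "_hash" not in rec:
            _hash_password(password, b"\0" * 16)  # same cost whether or not the user exists
            return False
        return hmac.compare_digest(rec["_hash"], _hash_password(password, rec["_salt"]))

class PasswordMechanism:
    """Collects username and password and validates them through the directory."""
    def __init__(self, directory):
        self.directory = directory
    def authenticate(self, request):
        user, pwd = request.get("username"), request.get("password")
        if user is None or pwd is None or not self.directory.verify_password(user, pwd):
            return None
        return user

class SignedAssertionMechanism:
    """Stand-in for SAML/OIDC: checks an issuer-signed assertion, collects no credential.
    Toy format (assumed): "subject|expiry|hex(HMAC-SHA256 over subject|expiry)"."""
    def __init__(self, issuer_key):
        self.issuer_key = issuer_key
    def authenticate(self, request):
        try:
            subject, exp, sig = request.get("token", "").split("|")
            expiry = int(exp)
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self.issuer_key, f"{subject}|{exp}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()) or expiry < time.time():
            return None
        return subject

def issue_token(subject, issuer_key, ttl=300):
    # Constructed issuer side of the toy assertion format, used to build sample input.
    exp = int(time.time()) + ttl
    sig = hmac.new(issuer_key, f"{subject}|{exp}".encode(), "sha256").hexdigest()
    return f"{subject}|{exp}|{sig}"

@dataclass
class AuthResult:
    subject: "str | None" = None    # identity the mechanisms asserted, if any
    level: int = 0                  # level of the chain that succeeded
    authenticated: bool = False     # True only once the subject is linked in the directory
    attrs: dict = field(default_factory=dict)

class AuthChain:
    """All mechanisms must succeed and agree on one subject before directory linking."""
    def __init__(self, level, mechanisms, directory, jit_provision=None):
        assert mechanisms, "a chain needs at least one mechanism"
        self.level, self.mechanisms, self.directory = level, mechanisms, directory
        self.jit_provision = jit_provision  # callable(subject) -> attrs, or None
    def run(self, request):
        subject = None
        for mech in self.mechanisms:
            asserted = mech.authenticate(request)
            if asserted is None or (subject is not None and asserted != subject):
                return AuthResult()  # fail closed: no partial credit
            subject = asserted
        record = self.directory.lookup(subject)
        if record is None and self.jit_provision is not None:
            self.directory.add_user(subject, **self.jit_provision(subject))
            record = self.directory.lookup(subject)
        if record is None:
            return AuthResult(subject=subject)  # asserted but unknown and no JIT workflow
        attrs = {k: v for k, v in record.items() if not k.startswith("_")}
        return AuthResult(subject=subject, level=self.level, authenticated=True, attrs=attrs)

# Constructed sample data and chains
DIRECTORY = Directory()
DIRECTORY.add_user("alice", password="correct horse", groups=["staff"])
ISSUER_KEY = b"constructed-issuer-key"
password_chain = AuthChain(10, [PasswordMechanism(DIRECTORY)], DIRECTORY)
federated_chain = AuthChain(20, [SignedAssertionMechanism(ISSUER_KEY)], DIRECTORY,
                            jit_provision=lambda s: {"groups": ["federated"]})
```

The point the model makes is the one in the message: the password mechanism and the federated mechanism know nothing about each other, yet both end at the same directory-link step, and a chain's level comes from the chain, not from the data source. Two failure modes are handled deliberately: a chain in which one mechanism succeeds and another fails (or they disagree on the subject) yields nothing rather than a partial result, and an assertion from a trusted issuer for a subject the directory has never seen is not authenticated unless a JIT workflow is configured for that chain.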
On Wed, Feb 24, 2016 at 1:47 PM, Raghu Prabhala <prabhalar(a)yahoo.com> wrote:
Under Keycloak authentication, I would suggest Kerberos, LDAP, OTP,
certificates etc. rather than OIDC and SAML, which are not authentication
mechanisms.
It should be similar to what you have put under OpenUnison authentication.
Sent from my iPhone
On Feb 24, 2016, at 12:56 PM, Marc Boorshtein <marc.boorshtein(a)tremolosecurity.com> wrote:
So after I actually put the slide together I realized I'd never be able to
put this much information on one slide. So I tried to distill it down to
really key points:
https://s3.amazonaws.com/ts-public-downloads/random/Slide11.png
Let me know what you think. Again, I appreciate the feedback.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
828-4902
On Wed, Feb 24, 2016 at 12:22 PM, Marc Boorshtein <marc.boorshtein(a)tremolosecurity.com> wrote:
> Thanks Bill. I'm envisioning a slide with 3 columns (one for OpenUnison,
> one for KC and one where there's overlap) so I'm going to try and keep it
> brief but will certainly talk to anything I don't write down.
>
> Here's what I'm thinking for each column including your comments:
>
> OpenUnison
> Authentication
> * Kerberos
> * Certificate
> * Banner
> * Username Only
> * OTP over SMS
> * OTP over Email
> * Symantec VIP
> * JIT Provisioning
> * Authentication Levels
>
> User Data Sources
> * Integrated Virtual Directory
>
> Role Management
> * Workflow based approvals
> * Multi stage approvals
> * Escalations
>
> Application Integration
> * Reverse Proxy with LastMile (J2EE/Apache/.NET)
> * Reverse Proxy with SAML Login
> * Reverse Proxy with Kerberos Constrained Delegation
>
> UI Pages
> * Generic JSP
>
>
> Common
> Authentication
> * OIDC
> * SAML2
> * Social
> * TOTP
> * IdP "Broker" for both SAML2 and OIDC
> * Login Chain / Flow
> * Custom Interface
>
> User Data Stores
> * LDAP
> * DB
> * AD
> * Custom
> * Password reset
> * Profile Updates
>
> Role Management
> * Map to multiple data sources
> * Web services integration
>
> Application Integration
> * SAML2
> * OIDC/OAuth2
> * Reverse Proxy with header injection
>
>
> KeyCloak
> Authentication
> * OIDC
> * Social
> * TOTP
> * User session management
>
> User Data Sources
> * Integrated SPI
>
> Role Management
> * Local database
> * Mapped to external data source
>
> Application Integration
> * OIDC/OAuth2
> * REST Web Services
>
>
> UI Pages
> * Themed
> * Internationalization/Localization
>
> Anything you would like changed or mentioned?
>
> Thanks
>
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein(a)tremolosecurity.com
> 828-4902
>
> On Wed, Feb 24, 2016 at 11:22 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
>> Much more:
>> - IDP brokering (Keycloak can be a child IDP to a parent IDP)
>> - reset credentials
>> - registration (with or without recaptcha)
>> - required actions (verify email, update credentials, update profile)
>> - User session management
>>
>> Custom SPIs to create/augment:
>> - browser login flow
>> - reset credential flow
>> - registration
>> - REST validation
>> - service accounts
>>
>> With this SPI you can add custom authentication types, perform workflow
>> actions, etc...
>>
>> User self-help:
>> - Account management for logged in users.
>>
>> Internationalization/Localization:
>> - Basically all UIs (admin console, login,
>>
>> On 2/24/2016 8:20 AM, Marc Boorshtein wrote:
>>
>> All,
>>
>> I'm going to be presenting OpenUnison at an OpenShift briefing tomorrow
>> and have been asked to include a slide on how OpenUnison and Keycloak
>> relate to each other. Based on getting Keycloak running and looking at the
>> website and following the list I'm planning on breaking down KC's features
>> as such:
>>
>> Authentication
>> * OIDC
>> * SAML2
>> * Social
>> * TOTP
>> * IdP "Proxy" for both SAML2 and OIDC
>>
>> User Data Sources
>> * LDAP
>> * AD
>> * Custom
>>
>> Role Management
>> * Local database
>> * Mapped to external data source
>>
>> Application Integration
>> * SAML2
>> * OIDC/OAuth2
>> * Reverse Proxy with header injection
>>
>> UI Pages
>> * Themed
>>
>> I want to make sure this is accurate, so I'd appreciate any feedback
>> that you have.
>>
>> Thanks
>>
>> Marc Boorshtein
>> CTO Tremolo Security
>> marc.boorshtein(a)tremolosecurity.com
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>
>