Re: [keycloak-user] authentication provider and login override questions

Hi, I can see KeyCloak allows to define authentications based on SAML protocol. My requirements are: a set of application/client secured by a KeyCloak server role/group defined in Keycloak user/pass synchro from ActiveDirectory (optional - surely some mapping to retrieve some information) We need keycloak and like it: for the user management and authentication solution it provides to an application, in a simple way. 1) When an SSO is already in place. As the apps we provide sometime, but not always is being integrated in a customer env. that already using an SSO solution, I would like to know if my understanding is right: does the authentication module in keycloak where you can define an SAML providers will delegate the SSO/login part to an external solution that will handle for him the authentication? Possible SSO is: "Ping", it says they are SAML compatible, does it means I only need the SSO URL and logout URL to try it?

2) Since keycloak provides for SSO the login pages. How do you integrate it with an application (angular/J2ee) that already have its own? Without removing it.

Do you keep on basic J2EE setup so any client url would be secure, then once authorized, the apps will continue to bring up its own login page? Does it mean the app should have a filter to implies some auto-connect so client side does not try to bring the login and instead consider the user connected? or does it mean using keycloak.js and follow some angular example where upon loading we first make everything from the JS side and make no change on the Java Apps?

3) I tried to override the login flow, to make my own authenticator. I could see multiple way to do it. My requirement is to have a supplementary field on the login page, because I need to authenticate and validate my username/pass/repo to a REST API that must be access in a secured way all the time, prior to give access to my clients/realm. In order to make this, I ended up providing my own template (ftl) but then I could no longer use the login.username in it since the createResponse (normal cases) is the only one to take the formDatas and load in attributes the LoginBean with it. I was using my-page.ftl so could not use the createLogin, instead I was using createForm So even when I set the attribute with "login" key based on the loginBean, login.username was triggering an error. forms.setAttribute("login", new LoginBean(formData)); So Whatever, I simply used "username" directly and it worked, but I don't know to which extend nor why. I have some missing on freemarker api and how you compiling it with POJO beans in a Map.

3bis) For my suppl. field, I need a dropdown box and freemarker would need a collection to loop over. I though I would have to pass a list of POJO (to create a dropbox) to the "attributes" that is being used to compile my template. In my template, I used "#list", but I could not get it to recognize my bean nor loop on it. It always consider it as not present. Here a sample of my authenticator that produce the new login form: