We don't have a token exchange facility, but we have support for authenticating with external IdPs through what we call identity brokering. It supports SAMLv2 IdPs only though.

We do have SPIs that let you customize/extend Keycloak. For your use-case I could think of two options:

1. Add a custom authenticator for direct grant flow that allows authenticating by passing a SAML v1.1 token - see http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html for more info

2. Add a custom identity broker provider that allows users to login through an external SAMLv1.1 IdP

On 5 February 2016 at 10:52, Porfyrios Vasileiou <porfyrios.vasileiou@gmail.com> wrote:

Hello, I have a project that includes 2 client applications.

In ONLY ONE of the clients(web application in angular) users login via a 3rd party authorization server that also has a login procedure where the user logs in and it returns an saml v1.1 xml token and then they can access the client. (This procedure cannot be changed) But i want this client to also be secured with keycloak so i can have a token that i can pass to my rest services that are also secured with keycloak.

Can i convert this saml v1.1 token to oauth2 via keycloak?

Once we have logged in I want to login this user to keycloak programmatically and get an oauth2 token instead that can be used for the rest services requests in the Bearer authentication header. How can i do this?

I also want to say that the keycloak is setup to use the same active directory that the 3rd party authorization server is using to authenticate the users.

Is this possible?

Thanks, Porfyrios

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user