Hi Francesco, sorry for the late response,
Well, it seems you've got quite a soup of different applications, and
bringing Keycloak in control of *all* of them may be quite challenging.
First, you'll need to understand what Keycloak is and what it is not.
Keycloak is an SSO (Single Sign-On) and IAM (Identity and Access
Management) solution intended for securing web applications (but not
limited to them).
This is done with the help of the OpenID Connect and SAML protocols. So the
first question you'll need to answer is: which applications already
support this, or could support it with minimal effort?
I think that Redmine and NextCloud fall into this category.
OIDC/SAML enabling is usually done by means of some
adapters/plugins/extensions, or whatever this might be called in the
target app's terms. So this should become number one on your list.
AD integration is completely different stuff. This is called user
federation, and its purpose is to combine several external user data
sources into a single, unified virtual one. AFAIK, there is no OOTB
mechanism to define which external AD the newly created user should go
to. But what we love about Keycloak is its ultimate extensibility, so
I wouldn't rule out the possibility of implementing this with the help
of an extension.
GSuite, in its turn, is completely standalone here. AFAIK it supports
only Google's authentication, and doesn't allow delegating it to 3rd-party
services (or does it?). One of the possible variants is using Okta, but it:
1) actually works as a password manager,
2) installs a browser plugin,
3) requires commercial subscription.
Hope this helps, and good luck with Keycloak!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
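To make the federation and OIDC points above concrete, here is a partial Keycloak realm export (an added example, not part of the thread or of any Keycloak project file) that wires one realm to two Active Directory servers in read-only mode and registers a single OIDC client. Every hostname, DN, group name, secret and client id in it is a constructed placeholder; only the JSON keys are real Keycloak realm-export keys. The `customUserSearchFilter` on each provider is what gives the "selective AD user sync" that Francesco asked about: only accounts in the named AD group are imported.

```json
{
  "realm": "nonprofit-sso",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": false,
  "clients": [
    {
      "clientId": "nextcloud",
      "description": "Placeholder OIDC client for a shared Nextcloud; hostname, callback path and secret are assumed",
      "enabled": true,
      "protocol": "openid-connect",
      "publicClient": false,
      "secret": "REPLACE-WITH-GENERATED-CLIENT-SECRET",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "redirectUris": ["https://cloud.example.org/oidc/callback"],
      "webOrigins": ["https://cloud.example.org"]
    }
  ],
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {
        "name": "ad-org1",
        "providerId": "ldap",
        "subComponents": {},
        "config": {
          "enabled": ["true"],
          "priority": ["0"],
          "vendor": ["ad"],
          "editMode": ["READ_ONLY"],
          "syncRegistrations": ["false"],
          "importEnabled": ["true"],
          "connectionUrl": ["ldaps://ad1.org1.example.org:636"],
          "useTruststoreSpi": ["ldapsOnly"],
          "authType": ["simple"],
          "bindDn": ["CN=keycloak-reader,OU=ServiceAccounts,DC=org1,DC=example,DC=org"],
          "bindCredential": ["REPLACE-WITH-READ-ONLY-SERVICE-ACCOUNT-PASSWORD"],
          "usersDn": ["OU=People,DC=org1,DC=example,DC=org"],
          "usernameLDAPAttribute": ["sAMAccountName"],
          "rdnLDAPAttribute": ["cn"],
          "uuidLDAPAttribute": ["objectGUID"],
          "userObjectClasses": ["person, organizationalPerson, user"],
          "customUserSearchFilter": ["(memberOf=CN=sso-users,OU=Groups,DC=org1,DC=example,DC=org)"],
          "searchScope": ["2"],
          "pagination": ["true"],
          "batchSizeForSync": ["500"],
          "fullSyncPeriod": ["86400"],
          "changedSyncPeriod": ["900"]
        }
      },
      {
        "name": "ad-org2",
        "providerId": "ldap",
        "subComponents": {},
        "config": {
          "enabled": ["true"],
          "priority": ["1"],
          "vendor": ["ad"],
          "editMode": ["READ_ONLY"],
          "syncRegistrations": ["false"],
          "importEnabled": ["true"],
          "connectionUrl": ["ldaps://ad1.org2.example.org:636"],
          "useTruststoreSpi": ["ldapsOnly"],
          "authType": ["simple"],
          "bindDn": ["CN=keycloak-reader,OU=ServiceAccounts,DC=org2,DC=example,DC=org"],
          "bindCredential": ["REPLACE-WITH-READ-ONLY-SERVICE-ACCOUNT-PASSWORD"],
          "usersDn": ["OU=People,DC=org2,DC=example,DC=org"],
          "usernameLDAPAttribute": ["sAMAccountName"],
          "rdnLDAPAttribute": ["cn"],
          "uuidLDAPAttribute": ["objectGUID"],
          "userObjectClasses": ["person, organizationalPerson, user"],
          "customUserSearchFilter": ["(memberOf=CN=sso-users,OU=Groups,DC=org2,DC=example,DC=org)"],
          "searchScope": ["2"],
          "pagination": ["true"],
          "batchSizeForSync": ["500"],
          "fullSyncPeriod": ["86400"],
          "changedSyncPeriod": ["900"]
        }
      }
    ]
  }
}
```

The file is loaded through the admin console's realm import (or the server's export/import mechanism). The settings that matter from a security standpoint: `editMode` READ_ONLY together with `syncRegistrations` false means Keycloak never writes to either AD, so a user created in Keycloak stays a local Keycloak user, which is exactly the situation the reply describes (there is no built-in rule for picking which AD a new user should be pushed to); each bind account needs only read rights on its `usersDn`; `ldaps://` plus `useTruststoreSpi` keeps the directory traffic encrypted and the server certificate validated against Keycloak's own trust store; and `customUserSearchFilter` limits the import to members of one AD group per organization. Federated users are looked up through the providers in `priority` order, so a `sAMAccountName` that exists in both directories will resolve to the first provider and the second copy will not import, which is worth checking before turning on periodic sync.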
On Tue, 2018-07-24 at 14:15 +0200, jlord87(a)gmail.com wrote:
Hello guys,
I'm really new to Keycloak and I need your help to understand if this
is what I'm really looking for.
I am the IT administrator in a non-profit environment, managing servers
and services for several non-profit organizations.
What I'm trying to achieve is the centralization of the authentication
and authorization process: every user should just have one password and
one "username".
The difficult part is that the environment I work in is really "fluid":
there are a lot of people working or volunteering in one or more
different organizations. Every organization has its own Active Directory
server (to manage desktop authentication and some CIFS shares), its own
GSuite (for emails) and at the same time, there are services shared by
all (or some) of these organizations (like a Redmine ticketing system,
Nextcloud file server and so on).
What I'm dreaming of is to manage everything from a single software (I
tried Gluu but it had some annual fees we cannot afford to pay): I
would like to create a user (something like name.surname) and add to
this user "permissions", something like "user1 should be able to access
gsuite 1, gsuite2, nextcloud and active directory 1".
I've uploaded a scheme in this pdf:
https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
Do you think Keycloak is capable of this? I played around a bit, read a
lot of documentation, and what I wasn't able to achieve was a selective
Active Directory user sync...
Maybe my error was trying to do everything in the same realm, what do
you think about it?
Thank you for any hint
Francesco
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user