Thank you, Dmitry, for your reply.
> I think that Redmine and NextCloud fall into this
> category. OIDC/SAML enabling is usually done by the means of
> some adapters/plugins/extensions, or whatever this might be called
> in the target app's terms. So this should become number one on your
> list.
I do agree, I've already made some tests, it should be quite easy.
> AD integration is completely different stuff. This is called
> user federation, and its purpose is to combine several external user
> datasources into a single, unified virtual one. AFAIK, there is no
> OOTB mechanism to define which external AD the newly created user
> should go to.
Too bad, I would have probably needed the opposite, some kind of "user
propagation". Would it make any sense to create a realm for each AD and
configure as Identity Provider another "master" realm - acting as
centralized user repository - in which I would create a client template
for every AD?
> But what we love about Keycloak is its ultimate extensibility, so I
> wouldn't rule out the possibility of implementing this with the
> help of an extension.
Well, I'll be here waiting for this to happen :)
> GSuite, in its turn, is completely standalone here. AFAIK it
> supports only Google's authentication, and doesn't allow to delegate
> it to 3rd-party services (or does it?)
GSuite should be able to act as a SAML Identity Provider or as a Service
Provider (https://support.google.com/a/answer/60224?hl=en). It would
probably be "easy" to also connect this piece of the puzzle.
Thank you again!
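The realm-per-AD layout sketched above, as an added Python example (not from this thread or from Keycloak itself): it builds the Admin REST API payloads for one LDAP user-federation component per organisation realm and one `keycloak-oidc` identity provider per organisation in a central brokering realm, so the two concepts Dmitry separates (federation vs. brokering) are visible side by side. Host names, DNs, the `central` realm and the `central-broker` client are assumptions.

```python
"""Added sketch of the layout proposed in the thread: one Keycloak realm per
organisation, each federating that organisation's AD, plus a central realm that
brokers logins to those realms over OIDC. Dicts follow the Admin REST API
payload shapes; hosts, DNs and realm names are constructed placeholders."""
KEYCLOAK_BASE = "https://sso.example.org/auth"  # constructed placeholder
CENTRAL_REALM = "central"

def ad_federation_component(org, ldap_url, base_dn, bind_dn):
    """User-federation component for the realm named after `org`. WRITABLE plus
    syncRegistrations writes users created in this realm to this realm's AD, so
    the realm boundary decides which AD a new user lands in."""
    return {
        "name": f"ad-{org}",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {  # component config values are lists of strings
            "vendor": ["ad"],
            "connectionUrl": [ldap_url],
            "usersDn": [f"CN=Users,{base_dn}"],
            "bindDn": [bind_dn],
            "bindCredential": ["<AD-bind-password-placeholder>"],
            "editMode": ["WRITABLE"],
            "syncRegistrations": ["true"],
            "usernameLDAPAttribute": ["sAMAccountName"],
            "rdnLDAPAttribute": ["cn"],
            "uuidLDAPAttribute": ["objectGUID"],
            "userObjectClasses": ["person, organizationalPerson, user"],
        },
    }

def org_realm_broker(org):
    """Identity-provider entry for CENTRAL_REALM: login is delegated to the org
    realm, which authenticates the user against its own AD."""
    issuer = f"{KEYCLOAK_BASE}/realms/{org}"
    return {
        "alias": org,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "config": {"clientId": f"{CENTRAL_REALM}-broker",
                   "clientSecret": "<client-secret-placeholder>",
                   "authorizationUrl": f"{issuer}/protocol/openid-connect/auth",
                   "tokenUrl": f"{issuer}/protocol/openid-connect/token",
                   "defaultScope": "openid profile email"},
    }

def build_layout(orgs):
    """orgs: {org: (ldap_url, base_dn, bind_dn)} -> payloads keyed by realm."""
    layout = {o: {"components": [ad_federation_component(o, *ad)]} for o, ad in orgs.items()}
    layout[CENTRAL_REALM] = {"identityProviders": [org_realm_broker(o) for o in orgs]}
    return layout
```

Each org realm gets exactly one writable AD, which is what routes newly created users to the right directory; the central realm only links accounts, it never writes to an AD itself.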
On Tue, 2018-08-07 at 16:08 +0300, Dmitry Telegin wrote:
Hi Francesco, sorry for the late response,
Well, seems you've got quite a soup of different applications,
and bringing Keycloak in control of *all* of them may be quite
challenging.
First, you'll need to understand what Keycloak is and what it is
not. Keycloak is an SSO (Single Sign-On) and IAM (Identity and
Access Management) solution intended for securing web applications
(but not limited to them).
This is done with the help of OpenID Connect and SAML protocols. So
the first question you'll need to answer is: which applications
already support this, or could support with minimal efforts?
I think that Redmine and NextCloud fall into this category. OIDC/SAML
enabling is usually done by the means of
some adapters/plugins/extensions, or whatever this might be called in
the target app's terms. So this should become number one on your
list.
AD integration is completely different stuff. This is called
user federation, and its purpose is to combine several external user
datasources into a single, unified virtual one. AFAIK, there is no
OOTB mechanism to define which external AD the newly created user
should go to. But what we love about Keycloak is its ultimate
extensibility, so I wouldn't rule out the possibility of implementing
this with the help of an extension.
GSuite, in its turn, is completely standalone here. AFAIK it
supports only Google's authentication, and doesn't allow to delegate
it to 3rd-party services (or does it?) One of the possible variants is
using Okta, but it:
1) actually works as a password manager,
2) installs a browser plugin,
3) requires a commercial subscription.
Hope this helps, and good luck with Keycloak!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Tue, 2018-07-24 at 14:15 +0200, jlord87(a)gmail.com wrote:
Hello guys,
I'm really new to Keycloak and I need your help to understand if
this is what I'm really looking for; I am the IT administrator in a
non-profit environment, managing servers and services for several
non-profit organizations.
What I'm trying to achieve is the centralization of the
authentication and authorization process: every user should just have
one password and one "username". The difficult part is that the
environment I work in is really "fluid": there are a lot of people
working or volunteering in one or more different organizations. Every
organization has its own Active Directory server (to manage desktop
authentication and some CIFS shares), its own GSuite (for emails) and
at the same time, there are services shared by all (or some) of these
organizations (like a Redmine ticketing system, Nextcloud file server
and so on).
What I'm dreaming of is to manage everything from a single software
(I tried Gluu but it had some annual fees we cannot afford to pay):
I would like to create a user (something like name.surname) and add
to this user "permissions", something like "user1 should be able to
access gsuite 1, gsuite2, nextcloud and active directory 1". I've
uploaded a scheme in this pdf:
https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
Do you think Keycloak is capable of this? I played around a bit, read
a lot of documentation and what I wasn't able to achieve was a
selective Active Directory user sync... Maybe my error was trying to do
everything in the same realm, what do you think about it?
Thank you for any hint
Francesco
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user