6:39 p.m.
Hi,
I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to
an app1 that auths against realm1, then user 1 tries to use app2 which auths against
realm2 which should work fine as user 1 logged into realm1 before and it should SSO into
app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
1:25 a.m.
It's possible to achieve something like this with identity provider. You
can create identityProvider in realm2, which will authenticate against
realm1. In that case, there will be button in login screen of realm2
like "Login with realm1" and when user clicks on this, he will be
logged-in automatically. There is also possibility to use switch
"Authenticate by default" in identity provider and then login screen of
realm2 won't be shown, but instead it will always automatically redirect
to realm1 login screen.
The thing is, that you will end with duplicated user accounts (Account
of user "john" will be in both realm1 and realm2). AFAIK we plan to
improve this in the future to have this use-case more "friendly" as more
people ask about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
Hi,
I want to know whether it is possible to have SSO amongst two realms.
Ie User 1 logins to an app1 that auths against realm1, then user 1
tries to use app2 which auths against realm2 which should work fine as
user 1 logged into realm1 before and it should SSO into app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:25 a.m.
It's possible to achieve something like this with identity provider. You
can create identityProvider in realm2, which will authenticate against
realm1. In that case, there will be button in login screen of realm2
like "Login with realm1" and when user clicks on this, he will be
logged-in automatically. There is also possibility to use switch
"Authenticate by default" in identity provider and then login screen of
realm2 won't be shown, but instead it will always automatically redirect
to realm1 login screen.
The thing is, that you will end with duplicated user accounts (Account
of user "john" will be in both realm1 and realm2). AFAIK we plan to
improve this in the future to have this use-case more "friendly" as more
people ask about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
Hi,
I want to know whether it is possible to have SSO amongst two realms.
Ie User 1 logins to an app1 that auths against realm1, then user 1
tries to use app2 which auths against realm2 which should work fine as
user 1 logged into realm1 before and it should SSO into app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:59 p.m.
Could you possibly support “Authenticate by default” with a “fallback to the local realm”?
It would be nice to have certain users attached to a particular realm realm1 but have
Keycloak internally attempt to authenticate first against another realm so you can get the
effect of a union of the users across the two realms. The user experience with the
federation buttons as an alternative makes this configuration complexity exposed to the
user and I’d prefer to not have to do that.
-Jason
From:
<keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
on behalf of Marek Posolda <mposolda@redhat.com<mailto:mposolda@redhat.com>>
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya <akaya@expedia.com<mailto:akaya@expedia.com>>,
"keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms
It's possible to achieve something like this with identity provider. You can create
identityProvider in realm2, which will authenticate against realm1. In that case, there
will be button in login screen of realm2 like "Login with realm1" and when user
clicks on this, he will be logged-in automatically. There is also possibility to use
switch "Authenticate by default" in identity provider and then login screen of
realm2 won't be shown, but instead it will always automatically redirect to realm1
login screen.
The thing is, that you will end with duplicated user accounts (Account of user
"john" will be in both realm1 and realm2). AFAIK we plan to improve this in the
future to have this use-case more "friendly" as more people ask about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
Hi,
I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to
an app1 that auths against realm1, then user 1 tries to use app2 which auths against
realm2 which should work fine as user 1 logged into realm1 before and it should SSO into
app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>https://lists.jboss.org/mailman/listinfo/keycloak-user
12:05 a.m.
Can you elaborate on how you imagine "fallback to the local realm" would
work?
On 7 April 2016 at 21:59, Jason Axley <jaxley(a)expedia.com> wrote:
Could you possibly support “Authenticate by default” with a “fallback
to
the local realm”? It would be nice to have certain users attached to a
particular realm realm1 but have Keycloak internally attempt to
authenticate first against another realm so you can get the effect of a
union of the users across the two realms. The user experience with the
federation buttons as an alternative makes this configuration complexity
exposed to the user and I’d prefer to not have to do that.
-Jason
From: <keycloak-user-bounces(a)lists.jboss.org> on behalf of Marek Posolda <
mposolda(a)redhat.com>
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya <akaya(a)expedia.com>, "keycloak-user(a)lists.jboss.org" <
keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] SSO amongst two realms
It's possible to achieve something like this with identity provider. You
can create identityProvider in realm2, which will authenticate against
realm1. In that case, there will be button in login screen of realm2 like
"Login with realm1" and when user clicks on this, he will be logged-in
automatically. There is also possibility to use switch "Authenticate by
default" in identity provider and then login screen of realm2 won't be
shown, but instead it will always automatically redirect to realm1 login
screen.
The thing is, that you will end with duplicated user accounts (Account of
user "john" will be in both realm1 and realm2). AFAIK we plan to improve
this in the future to have this use-case more "friendly" as more people ask
about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
Hi,
I want to know whether it is possible to have SSO amongst two realms. Ie
User 1 logins to an app1 that auths against realm1, then user 1 tries to
use app2 which auths against realm2 which should work fine as user 1 logged
into realm1 before and it should SSO into app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:47 a.m.
Assume these are the users in each realm:
realm1 : [ “jaxley”, “nancy” ]
realm2 : [ “LDAP:foouser@example.org”, “SAML:baruser@example.org" ]
If realm1 configuration == "Authenticate against realm2 with fallback to local realm
(realm1)”
AND A User tries to log in, then authenticate the user against realm2 first (internally);
if the user is not found or fails, try against the local realm realm1. If that succeeds,
that is the user and they are now authenticated.
Thus, if foouser(a)example.org tried to log into realm1, they would be tried in realm2 first
(their home realm).
But if “jaxley” tried to log into realm1, an attempt would be made against realm2 and fail
(no “jaxley” there), then an attempt against realm1 would be made. If that succeeds, that
is the user and they are now authenticated.
What I want to be able to do is to maintain a set of users inside a Keycloak realm, but I
want to still be able to create multiple additional realms to represent different
configurations (e.g. Internal-facing vs. external-facing). The challenge is how when
applications use those additional realms to authenticate can we seamlessly allow
authentication in our preferred order of searching. I’d hate to have the official answer
to be to use the APIs to write a login UI ourselves…
This kind of “preferred order of authentication sources” capability as a declarative
configuration option is a feature of many commercial IdM and authentication tools. The
conflict between users with the same login ID across realms is either resolved by fully
qualifying the user IDs or using the search order to make some sources weighted higher in
the search path so those win.
-Jason
From: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>>
Reply-To: "stian@redhat.com<mailto:stian@redhat.com>"
<stian@redhat.com<mailto:stian@redhat.com>>
Date: Thursday, April 7, 2016 at 10:05 PM
To: Jason Axley <jaxley@expedia.com<mailto:jaxley@expedia.com>>
Cc: Marek Posolda <mposolda@redhat.com<mailto:mposolda@redhat.com>>, Sarp Kaya
<akaya@expedia.com<mailto:akaya@expedia.com>>,
"keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms
Can you elaborate on how you imagine "fallback to the local realm" would work?
On 7 April 2016 at 21:59, Jason Axley
<jaxley@expedia.com<mailto:jaxley@expedia.com>> wrote:
Could you possibly support “Authenticate by default” with a “fallback to the local realm”?
It would be nice to have certain users attached to a particular realm realm1 but have
Keycloak internally attempt to authenticate first against another realm so you can get the
effect of a union of the users across the two realms. The user experience with the
federation buttons as an alternative makes this configuration complexity exposed to the
user and I’d prefer to not have to do that.
-Jason
From:
<keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
on behalf of Marek Posolda <mposolda@redhat.com<mailto:mposolda@redhat.com>>
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya <akaya@expedia.com<mailto:akaya@expedia.com>>,
"keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms
It's possible to achieve something like this with identity provider. You can create
identityProvider in realm2, which will authenticate against realm1. In that case, there
will be button in login screen of realm2 like "Login with realm1" and when user
clicks on this, he will be logged-in automatically. There is also possibility to use
switch "Authenticate by default" in identity provider and then login screen of
realm2 won't be shown, but instead it will always automatically redirect to realm1
login screen.
The thing is, that you will end with duplicated user accounts (Account of user
"john" will be in both realm1 and realm2). AFAIK we plan to improve this in the
future to have this use-case more "friendly" as more people ask about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
Hi,
I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to
an app1 that auths against realm1, then user 1 tries to use app2 which auths against
realm2 which should work fine as user 1 logged into realm1 before and it should SSO into
app2 fine.
If this is possible then what would be the setup like?
Kind Regards,
Sarp
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:58 a.m.
Right now you can federate user storage from one or more sources
(including keycloak storage). But, it has zero sophistication for
ordering other than whichever one is listed first. And there is no SPI
to plug into to do this. We hope to get back to feature development
soon, but we're currently busy polishing up our current codebase.
On 4/8/2016 11:47 AM, Jason Axley wrote:
Assume these are the users in each realm:
realm1 : [ “jaxley”, “nancy” ]
realm2 : [ “LDAP:foouser@example.org”, “SAML:baruser@example.org" ]
If realm1 configuration == "Authenticate against realm2 with fallback
to local realm (realm1)”
AND A User tries to log in, then authenticate the user against realm2
first (internally); if the user is not found or fails, try against the
local realm realm1. If that succeeds, that is the user and they are
now authenticated.
Thus, if foouser(a)example.org tried to log into realm1, they would be
tried in realm2 first (their home realm).
But if “jaxley” tried to log into realm1, an attempt would be made
against realm2 and fail (no “jaxley” there), then an attempt against
realm1 would be made. If that succeeds, that is the user and they are
now authenticated.
What I want to be able to do is to maintain a set of users inside a
Keycloak realm, but I want to still be able to create multiple
additional realms to represent different configurations (e.g.
Internal-facing vs. external-facing). The challenge is how when
applications use those additional realms to authenticate can we
seamlessly allow authentication in our preferred order of searching.
I’d hate to have the official answer to be to use the APIs to write a
login UI ourselves…
This kind of “preferred order of authentication sources” capability as
a declarative configuration option is a feature of many commercial IdM
and authentication tools. The conflict between users with the same
login ID across realms is either resolved by fully qualifying the user
IDs or using the search order to make some sources weighted higher in
the search path so those win.
-Jason
From: Stian Thorgersen <sthorger(a)redhat.com <mailto:sthorger@redhat.com>>
Reply-To: "stian(a)redhat.com <mailto:stian@redhat.com>"
<stian(a)redhat.com <mailto:stian@redhat.com>>
Date: Thursday, April 7, 2016 at 10:05 PM
To: Jason Axley <jaxley(a)expedia.com <mailto:jaxley@expedia.com>>
Cc: Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>>,
Sarp Kaya <akaya(a)expedia.com <mailto:akaya@expedia.com>>,
"keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>"
<keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms
Can you elaborate on how you imagine "fallback to the local realm"
would work?
On 7 April 2016 at 21:59, Jason Axley <jaxley(a)expedia.com
<mailto:jaxley@expedia.com>> wrote:
Could you possibly support “Authenticate by default” with a
“fallback to the local realm”? It would be nice to have certain
users attached to a particular realm realm1 but have Keycloak
internally attempt to authenticate first against another realm so
you can get the effect of a union of the users across the two
realms. The user experience with the federation buttons as an
alternative makes this configuration complexity exposed to the
user and I’d prefer to not have to do that.
-Jason
From: <keycloak-user-bounces(a)lists.jboss.org
<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Marek
Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>>
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya <akaya(a)expedia.com <mailto:akaya@expedia.com>>,
"keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] SSO amongst two realms
It's possible to achieve something like this with identity
provider. You can create identityProvider in realm2, which will
authenticate against realm1. In that case, there will be button in
login screen of realm2 like "Login with realm1" and when user
clicks on this, he will be logged-in automatically. There is also
possibility to use switch "Authenticate by default" in identity
provider and then login screen of realm2 won't be shown, but
instead it will always automatically redirect to realm1 login screen.
The thing is, that you will end with duplicated user accounts
(Account of user "john" will be in both realm1 and realm2). AFAIK
we plan to improve this in the future to have this use-case more
"friendly" as more people ask about that.
Marek
On 25/02/16 01:39, Sarp Kaya wrote:
> Hi,
>
> I want to know whether it is possible to have SSO amongst two
> realms. Ie User 1 logins to an app1 that auths against realm1,
> then user 1 tries to use app2 which auths against realm2 which
> should work fine as user 1 logged into realm1 before and it
> should SSO into app2 fine.
>
> If this is possible then what would be the setup like?
>
> Kind Regards,
> Sarp
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
<mailto:keycloak-user@lists.jboss.org>https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3251
days inactive
3294
days old
6 comments
5 participants
participants (5)
-
Bill Burke -
Jason Axley -
Marek Posolda -
Sarp Kaya -
Stian Thorgersen