1:51 p.m.
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak.
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
3:38 a.m.
Not sure of your appetite for customization but you can create a copy of the first login
flow and remove or replace the execution steps you don't want.
As far as how you'll create or link the account if none of the existing executions
work, worst case you'd have to write your own.
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Peter K. Boucher <pkboucher801(a)gmail.com>
Sent: Wednesday, August 23, 2017 2:51:48 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Skip Broker First-Time Flow?
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak.
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:30 a.m.
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense - as
long as this authenticator won't be in the flow by default and admin
would need to edit the first-broker-login flow on his own risk. Feel
free to create JIRA (maybe it already exists, so you can add comment
like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
Not sure of your appetite for customization but you can create a copy
of the first login flow and remove or replace the execution steps you don't want.
As far as how you'll create or link the account if none of the existing executions
work, worst case you'd have to write your own.
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Peter K. Boucher <pkboucher801(a)gmail.com>
Sent: Wednesday, August 23, 2017 2:51:48 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Skip Broker First-Time Flow?
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak.
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:08 a.m.
Not asking you to review/endorse this code, but does the approach seem reasonable?
https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer(a)outlook.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense - as
long as this authenticator won't be in the flow by default and admin
would need to edit the first-broker-login flow on his own risk. Feel
free to create JIRA (maybe it already exists, so you can add comment
like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
Not sure of your appetite for customization but you can create a copy
of the first login flow and remove or replace the execution steps you don't want.
As far as how you'll create or link the account if none of the existing executions
work, worst case you'd have to write your own.
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Peter K. Boucher <pkboucher801(a)gmail.com>
Sent: Wednesday, August 23, 2017 2:51:48 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Skip Broker First-Time Flow?
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak.
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:29 a.m.
Yes.
Marek
On 25/08/17 15:08, Peter K. Boucher wrote:
Not asking you to review/endorse this code, but does the approach
seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer(a)outlook.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense - as
long as this authenticator won't be in the flow by default and admin
would need to edit the first-broker-login flow on his own risk. Feel
free to create JIRA (maybe it already exists, so you can add comment
like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
> Not sure of your appetite for customization but you can create a copy of the first
login flow and remove or replace the execution steps you don't want.
>
> As far as how you'll create or link the account if none of the existing
executions work, worst case you'd have to write your own.
>
> ________________________________
> From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> on behalf of Peter K. Boucher
<pkboucher801(a)gmail.com>
> Sent: Wednesday, August 23, 2017 2:51:48 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Skip Broker First-Time Flow?
>
> We have a need to pre-provision user accounts that are to be accessed with
> SAML from an outside IdP. These accounts are only ever to be used via SAML
> from this external IdP (i.e., we never want them to have to use a password
> to verify anything to Keycloak.
>
>
>
> Is there any way for the account-linking the first time the user comes in
> with SAML to happen automatically and silently?
>
>
>
> We understand that in some circumstances it would be a security hole to
> allow someone to connect via a brokered IdP to an existing account that has
> already been used, but these accounts are being created specifically to be
> accessed by this particular broker.
>
>
>
> Any help?
>
>
>
> Thanks!
>
>
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
11:26 p.m.
Check out. https://github.com/ohioit/keycloak-link-idp-with-user
We use it to silently link users coming from another corporate IDP with our federated LDAP
accounts.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: Friday, 25 August 2017 10:59 PM
To: Peter K. Boucher <pkboucher801(a)gmail.com>; 'Phillip Fleischer'
<pcfleischer(a)outlook.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
Yes.
Marek
On 25/08/17 15:08, Peter K. Boucher wrote:
Not asking you to review/endorse this code, but does the approach
seem
reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer(a)outlook.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense -
as long as this authenticator won't be in the flow by default and
admin would need to edit the first-broker-login flow on his own risk.
Feel free to create JIRA (maybe it already exists, so you can add
comment like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
> Not sure of your appetite for customization but you can create a copy of the first
login flow and remove or replace the execution steps you don't want.
>
> As far as how you'll create or link the account if none of the existing
executions work, worst case you'd have to write your own.
>
> ________________________________
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> on behalf of Peter K. Boucher
> <pkboucher801(a)gmail.com>
> Sent: Wednesday, August 23, 2017 2:51:48 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Skip Broker First-Time Flow?
>
> We have a need to pre-provision user accounts that are to be accessed
> with SAML from an outside IdP. These accounts are only ever to be
> used via SAML from this external IdP (i.e., we never want them to
> have to use a password to verify anything to Keycloak.
>
>
>
> Is there any way for the account-linking the first time the user
> comes in with SAML to happen automatically and silently?
>
>
>
> We understand that in some circumstances it would be a security hole
> to allow someone to connect via a brokered IdP to an existing account
> that has already been used, but these accounts are being created
> specifically to be accessed by this particular broker.
>
>
>
> Any help?
>
>
>
> Thanks!
>
>
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:43 a.m.
I also voted for https://issues.jboss.org/browse/KEYCLOAK-4240?_sscc=t
-----Original Message-----
From: Adam Keily [mailto:adam.keily@adelaide.edu.au]
Sent: Wednesday, August 30, 2017 12:27 AM
To: Marek Posolda <mposolda(a)redhat.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; 'Phillip Fleischer'
<pcfleischer(a)outlook.com>;
keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Skip Broker First-Time Flow?
Check out. https://github.com/ohioit/keycloak-link-idp-with-user
We use it to silently link users coming from another corporate IDP with our
federated LDAP accounts.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Friday, 25 August 2017 10:59 PM
To: Peter K. Boucher <pkboucher801(a)gmail.com>; 'Phillip Fleischer'
<pcfleischer(a)outlook.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
Yes.
Marek
On 25/08/17 15:08, Peter K. Boucher wrote:
Not asking you to review/endorse this code, but does the approach
seem
reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer(a)outlook.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense -
as long as this authenticator won't be in the flow by default and
admin would need to edit the first-broker-login flow on his own risk.
Feel free to create JIRA (maybe it already exists, so you can add
comment like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
> Not sure of your appetite for customization but you can create a copy of
the
first login flow and remove or replace the execution steps you don't
want.
>
> As far as how you'll create or link the account if none of the existing
executions work, worst case you'd have to write your own.
>
> ________________________________
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> on behalf of Peter K. Boucher
> <pkboucher801(a)gmail.com>
> Sent: Wednesday, August 23, 2017 2:51:48 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Skip Broker First-Time Flow?
>
> We have a need to pre-provision user accounts that are to be accessed
> with SAML from an outside IdP. These accounts are only ever to be
> used via SAML from this external IdP (i.e., we never want them to
> have to use a password to verify anything to Keycloak.
>
>
>
> Is there any way for the account-linking the first time the user
> comes in with SAML to happen automatically and silently?
>
>
>
> We understand that in some circumstances it would be a security hole
> to allow someone to connect via a brokered IdP to an existing account
> that has already been used, but these accounts are being created
> specifically to be accessed by this particular broker.
>
>
>
> Any help?
>
>
>
> Thanks!
>
>
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:30 p.m.
Has anyone made https://github.com/ohioit/keycloak-link-idp-with-user work
with Keycloak 3.1.0.Final? It seems to have been designed for 1.9.0.Final
-----Original Message-----
From: Adam Keily [mailto:adam.keily@adelaide.edu.au]
Sent: Wednesday, August 30, 2017 12:27 AM
To: Marek Posolda <mposolda(a)redhat.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; 'Phillip Fleischer'
<pcfleischer(a)outlook.com>;
keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Skip Broker First-Time Flow?
Check out. https://github.com/ohioit/keycloak-link-idp-with-user
We use it to silently link users coming from another corporate IDP with our
federated LDAP accounts.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Friday, 25 August 2017 10:59 PM
To: Peter K. Boucher <pkboucher801(a)gmail.com>; 'Phillip Fleischer'
<pcfleischer(a)outlook.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
Yes.
Marek
On 25/08/17 15:08, Peter K. Boucher wrote:
Not asking you to review/endorse this code, but does the approach
seem
reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer(a)outlook.com>; Peter K. Boucher
<pkboucher801(a)gmail.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense -
as long as this authenticator won't be in the flow by default and
admin would need to edit the first-broker-login flow on his own risk.
Feel free to create JIRA (maybe it already exists, so you can add
comment like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
> Not sure of your appetite for customization but you can create a copy of
the
first login flow and remove or replace the execution steps you don't
want.
>
> As far as how you'll create or link the account if none of the existing
executions work, worst case you'd have to write your own.
>
> ________________________________
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> on behalf of Peter K. Boucher
> <pkboucher801(a)gmail.com>
> Sent: Wednesday, August 23, 2017 2:51:48 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Skip Broker First-Time Flow?
>
> We have a need to pre-provision user accounts that are to be accessed
> with SAML from an outside IdP. These accounts are only ever to be
> used via SAML from this external IdP (i.e., we never want them to
> have to use a password to verify anything to Keycloak.
>
>
>
> Is there any way for the account-linking the first time the user
> comes in with SAML to happen automatically and silently?
>
>
>
> We understand that in some circumstances it would be a security hole
> to allow someone to connect via a brokered IdP to an existing account
> that has already been used, but these accounts are being created
> specifically to be accessed by this particular broker.
>
>
>
> Any help?
>
>
>
> Thanks!
>
>
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2431
days inactive
2453
days old
7 comments
4 participants
participants (4)
-
Adam Keily -
Marek Posolda -
Peter K. Boucher -
Phillip Fleischer