3:23 a.m.
Hi,
This question is slightly off-topic, I hope it's allowed to ask here.
We are using keycloak as an IdP, loving it. One of our sister institutes
is using another (openid connect / saml2 compatible) IdP.
Now a new project: Trying to achieve web SSO across both institutes, for
several web applications, mostly supporting only one single IdP.
We have made a PoC using keycloak's brokering function, and it worked
nicely. However, our sister institute prefers a SaaS solution.
I've done my googling, but terminology is confusingly different:
- onelogin ("trusted IdP")
- okta ("inbound federation")
- gluu ("inbound identity")
and obviously
- keycloak ("IdP brokering") (but not saas)
and I am not even sure that the above solution are really the same as
keycloak's IdP brokering, and that they would solve our SSO requirement.
(doing a PoC would be the next step)
So I am asking for recommendations from the guru's here. What are the
do's and don't for something like this? Perhaps suggestions what to look
for, what to avoid, what other products to take a look at, etc, etc.
Insights?
Thanks very much in advance, and again: apologies for being a bit
off-topic, hope not to offend anyone.
MJ
9:15 p.m.
Hello MJ,
Quick question: do you plan to decommission both your Keycloak and sister institute's
IdP, and migrate everything to a SaaS IdP? Or you want both your IdPs broker to SaaS? Or
is your sister institute going to migrate to SaaS IdP, and you have to broker to it from
your Keycloak?
All the options are viable and will do the job. As always, each has benefits and
drawbacks.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Tue, 2018-11-13 at 10:23 +0100, mj wrote:
Hi,
This question is slightly off-topic, I hope it's allowed to ask here.
We are using keycloak as an IdP, loving it. One of our sister institutes
is using another (openid connect / saml2 compatible) IdP.
Now a new project: Trying to achieve web SSO across both institutes, for
several web applications, mostly supporting only one single IdP.
We have made a PoC using keycloak's brokering function, and it worked
nicely. However, our sister institute prefers a SaaS solution.
I've done my googling, but terminology is confusingly different:
- onelogin ("trusted IdP")
- okta ("inbound federation")
- gluu ("inbound identity")
and obviously
- keycloak ("IdP brokering") (but not saas)
and I am not even sure that the above solution are really the same as
keycloak's IdP brokering, and that they would solve our SSO requirement.
(doing a PoC would be the next step)
So I am asking for recommendations from the guru's here. What are the
do's and don't for something like this? Perhaps suggestions what to look
for, what to avoid, what other products to take a look at, etc, etc.
Insights?
Thanks very much in advance, and again: apologies for being a bit
off-topic, hope not to offend anyone.
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:37 a.m.
Hi Dmitri,
Thanks for your follow-up.
The idea is to both keep our current IdP's, and use an 'umbrella'
brokering IdP for the applications that need to be shared between the
two institutes.
It's just the brokering IdP that has to be SaaS.
We also just discovered Ping Identity, making our shortlist:
- PingIdentity
- OneLogin
- okta
- gluu
Anyone here with arguments against / in favour of / experience with one
of these options?
MJ
On 14-11-2018 4:15, Dmitry Telegin wrote:
Quick question: do you plan to decommission both your Keycloak and
sister institute's IdP, and migrate everything to a SaaS IdP? Or you
want both your IdPs broker to SaaS? Or is your sister institute going
to migrate to SaaS IdP, and you have to broker to it from your
Keycloak?
12:15 p.m.
Hi, you're welcome,
On Wed, 2018-11-14 at 18:37 +0100, lists wrote:
Hi Dmitri,
Thanks for your follow-up.
The idea is to both keep our current IdP's, and use an 'umbrella'
brokering IdP for the applications that need to be shared between the
two institutes.
It's just the brokering IdP that has to be SaaS.
Thanks for the info, it's clear now.
We also just discovered Ping Identity, making our shortlist:
- PingIdentity
- OneLogin
- okta
- gluu
Anyone here with arguments against / in favour of / experience with one
of these options?
I used to work with PingIdentity (or rather on-premise PingFederate) and Okta, using SAML
in both cases, and the results were perfect. For Okta, I'd recommend an excellent
article by Michael Furman [1]. Michael uses SAML too; don't know if you're going
to use SAML or OpenID Connect, but in the latter case the process should be similar.
Please read this [2] on the protocol choice.
NB you can use whatever combination of protocols you like (OIDC at Keycloak + SAML at Saas
IdP or vice versa), but probably unless you're seriously considering IdP-initiated
login. In that case, things work more smoothly with pure SAML.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
[1] https://ultimatesecurity.pro/post/okta-saml/
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-conn...
MJ
On 14-11-2018 4:15, Dmitry Telegin wrote:
> Quick question: do you plan to decommission both your Keycloak and
> sister institute's IdP, and migrate everything to a SaaS IdP? Or you
> want both your IdPs broker to SaaS? Or is your sister institute going
> to migrate to SaaS IdP, and you have to broker to it from your
> Keycloak?
8:44 a.m.
Hi Dmitri,
Just to say thank you for your comments.
MJ
On 11/14/18 7:15 PM, Dmitry Telegin wrote:
I used to work with PingIdentity (or rather on-premise PingFederate)
and Okta, using SAML in both cases, and the results were perfect. For
Okta, I'd recommend an excellent article by Michael Furman [1].
Michael uses SAML too; don't know if you're going to use SAML or
OpenID Connect, but in the latter case the process should be similar.
Please read this [2] on the protocol choice.
NB you can use whatever combination of protocols you like (OIDC at
Keycloak + SAML at Saas IdP or vice versa), but probably unless
you're seriously considering IdP-initiated login. In that case,
things work more smoothly with pure SAML.
2242
days inactive
2248
days old
4 comments
3 participants
participants (3)
-
Dmitry Telegin -
lists -
mj