That's great Bill. Can't wait to try out the claims piece. I will send out a
separate email with my feedback.
From: Bill Burke <bburke(a)redhat.com>
To: Raghu Prabhala <prabhalar(a)yahoo.com>; "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Sent: Sunday, February 15, 2015 11:33 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
Working on claims right now. Should have something end of next week.
Can you think of anything that would make kerberos or any other feature
easier to configure or use? Your feedback would be a great help.
On 2/14/2015 5:03 PM, Raghu Prabhala wrote:
Bill - Just wanted to let you know the Identity Broker currently being
built meets my requirements. I have successfully tested out a complex
scenario (given below) involving both SPNEGO as well as SAML Service
Provider functionality:
1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.
2) KC on another host acting as SAML SP communicating with IDP (Point
1) and a client using OpenID Connect (Point 3)
3) A Client application communicating with KC (refer to Point 2) using
OpenID Connect
Any user accessing the client application will now be seamlessly
authenticated without entering a password. Now I am looking for the
"custom profiles" functionality which would help me move forward. Just
to reiterate my requirement - once the user is authenticated, I would
like to make an LDAP call (in some cases multiple calls to different
repositories) to retrieve all user information that should eventually be
populated in the SAML claims or OIDC id_token selectively.
A big thank you to you and the entire dev team for accommodating our
requests :-). Great Job!!!
Regards,
Raghu
------------------------------------------------------------------------
*From:* Raghu Prabhala <prabhalar(a)yahoo.com>
*To:* Bill Burke <bburke(a)redhat.com>; "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
*Sent:* Monday, February 9, 2015 8:13 AM
*Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released
I think that would satisfy my requirements - but not sure until I see
that bridge along with the Identity broker functionality in the next
beta release - eagerly waiting for it.
------------------------------------------------------------------------
*From:* Bill Burke <bburke(a)redhat.com>
*To:* keycloak-user(a)lists.jboss.org
*Sent:* Friday, February 6, 2015 10:21 AM
*Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released
Keycloak won't be a kerberos server any time soon, if ever. We are
creating a SAML/OIDC to kerberos bridge though.
On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
> Unfortunately yes. Kerberos is deeply ingrained in most of internal
> applications/processes. While we can ask any new applications to use
> certificates, we have to support Kerberos.
>
> If that is not something that you will support, probably identity
> brokering would help. I can write a Kerberos broker as long as it is
> given control (need http request) immediately by Keycloak, perhaps I
> can handle both authentication with key tabs (for system accts) as well
> as SPNEGO for users
>
> Sent from my iPhone
>
>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>
>>
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
>>> Sent: Friday, 30 January, 2015 2:44:14 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Great. Looking forward to the 1.2 Beta version.
>>> Regarding the system account support, from my perspective, it is very
>>> important because we have thousands of applications that interact with each
>>> other using system accounts (authentication with Kerberos with keytabs) and
>>> till we have that functionality, we will not be able to consider Keycloak as
>>> a SSO solution even though it is coming out to be a good product. The sooner
>>> we have it, the better. Hopefully, even other users will pitch in to request
>>> that functionality so that you can bump it up in your priority list.
>>> Thanks once again. Raghu
>>
>> For your use-case would it have to be Kerberos? Only options we've
>> been considering are certificates and jwt/jws.
>>
>>> From: Stian Thorgersen <stian(a)redhat.com>
>>> To: Raghu Prabhala <prabhalar(a)yahoo.com>
>>> Cc: keycloak dev <keycloak-dev(a)lists.jboss.org>; keycloak-user <keycloak-user(a)lists.jboss.org>
>>> Sent: Friday, January 30, 2015 2:10 AM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
>>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>>
>>>> Congrats Keycloak team. A great deal of features in this release - really
>>>> like SAML and clustering.
>>>>
>>>> But what I am really looking for is the next release as we need all the
>>>> features you listed - any tentative dates for the beta version?
>>>
>>> We might do a beta soon, but that'll only include identity brokering. The
>>> other features will be at least a month away.
>>>
>>>>
>>>> The functionality provided so far seems to be targeted toward users
>>>> accounts.
>>>> When can we expect support for System accounts (with diff auth mechanisms
>>>> like certificates, Kerberos etc.)?
>>>
>>> Some time this year we aim to have system accounts with certificates, it'll
>>> depend on priorities. We don't have any plans to support Kerberos
>>> authentication with system accounts, but maybe that makes sense to add as
>>> well.
>>>
>>>
>>>
>>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>>
>>>>> The Keycloak team is proud to announce the release of Keycloak
>>>>> 1.1.0.Final.
>>>>> Highlights in this release include:
>>>>>
>>>>> * SAML 2.0
>>>>> * Clustering
>>>>> * Jetty, Tomcat and Fuse adapters
>>>>> * HTTP Security Proxy
>>>>> * Automatic migration of db schema
>>>>>
>>>>> We've already started working on features for the next release. Some
>>>>> exciting features coming soon include:
>>>>>
>>>>> * Identity brokering
>>>>> * Custom user profiles
>>>>> * Kerberos
>>>>> * OpenID Connect interop
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com