11:08 p.m.
Good day,
With the upcoming Keycloak 1.10, I see SAML support has been added to
KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
default for our JBoss deployments, but in certain cases, customers are
asking for integration with the MS Azure cloud authentication mechanisms.
Thanks in advance,
Guy
12:21 a.m.
----- Original Message -----
From: "Guy Davis" <guydavis.ca(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 21 January, 2015 6:08:50 AM
Subject: [keycloak-user] Delegated SAML authentication?
Good day,
With the upcoming Keycloak 1.10, I see SAML support has been added to
KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default
for our JBoss deployments, but in certain cases, customers are asking for
integration with the MS Azure cloud authentication mechanisms.
It won't work for 1.1.0. We're working on that (identity brokering) for 1.2.0
where you'll be able to delegate to external OpenID Connect or SAML IdP's.
Thanks in advance,
Guy
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:45 a.m.
Pedro has it working in master. Won't be release until like March
though probably.
On 1/21/2015 1:21 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Guy Davis" <guydavis.ca(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 21 January, 2015 6:08:50 AM
> Subject: [keycloak-user] Delegated SAML authentication?
>
> Good day,
>
> With the upcoming Keycloak 1.10, I see SAML support has been added to
> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default
> for our JBoss deployments, but in certain cases, customers are asking for
> integration with the MS Azure cloud authentication mechanisms.
It won't work for 1.1.0. We're working on that (identity brokering) for 1.2.0
where you'll be able to delegate to external OpenID Connect or SAML IdP's.
>
> Thanks in advance,
> Guy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:05 a.m.
Bill - identity brokering is something that we need today. Is it possible to release an
alpha or beta version of that functionality earlier than March so that we can start
integration work now? Unfortunately we can't build from source and look for binaries
from you.
Thanks
Raghu
Sent from my iPhone
On Jan 21, 2015, at 9:45 AM, Bill Burke <bburke(a)redhat.com>
wrote:
Pedro has it working in master. Won't be release until like March
though probably.
> On 1/21/2015 1:21 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Guy Davis" <guydavis.ca(a)gmail.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Wednesday, 21 January, 2015 6:08:50 AM
>> Subject: [keycloak-user] Delegated SAML authentication?
>>
>> Good day,
>>
>> With the upcoming Keycloak 1.10, I see SAML support has been added to
>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default
>> for our JBoss deployments, but in certain cases, customers are asking for
>> integration with the MS Azure cloud authentication mechanisms.
>
> It won't work for 1.1.0. We're working on that (identity brokering) for 1.2.0
where you'll be able to delegate to external OpenID Connect or SAML IdP's.
>
>>
>> Thanks in advance,
>> Guy
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:24 a.m.
----- Original Message -----
From: "Raghuram Prabhala" <prabhalar(a)yahoo.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, January 21, 2015 6:05:30 PM
Subject: Re: [keycloak-user] Delegated SAML authentication?
Bill - identity brokering is something that we need today. Is it possible to
release an alpha or beta version of that functionality earlier than March so
that we can start integration work now? Unfortunately we can't build from
source and look for binaries from you.
Once we have 1.1.0.Final released, which is hopefully this or next week, we should be able
to release something.
Thanks
Raghu
Sent from my iPhone
> On Jan 21, 2015, at 9:45 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
> Pedro has it working in master. Won't be release until like March
> though probably.
>
>> On 1/21/2015 1:21 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Guy Davis" <guydavis.ca(a)gmail.com>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Wednesday, 21 January, 2015 6:08:50 AM
>>> Subject: [keycloak-user] Delegated SAML authentication?
>>>
>>> Good day,
>>>
>>> With the upcoming Keycloak 1.10, I see SAML support has been added to
>>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP
>>> such
>>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
>>> default
>>> for our JBoss deployments, but in certain cases, customers are asking for
>>> integration with the MS Azure cloud authentication mechanisms.
>>
>> It won't work for 1.1.0. We're working on that (identity brokering) for
>> 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML
>> IdP's.
>>
>>>
>>> Thanks in advance,
>>> Guy
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:22 a.m.
That would be great. Thank you vey much Stian. Just to give you more background and
provide you my wishlist for the short term. 1) Identity brokering that will help us
authenticate against diff stores. One of them would be Kerberos (SPNEGO). 2) Customization
of claims in both SAML as well OpenID Connect responses for each application (client)
-similar to what ADFS provides today for SAML. It provides a GUI to choose the store as
well as the attributes for each relying party and also to map those attribute names to
different values (cn can be mapped to "Name" for one client and "Full
Name" for another) which will be reflected in the claims sent to the relying party.3)
OpenID Connect Interop (Today some of the endpoints do not fully adhere to the Spec)
I believe you have all the above requests in your queue for 1.2 release or later but would
appreciate if you can squeeze them in the next cycle of binaries.
Regards,Raghu From: Stian Thorgersen <stian(a)redhat.com>
To: Raghuram Prabhala <prabhalar(a)yahoo.com>
Cc: Bill Burke <bburke(a)redhat.com>; keycloak-user(a)lists.jboss.org
Sent: Thursday, January 22, 2015 2:24 AM
Subject: Re: [keycloak-user] Delegated SAML authentication?
----- Original Message -----
From: "Raghuram Prabhala" <prabhalar(a)yahoo.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, January 21, 2015 6:05:30 PM
Subject: Re: [keycloak-user] Delegated SAML authentication?
Bill - identity brokering is something that we need today. Is it possible to
release an alpha or beta version of that functionality earlier than March so
that we can start integration work now? Unfortunately we can't build from
source and look for binaries from you.
Once we have 1.1.0.Final released, which is hopefully this or next week, we should be able
to release something.
Thanks
Raghu
Sent from my iPhone
> On Jan 21, 2015, at 9:45 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
> Pedro has it working in master. Won't be release until like March
> though probably.
>
>> On 1/21/2015 1:21 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Guy Davis" <guydavis.ca(a)gmail.com>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Wednesday, 21 January, 2015 6:08:50 AM
>>> Subject: [keycloak-user] Delegated SAML authentication?
>>>
>>> Good day,
>>>
>>> With the upcoming Keycloak 1.10, I see SAML support has been added to
>>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP
>>> such
>>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
>>> default
>>> for our JBoss deployments, but in certain cases, customers are asking for
>>> integration with the MS Azure cloud authentication mechanisms.
>>
>> It won't work for 1.1.0. We're working on that (identity brokering) for
>> 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML
>> IdP's.
>>
>>>
>>> Thanks in advance,
>>> Guy
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:05 a.m.
----- Original Message -----
From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Thursday, January 22, 2015 2:22:51 PM
Subject: Re: [keycloak-user] Delegated SAML authentication?
That would be great. Thank you vey much Stian. Just to give you more
background and provide you my wishlist for the short term. 1) Identity
brokering that will help us authenticate against diff stores. One of them
would be Kerberos (SPNEGO). 2) Customization of claims in both SAML as well
OpenID Connect responses for each application (client) -similar to what ADFS
provides today for SAML. It provides a GUI to choose the store as well as
the attributes for each relying party and also to map those attribute names
to different values (cn can be mapped to "Name" for one client and "Full
Name" for another) which will be reflected in the claims sent to the relying
party.3) OpenID Connect Interop (Today some of the endpoints do not fully
adhere to the Spec)
I believe you have all the above requests in your queue for 1.2 release or
later but would appreciate if you can squeeze them in the next cycle of
binaries.
All of those are scheduled for the not so distant future, but I can't guarantee
they'll all be included in 1.2.
Regards,Raghu From: Stian Thorgersen <stian(a)redhat.com>
To: Raghuram Prabhala <prabhalar(a)yahoo.com>
Cc: Bill Burke <bburke(a)redhat.com>; keycloak-user(a)lists.jboss.org
Sent: Thursday, January 22, 2015 2:24 AM
Subject: Re: [keycloak-user] Delegated SAML authentication?
----- Original Message -----
> From: "Raghuram Prabhala" <prabhalar(a)yahoo.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, January 21, 2015 6:05:30 PM
> Subject: Re: [keycloak-user] Delegated SAML authentication?
>
> Bill - identity brokering is something that we need today. Is it possible
> to
> release an alpha or beta version of that functionality earlier than March
> so
> that we can start integration work now? Unfortunately we can't build from
> source and look for binaries from you.
Once we have 1.1.0.Final released, which is hopefully this or next week, we
should be able to release something.
>
> Thanks
> Raghu
>
> Sent from my iPhone
>
> > On Jan 21, 2015, at 9:45 AM, Bill Burke <bburke(a)redhat.com> wrote:
> >
> > Pedro has it working in master. Won't be release until like March
> > though probably.
> >
> >> On 1/21/2015 1:21 AM, Stian Thorgersen wrote:
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Guy Davis" <guydavis.ca(a)gmail.com>
> >>> To: keycloak-user(a)lists.jboss.org
> >>> Sent: Wednesday, 21 January, 2015 6:08:50 AM
> >>> Subject: [keycloak-user] Delegated SAML authentication?
> >>>
> >>> Good day,
> >>>
> >>> With the upcoming Keycloak 1.10, I see SAML support has been added to
> >>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP
> >>> such
> >>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
> >>> default
> >>> for our JBoss deployments, but in certain cases, customers are asking
> >>> for
> >>> integration with the MS Azure cloud authentication mechanisms.
> >>
> >> It won't work for 1.1.0. We're working on that (identity brokering)
for
> >> 1.2.0 where you'll be able to delegate to external OpenID Connect or
> >> SAML
> >> IdP's.
> >>
> >>>
> >>> Thanks in advance,
> >>> Guy
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:45 p.m.
Good to know. I'm looking forward to trying out Pedro's commit
<https://github.com/keycloak/keycloak/pull/913>;, particularly the SAML
integration with other IDPs. I'll try to build master and start asking
questions on the developer's list.
On Tue, Jan 20, 2015 at 11:21 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
> From: "Guy Davis" <guydavis.ca(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 21 January, 2015 6:08:50 AM
> Subject: [keycloak-user] Delegated SAML authentication?
>
> Good day,
>
> With the upcoming Keycloak 1.10, I see SAML support has been added to
> KeyCloak. Will it be possible to have Keycloak delegate to another IDP
such
> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
default
> for our JBoss deployments, but in certain cases, customers are asking for
> integration with the MS Azure cloud authentication mechanisms.
It won't work for 1.1.0. We're working on that (identity brokering) for
1.2.0 where you'll be able to delegate to external OpenID Connect or SAML
IdP's.
>
> Thanks in advance,
> Guy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
3878
days inactive
3879
days old
7 comments
5 participants
participants (5)
-
Bill Burke -
Guy Davis -
Raghu Prabhala -
Raghuram Prabhala
-
Stian Thorgersen