I think the use case of auto-registration makes sense and it will be
nice to add it as an optional feature to the current X509 support. Could you
please create a JIRA for it if it doesn't yet exist?
A somewhat similar use case is Kerberos/SPNEGO authentication. That one has
support for auto-registration as it uses a user storage provider
(typically LDAP, but standalone Kerberos is also supported), which has
support for auto-registration as long as registration is allowed for the
LDAP storage provider.
Marek
On 15/06/17 03:02, Nalyvayko, Peter wrote:
Hi Thiago,
Have you considered using the LDAP identity provider in conjunction with X509 user
authentication? X509 contains an existing identity of a user so whoever's responsible
for issuing the certificate can pre-register the user by creating an LDAP record prior to
issuing the X509 cert to the user.
My $0.02
Regards,
Peter
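Peter's pre-registration idea, as an added illustration that is not part of this thread nor Keycloak's own code: the issuer derives the user identity from the certificate's subject DN in the same "attribute plus regular expression" style the X509 authenticator uses to match an existing user, and emits the LDAP record to load before the certificate is handed out. The sample DN, the `emailAddress` attribute name, the regex and the LDAP base DN are all assumptions chosen for the example.

```python
import re

# Constructed sample subject DN (hypothetical values, not from the thread).
SAMPLE_SUBJECT_DN = r"CN=Jane Doe,emailAddress=jane.doe@example.test,O=Example\, Inc.,C=XX"

def parse_dn(dn):
    """Split an RFC 4514 style DN into (attr, value) pairs, honouring '\\,' escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def extract_identity(dn, attr="emailaddress", pattern=r"^([^@\s]+@[^@\s]+)$"):
    """Stand-in for the authenticator's identity extraction: pick one subject
    attribute and apply a regex; None when the attribute or match is absent."""
    for a, v in parse_dn(dn):
        if a == attr:
            m = re.match(pattern, v)
            if m:
                return m.group(1)
    return None

def ldif_for(dn, base_dn="ou=people,dc=example,dc=test"):
    """LDIF the issuer loads before issuing the cert, so the X509 authenticator
    later finds a user that already exists. Refuses subjects with no identity."""
    ident = extract_identity(dn)
    if ident is None:
        raise ValueError("subject carries no usable identity; refuse to provision")
    cn = dict(parse_dn(dn)).get("cn", ident)
    uid = ident.split("@")[0]
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {cn.split()[-1]}",
        f"mail: {ident}",
        "",
    ])
```

The identity the script writes into `mail` must be the same value the authenticator is configured to map the certificate to, otherwise the pre-registered record will not be found at login.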
________________________________________
From: Thiago Presa [thiago.addevico(a)gmail.com]
Sent: Wednesday, June 14, 2017 1:23 PM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] X509 Identity Brokering
Hi Peter,
As I could grasp, currently the user would have to manually register himself into the
realm, providing a password for the access. After that, he or she can use the certificate
instead of the password to log into the realm.
However, we would like users to log in only through valid X509 certificates. It seems a
bit artificial to ask for a password that ultimately won't be used. Can we avoid
asking the password somehow?
Best regards,
Thiago Presa
On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter
<pnalyvayko@agi.com> wrote:
Hi Thiago,
AFAIK x509 user authentication requires an existing user. Can you go into specifics what
your use case is?
--Peter
________________________________________
From: keycloak-user-bounces@lists.jboss.org [keycloak-user-bounces@lists.jboss.org]
on behalf of Thiago Presa [thiago.addevico@gmail.com]
Sent: Tuesday, June 13, 2017 5:47 PM
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] X509 Identity Brokering
Hi,
Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?
Best regards,
Thiago Presa
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user