We've been wanting to add something along those lines out of the box, but
haven't had the time to work on it. We didn't consider the addition of
asking users to create an account if the username was not there, but that
would be a nice option. We were also thinking about doing the redirect to
IdP based on email domain rather than a list of usernames, i.e. all
@mycorp.com get redirected to sso.mycorp.com. Both options would be nice
though.
It's a fair bit of work though as we need to have an option on a realm to
have a "username first" option. Then it has impacts on the default
authentication flows as we may need different flows out of the box.
You could consider contributing this or you could develop your own custom
authentication flow that does it for you exactly how you want it.
On 27 December 2016 at 21:05, Reed Lewis <RLewis(a)carbonite.com> wrote:
We are planning on using Keycloak to authenticate users in our
environment. There will be multiple sources of user logins.
1. Local to Keycloak
2. Using a Federation provider to pull accounts on a one-time basis (the
first time the user logs in they will authenticate using the p/w in the
Federation server, and subsequent logins will occur entirely in Keycloak)
3. Using a third-party IdP (like Microsoft, Google, etc.), but the
initial source of these accounts might be local in Keycloak.
I of course can do #1, and know how to do #2. For #3 I have the
external 3rd-party IdP working.
But what we would like to have is this:
1. A user goes to a form in which they enter the username only.
2. If the user is new, it asks them to create an account
3. If the user is new, but we know the login to be associated with a
third-party IdP, we go there and link the account.
4. If the user is not new, and if they are linked to a third-party
IdP, it automatically loads that IdP page without having to pick that login.
Here is the workflow we are thinking.
An admin adds a list of accounts (either CSV, or somehow else) into
Keycloak, but it says that all these accounts need to be authenticated by
some third-party IdP. So when a user logs into Keycloak and enters their
password, it automatically redirects the user to the third-party IdP and then
associates the local Keycloak login with the IdP without having to do too
much.
Does this make sense?
Reed Lewis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
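The "username first" routing discussed in this thread (the admin-imported list of accounts that must use an IdP, the email-domain rule from the reply, and the fall-through to local password or registration), as an added example that is not part of the thread and not Keycloak's own code. The class, its method names and the sample data are all hypothetical; the Keycloak-facing side (the Authenticator that renders the username form and performs the broker redirect) is deliberately not included, so the block compiles and runs with plain javac.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical "username first" router for a custom Keycloak authentication
 * flow. Given only the login identifier, it decides whether to redirect to a
 * brokered IdP, continue to the local password form, or offer registration.
 * Added example, not Keycloak code; names and sample data are made up.
 */
public final class UsernameFirstRouter {

    public enum Action { REDIRECT_TO_IDP, LOCAL_PASSWORD, REGISTER }

    /** Outcome of one lookup: the next step and, for IdP redirects, the IdP alias. */
    public static final class Decision {
        public final Action action;
        public final String idpAlias;   // null unless action == REDIRECT_TO_IDP
        public final String login;      // normalized identifier that was matched

        Decision(Action action, String idpAlias, String login) {
            this.action = action;
            this.idpAlias = idpAlias;
            this.login = login;
        }

        @Override public String toString() {
            return idpAlias == null ? action.toString() : action + "(" + idpAlias + ")";
        }
    }

    private final Map<String, String> loginToIdp;  // admin-imported list: login -> IdP alias
    private final Map<String, String> domainToIdp; // e-mail domain -> IdP alias
    private final Set<String> localUsers;          // stands in for the realm's user store

    public UsernameFirstRouter(Map<String, String> loginToIdp,
                               Map<String, String> domainToIdp,
                               Set<String> localUsers) {
        this.loginToIdp = lowerKeys(loginToIdp);
        this.domainToIdp = lowerKeys(domainToIdp);
        this.localUsers = new HashSet<>();
        for (String u : localUsers) this.localUsers.add(normalize(u));
    }

    public Decision resolve(String rawLogin) {
        String login = normalize(rawLogin);

        // 1. An explicit per-account mapping wins, so an account the admin imported
        //    as "must use IdP X" can never fall through to a local password.
        String alias = loginToIdp.get(login);
        if (alias != null) return new Decision(Action.REDIRECT_TO_IDP, alias, login);

        // 2. Domain rule, evaluated BEFORE the local user lookup: if the order were
        //    reversed, anyone who self-registered alice@mycorp.com locally would get
        //    a password prompt instead of being sent to the corporate IdP.
        String domain = emailDomain(login);
        if (domain != null && (alias = domainToIdp.get(domain)) != null) {
            return new Decision(Action.REDIRECT_TO_IDP, alias, login);
        }

        // 3. Known local account: continue to the password step.
        if (localUsers.contains(login)) return new Decision(Action.LOCAL_PASSWORD, null, login);

        // 4. Nothing matched: offer registration.
        return new Decision(Action.REGISTER, null, login);
    }

    /** Trim and case-fold so "Alice@MyCorp.com" and "alice@mycorp.com" route the same way. */
    static String normalize(String raw) {
        if (raw == null || raw.trim().isEmpty()) throw new IllegalArgumentException("login required");
        return raw.trim().toLowerCase(Locale.ROOT);
    }

    /**
     * Domain part of an e-mail-shaped login, or null for a plain username.
     * Matched exactly against the map, never by suffix, so "mycorp.com.evil.net"
     * does not match the rule for "mycorp.com".
     */
    static String emailDomain(String login) {
        int at = login.lastIndexOf('@');
        if (at <= 0 || at == login.length() - 1) return null;
        return login.substring(at + 1);
    }

    private static Map<String, String> lowerKeys(Map<String, String> in) {
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : in.entrySet()) out.put(normalize(e.getKey()), e.getValue());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: one imported account, one domain rule, two local users.
        Map<String, String> byLogin = new LinkedHashMap<>();
        byLogin.put("bob", "azure-ad");
        Map<String, String> byDomain = new LinkedHashMap<>();
        byDomain.put("mycorp.com", "sso-mycorp");
        Set<String> local = new HashSet<>(Arrays.asList("carol", "dave@example.org"));

        UsernameFirstRouter router = new UsernameFirstRouter(byLogin, byDomain, local);
        String[] logins = { "BOB", "Alice@MyCorp.com", "alice@mycorp.com.evil.net",
                            "carol", "dave@example.org", "eve" };
        for (String l : logins) System.out.println(l + " -> " + router.resolve(l));
    }
}
```

Run with `javac UsernameFirstRouter.java && java UsernameFirstRouter`. In a real flow, the `action()` method of a custom Keycloak `Authenticator` would read the submitted username, call `resolve()`, and then either set the user and continue to the password step or redirect to the chosen broker; the evaluation order above is the part worth keeping, because it is what stops a self-registered local account from shadowing an IdP-managed one. Two caveats: a username-first form reveals whether an identifier is known (registration vs. password prompt is observable), so rate-limit it like any login endpoint; and keep domain matching exact, since suffix matching would let an attacker-controlled domain such as mycorp.com.evil.net ride the corporate rule.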