Hello,
I am also interested in this.
At the moment, we implement this with SAML brokering, which doesn't
require direct communication between the Keycloak instances.
This was not trivial to configure on both instances (especially
regarding signatures), so if there is another way it would be great.
Regards,
Cédric
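As an added illustration of the approach Cédric describes (this is example configuration written for this page, not Cédric's or the Keycloak project's own), the fragment below is a realm-import snippet for the brokering Keycloak (realm A) that registers the remote Keycloak (realm B) as a SAML identity provider. The hostnames, realm names and alias are assumed, and the certificate value is a placeholder for realm B's SAML signing certificate, which you can export from realm B's keys or its SAML descriptor at `/auth/realms/<realm>/protocol/saml/descriptor`. The config keys are the ones exposed by the SAML identity provider settings in the Keycloak admin console; check them against your version's console, since the set has grown over releases.

```json
{
  "identityProviders": [
    {
      "alias": "remote-keycloak",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "config": {
        "singleSignOnServiceUrl": "https://idp-b.example.test/auth/realms/realm-b/protocol/saml",
        "singleLogoutServiceUrl": "https://idp-b.example.test/auth/realms/realm-b/protocol/saml",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "postBindingAuthnRequest": "true",
        "postBindingResponse": "true",
        "postBindingLogout": "true",
        "backchannelSupported": "false",
        "wantAuthnRequestsSigned": "true",
        "wantAssertionsSigned": "true",
        "validateSignature": "true",
        "signingCertificate": "MII...PLACEHOLDER-REALM-B-SAML-SIGNING-CERT-BASE64...",
        "signatureAlgorithm": "RSA_SHA256",
        "forceAuthn": "false"
      }
    }
  ]
}
```

The three settings that make this work without server-to-server connectivity are the `postBinding*` flags and `backchannelSupported: false`: with HTTP-POST bindings the AuthnRequest, Response and logout messages all travel through the user's browser, so realm A never opens a socket to realm B. Because the only thing protecting the assertion on that path is its signature, `validateSignature`, `wantAssertionsSigned` and the pinned `signingCertificate` are what prevent an arbitrary POSTed Response from being accepted; leaving any of them off is the security risk Jonathan asks about. On the realm B side the matching SAML client should have its assertion consumer URL set to realm A's broker endpoint (`https://idp-a.example.test/auth/realms/realm-a/broker/remote-keycloak/endpoint`) and "Client signature required" enabled with realm A's certificate, so that realm B in turn only honours AuthnRequests signed by the broker; that mutual certificate exchange is the part Cédric mentions as the hard bit to get right.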
2018-01-29 8:14 GMT+01:00 Scheinmann, Jonathan <jonathan.scheinmann(a)dxc.com>:
Hi community,
We currently have a setup of two Keycloak IDPs in completely different networks.
That means both Keycloak instances cannot see each other. However, the user (from the
browser's perspective) can access both instances over a VPN connection. We
would now like to "connect" both Keycloak instances over identity brokering in a
way that both instances can perform the authentication process without communicating
directly with each other (maybe indirectly through the user's browser). We set up IDP
brokering between both and everything worked fine up to the point where the brokering
instance performs a call-back to the other instance, which of course led to an
UnknownHostException.
The question is therefore: is there a way to pass user data between both Keycloak
instances without direct communication, only through a browser authentication flow? Or would
that be a security risk?
Regards,
Jonathan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user