[keycloak-dev] SAML as social login?

Bill Burke bburke at redhat.com
Tue Feb 4 10:26:49 EST 2014

I guess this would be interesting in the case where your federated IDP 
didn't have role and session mgmt, single sign off, oauth/openid connect 
support?  Would Keycloak offer enough value add in this scenario?

On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
> In theory that should work. The social login feature at the moment has only been tested for OAuth and OAuth2 providers, so may need some tweaking for a SAML provider.
> We're also assuming that a social provider is able to retrieve a basic user profile (https://github.com/keycloak/keycloak/blob/master/social/google/src/main/java/org/keycloak/social/google/GoogleProvider.java#L85), but you could just return a username and require users to update their profile on first social login ("Update profile on first social login" option on realm settings in admin console).
> In the future we plan to provide support for federation of authentication (other Keycloak realms, SAML, LDAP, etc.), but this is a good way to get something working with what Keycloak provides at the moment.
> By the way at the moment the admin console has a hard-coded list of social providers, but in the next release this will be dynamic. So all you'd need is to add a jar that implements the social provider spi, and it will be available to configure it for a realm through the admin console.
> ----- Original Message -----
>> From: "Matt Casperson" <mcaspers at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Sunday, 2 February, 2014 8:56:48 PM
>> Subject: [keycloak-dev] SAML as social login?
>> If I am reading
>> https://github.com/keycloak/keycloak/blob/master/social/google/src/main/java/org/keycloak/social/google/GoogleProvider.java
>> correctly, the only thing needed for a Keycloak social login is a URL to a
>> login page that the user can be directed to when they are not logged in, and
>> to have that login page send back a response that Keycloak can use to verify
>> the user and get their details.
>> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
>> could that be added as a social login?
>> Regards
>> Matthew Casperson
>> RHCE, RHCJA # 111-072-237
>> Engineering Content Services
>> Brisbane, Australia
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list