[keycloak-dev] SAML as social login?

Bill Burke bburke at redhat.com
Tue Feb 4 16:06:24 EST 2014


Thanks for the input!

On 2/4/2014 3:57 PM, Matt Casperson wrote:
> The value KeyCloak offers us (if I understand correctly) is that we can
> build applications against KeyCloak and not have to worry about where
> the user's details eventually come from. In our local deployment,
> KeyCloak might be nothing more than a middleman between our application
> and an existing SSO solution. But it is nice to be able to support other
> deployment scenarios where KeyCloak is used as a complete and
> independent security solution, with no changes to our code.
>
> So it is very valuable to us to have a project like KeyCloak providing a
> sliding scale solution from "just bouncing messages between the browser
> and the existing user database" to "we have no existing user database,
> so KeyCloak has to do everything" with little more than a few toggles in
> a UI.
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> <https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-072-237&isSearch=False&verify=Verify>
> Engineering Content Services
> Brisbane, Australia
>
> ------------------------------------------------------------------------
> *From: *"Bill Burke" <bburke at redhat.com>
> *To: *keycloak-dev at lists.jboss.org
> *Sent: *Wednesday, 5 February, 2014 1:26:49 AM
> *Subject: *Re: [keycloak-dev] SAML as social login?
>
> I guess this would be interesting in the case where your federated IDP
> didn't have role and session mgmt, single sign off, oauth/openid connect
> support?  Would Keycloak offer enough value add in this scenario?
>
> On 2/4/2014 7:30 AM, Stian Thorgersen wrote:
>  > In theory that should work. The social login feature at the moment
>  > has only been tested for OAuth and OAuth2 providers, so may need some
>  > tweaking for a SAML provider.
>  >
>  > We're also assuming that a social provider is able to retrieve a
>  > basic user profile
>  > (https://github.com/keycloak/keycloak/blob/master/social/google/src/main/java/org/keycloak/social/google/GoogleProvider.java#L85),
>  > but you could just return a username and require users to update their
>  > profile on first social login ("Update profile on first social login"
>  > option on realm settings in admin console).
>  >
>  > In the future we plan to provide support for federation of
>  > authentication (other Keycloak realms, SAML, LDAP, etc.), but this is a
>  > good way to get something working with what Keycloak provides at the moment.
>  >
>  > By the way, at the moment the admin console has a hard-coded list of
>  > social providers, but in the next release this will be dynamic. So all
>  > you'd need is to add a jar that implements the social provider SPI, and
>  > it will be available to configure for a realm through the admin console.
>  >
>  > ----- Original Message -----
>  >> From: "Matt Casperson" <mcaspers at redhat.com>
>  >> To: keycloak-dev at lists.jboss.org
>  >> Sent: Sunday, 2 February, 2014 8:56:48 PM
>  >> Subject: [keycloak-dev] SAML as social login?
>  >>
>  >> If I am reading
>  >> https://github.com/keycloak/keycloak/blob/master/social/google/src/main/java/org/keycloak/social/google/GoogleProvider.java
>  >> correctly, the only thing needed for a Keycloak social login is a URL to a
>  >> login page that the user can be directed to when they are not logged in, and
>  >> to have that login page send back a response that Keycloak can use to verify
>  >> the user and get their details.
>  >>
>  >> So if I had appropriate permissions to use https://saml.redhat.com/idp/,
>  >> could that be added as a social login?
>  >>
>  >> Regards
>  >>
>  >> Matthew Casperson
>  >> RHCE, RHCJA # 111-072-237
>  >> Engineering Content Services
>  >> Brisbane, Australia
>  >>
>  >>
>  >> _______________________________________________
>  >> keycloak-dev mailing list
>  >> keycloak-dev at lists.jboss.org
>  >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>  >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
