[keycloak-dev] can we get away with federating user/cred only?

Stian Thorgersen stian at redhat.com
Wed Jan 29 08:51:03 EST 2014


When it comes to enterprises, I think it is important to have multiple options to best integrate into whatever ecosystem they already have in place.

With that in mind, when possible I think syncing to/from LDAP would be great. Keycloak store would in most cases provide more information than the LDAP store in those cases. For example role mappings.

If we design a sync SPI, that would allow users to do their own integration with whatever they currently have, be it LDAP, a relational database, or any other solution. The SPI could have a read-only as well as a read/write option.

Also, I think it makes sense to add support for auth brokering, again through an auth SPI. I imagine this would work by letting a realm use a different source to validate credentials. A very crude auth SPI could look like:

  public boolean isAuthenticated(String username, Credential... credentials) {
  }

Some auth providers could only work for some credentials. For example, an LDAP could be used to verify the username/password, then Keycloak to verify TOTP, while roles and other user profile data are retrieved from the Keycloak store.

The same auth SPI could be used to add support for additional OTP mechanisms (email, smtp, yubikey, you name it).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 27 January, 2014 5:12:48 PM
> Subject: [keycloak-dev] can we get away with federating user/cred only?
> 
> Can we get away with federating user and credentials only?  Only store
> those in LDAP/AD?  Would sure make our lives a lot easier and this may
> cover 80% of deployments that need it?
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
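A worked sketch of the brokering idea above (LDAP for the password, the Keycloak store for TOTP, each credential type routed to the provider that can verify it). This is an added example and not Keycloak code or the original poster's code: the `Credential` record, the `supports()` method on the provider, and the `BrokeringRealm` with its set of required credential types are assumptions made here to make the crude `isAuthenticated(String username, Credential... credentials)` signature runnable; the LDAP provider is an in-memory stand-in for a directory bind, and the user, password and TOTP secret are constructed sample values.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BrokeredAuthDemo {

    // A credential as handed to the SPI: a type tag plus the value the user presented (assumed shape).
    public record Credential(String type, String value) {}

    // The crude SPI from the thread, plus supports() so a realm can route credential types (assumption).
    public interface AuthProvider {
        boolean supports(String credentialType);
        boolean isAuthenticated(String username, Credential... credentials);
    }

    // Stand-in for an LDAP bind: constructed in-memory users. A real provider would bind
    // against the directory with the presented password rather than compare locally.
    public static class FakeLdapPasswordProvider implements AuthProvider {
        private final Map<String, String> passwords;
        public FakeLdapPasswordProvider(Map<String, String> passwords) { this.passwords = passwords; }
        public boolean supports(String type) { return type.equals("password"); }
        public boolean isAuthenticated(String username, Credential... credentials) {
            String expected = passwords.get(username);
            if (expected == null) return false;
            for (Credential c : credentials) {
                // Constant-time comparison so a mismatch does not leak where the strings diverge.
                if (supports(c.type()) && !MessageDigest.isEqual(expected.getBytes(), c.value().getBytes())) return false;
            }
            return true;
        }
    }

    // TOTP verified against secrets held in the Keycloak store (here an in-memory map).
    public static class KeycloakTotpProvider implements AuthProvider {
        private static final long STEP_SECONDS = 30, WINDOW = 1;
        private final Map<String, byte[]> secrets;
        public KeycloakTotpProvider(Map<String, byte[]> secrets) { this.secrets = secrets; }
        public boolean supports(String type) { return type.equals("totp"); }
        public boolean isAuthenticated(String username, Credential... credentials) {
            byte[] secret = secrets.get(username);
            if (secret == null) return false;
            long counter = Instant.now().getEpochSecond() / STEP_SECONDS;
            for (Credential c : credentials) {
                if (!supports(c.type())) continue;
                boolean ok = false;
                // Accept the current step and one step either side to tolerate clock skew.
                for (long i = -WINDOW; i <= WINDOW; i++) {
                    if (MessageDigest.isEqual(totp(secret, counter + i).getBytes(), c.value().getBytes())) ok = true;
                }
                if (!ok) return false;
            }
            return true;
        }
        // RFC 6238 TOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits.
        public static String totp(byte[] secret, long counter) {
            try {
                Mac mac = Mac.getInstance("HmacSHA1");
                mac.init(new SecretKeySpec(secret, "HmacSHA1"));
                byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
                int off = h[h.length - 1] & 0x0f;
                int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                        | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
                return String.format("%06d", bin % 1_000_000);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    // Realm-level brokering: every required type must be presented, every presented credential
    // must be claimed by a provider that accepts it, and an unknown credential type fails closed.
    public static class BrokeringRealm {
        private final List<AuthProvider> providers;
        private final Set<String> requiredTypes;
        public BrokeringRealm(List<AuthProvider> providers, Set<String> requiredTypes) {
            this.providers = providers; this.requiredTypes = requiredTypes;
        }
        public boolean authenticate(String username, Credential... credentials) {
            for (String required : requiredTypes) {
                if (List.of(credentials).stream().noneMatch(c -> c.type().equals(required))) return false;
            }
            for (Credential c : credentials) {
                boolean claimed = false;
                for (AuthProvider p : providers) {
                    if (!p.supports(c.type())) continue;
                    claimed = true;
                    if (!p.isAuthenticated(username, c)) return false;
                }
                if (!claimed) return false;
            }
            return true;
        }
    }

    public static void main(String[] args) {
        byte[] secret = "12345678901234567890".getBytes();  // constructed sample TOTP seed
        BrokeringRealm realm = new BrokeringRealm(
            List.of(new FakeLdapPasswordProvider(Map.of("alice", "correct horse")),
                    new KeycloakTotpProvider(Map.of("alice", secret))),
            Set.of("password", "totp"));
        String code = KeycloakTotpProvider.totp(secret, Instant.now().getEpochSecond() / 30);
        System.out.println(realm.authenticate("alice", new Credential("password", "correct horse"), new Credential("totp", code)));
        System.out.println(realm.authenticate("alice", new Credential("password", "wrong"), new Credential("totp", code)));
        System.out.println(realm.authenticate("alice", new Credential("password", "correct horse")));
    }
}
```

The realm decides policy (which credential types are mandatory) while each provider only answers for the types it claims; that split is what lets the password check move to LDAP without the TOTP secrets or role mappings leaving the Keycloak store, and it keeps an unrecognised credential type from being silently treated as verified.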

