[keycloak-dev] Remove IDM entirely or keep Picketlink federation provider?

Bill Burke bburke at redhat.com
Wed Apr 8 10:03:16 EDT 2015

On 4/8/2015 9:59 AM, Marek Posolda wrote:
> On 8.4.2015 15:33, Stian Thorgersen wrote:
>> ----- Original Message -----
>>> From: "Marek Posolda" <mposolda at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 8 April, 2015 3:18:40 PM
>>> Subject: [keycloak-dev] Remove IDM entirely or keep Picketlink federation	provider?
>>> Not sure if we already decide about $subject. I am in the middle of
>>> forking LDAP from PLIDM and removing PLIDM dependency. Now I wonder if I
>>> should:
>>> 1) Remove PLIDM dependency entirely from whole codebase
>>> 2) Create the module with Picketlink FederationProvider, which won't be
>>> packaged in distribution by default. This can be separate package used
>>> on demand by EAP customers to migrate their PLIDM users into Keycloak
>>> users. This module will be the only place, which will be still dependent
>>> on PLIDM, but since it won't be in distribution by default, we can
>>> remove PLIDM dependency from appliance and war distributions.
>>> The reason I am asking is, that current LDAPFederationProvider can be
>>> quite easily converted into PicketlinkFederationProvider. But limitation
>>> is, that it will migrate just users. It won't migrate IDM roles into
>>> Keycloak roles..
>>> Or should I simply go with (1) and don't care about the migration for now?
>> As 2 can't do roles as well it's not really that useful. Also, since IDM is so flexible I can't see us providing one that works for everyone (if anyone?! at all). So maybe what we should do is to provide an example that users can fork/modify?
> Yeah, so maybe adding new example into examples/providers for that?
> I can try to do something by tomorrow, but not sure if I catch it. And
> next week I would like to start on persistent client grants. I guess
> it's not an issue to possibly postpone this to some later release?

I think it will help us tremendously in product if we have zero PL IDM 
dependencies.  As we discussed in meetings, Picketlink is not going to 
be upgraded in EAP7 and is a few versions back of the latest Picketlink. 
  Keycloak LDAP integration currently has dependencies on latest and 
greatest Picketlink.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list