[keycloak-dev] Support for SSO bridge with shared user base
Vlastimil Elias
velias at redhat.com
Fri Oct 9 05:39:20 EDT 2015
Hi,
I'd like to implement SSO bridge between Keycloak used for our website,
and other SAML 2 based SSO server used by another website.
Both SSO servers share common user base (user federation provider in
keycloak against same user store as the SAML SSO server).
What I want to achieve is that once user is logged in on other SAML SSO
server and then comes to Keycloak site I'd like to login him there
automatically.
What I can do is to configure SAML Identity Provider in Keycloak and
enable "Authenticate By Default" for it. But I think this will always
lead to user creation conflict in Keycloak as we share user base. I have
to somehow force this "SAML Identity Provider" in keycloak to directly
use existing Keycloak users instead of creating new one and linking to them.
Is this somehow achievable in Keycloak 1.5, eg. by development of some
extension? From what I know I think it s not achievable and feature must
be coded into keycloak core.
And one other question ;-)
When "Authenticate By Default" is used for some Identity Provider then I
believe that Keycloak redirects user's browser to this provider in
passive mode before showing own login page to get identity from it if
any. But what happen if the provider is unreachable? In this case user
finishes with erro page and is not able to login into Keycloak at all.
Is Keycloak able to detect provider failure and stop redirecting user
there?
Thanks in advance
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
More information about the keycloak-dev
mailing list