[keycloak-dev] Support for SSO bridge with shared user base

Josh Cain jcain at redhat.com
Fri Oct 9 09:22:59 EDT 2015


We've got a similar use case - an externally managed SAML IDP is sending
users our way, and we need to map them to an existing user base.  There are
no attributes that we can definitively use to map our users to incoming
users from the external SAML IDP.  We currently allow the users to
authenticate on our side on their first trip, then store an association
between internal/external users.  This association is used on subsequent
trips so that users don't have to sign in again.  We've currently got this
working in Picketlink, but will need to accommodate this use case with the
keycloak migration coming up in the future.

To your question of pointing the SAML website to keycloak, it is a third
party's IDP.

Is this sort of thing really that uncommon?  I'd imagine we're not the only
ones without a definitive mapping attribute, or a many-one mapping.
Anyway, are the SPIs currently in place, or are there some out there that
would do the trick for this?

Thanks in advance!

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735


On Fri, Oct 9, 2015 at 9:05 AM, Bill Burke <bburke at redhat.com> wrote:

> I'd rather have the appropriate SPIs be extended than have this feature
> native in keycloak as it seems very specific to your deployment.
>
> BTW, why not just point the SAML website to Keycloak?  Keycloak supports
> SAML.
>
> On 10/9/2015 5:39 AM, Vlastimil Elias wrote:
> > Hi,
> >
> >
> > I'd like to implement an SSO bridge between Keycloak, used for our website,
> > and another SAML 2 based SSO server used by another website.
> >
> > Both SSO servers share a common user base (the user federation provider in
> > keycloak runs against the same user store as the SAML SSO server).
> >
> > What I want to achieve is that once a user is logged in on the other SAML SSO
> > server and then comes to the Keycloak site, I'd like to log him in there
> > automatically.
> >
> > What I can do is configure a SAML Identity Provider in Keycloak and
> > enable "Authenticate By Default" for it. But I think this will always
> > lead to a user creation conflict in Keycloak as we share the user base. I have
> > to somehow force this "SAML Identity Provider" in keycloak to directly
> > use existing Keycloak users instead of creating new ones and linking to
> > them.
> >
> > Is this somehow achievable in Keycloak 1.5, e.g. by development of some
> > extension? From what I know I think it's not achievable and the feature must
> > be coded into keycloak core.
> >
> >
> > And one other question ;-)
> > When "Authenticate By Default" is used for some Identity Provider then I
> > believe that Keycloak redirects the user's browser to this provider in
> > passive mode before showing its own login page, to get an identity from it if
> > there is one. But what happens if the provider is unreachable? In this case the
> > user ends up on an error page and is not able to log in to Keycloak at all.
> > Is Keycloak able to detect provider failure and stop redirecting the user
> > there?
> >
> > Thanks in advance
> >
> > Vlastimil
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
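The "authenticate locally on the first trip, then store an association" scheme Josh describes, and the user-creation conflict Vlastimil raises when the broker and the external IdP share one user base, modelled as a framework-neutral added example. This is not Keycloak or PicketLink code and not code from anyone in the thread; the in-memory user store (standing in for the shared user base), the link store, the minimal assertion shape and the trusted-issuer set are assumptions, and the sample users are constructed. The points worth noticing: the association is keyed by (IdP entityID, NameID) rather than by a free-form attribute, a link is only written after the user proves the local credential, no user is ever created in the shared store, and an existing link is never silently re-pointed at a different local user.

```python
"""Framework-neutral model of 'link an external identity to an existing local
user on first login'. Added example, not Keycloak or PicketLink code.
Assumptions: an in-memory user store standing in for the shared user base,
an in-memory link store, and a minimal SAML assertion shape."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SamlAssertion:
    """Only the fields the broker needs (assumed shape, not a full assertion)."""
    issuer: str   # entityID of the third-party IdP that issued the assertion
    name_id: str  # subject NameID as asserted by that IdP


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Stand-in for the shared user base (e.g. the directory both SSO servers use)."""

    def __init__(self) -> None:
        self._users: dict = {}

    def add(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def exists(self, username: str) -> bool:
        return username in self._users

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, hash_password(password, salt))


class LinkStore:
    """External identity -> local username. Keyed by (issuer, NameID) so a
    NameID asserted by a different IdP can never reuse someone else's link."""

    def __init__(self) -> None:
        self._links: dict = {}

    def get(self, issuer: str, name_id: str) -> Optional[str]:
        return self._links.get((issuer, name_id))

    def put(self, issuer: str, name_id: str, username: str) -> None:
        self._links[(issuer, name_id)] = username


class Broker:
    """Decides what happens when an assertion from the external IdP arrives."""

    def __init__(self, users: UserStore, links: LinkStore, trusted_issuers: set) -> None:
        self.users = users
        self.links = links
        self.trusted_issuers = trusted_issuers

    def handle_assertion(self, a: SamlAssertion) -> Tuple[str, Optional[str]]:
        """Subsequent trips: an existing link logs the user in with no prompt.
        First trip: no link, so require a local login instead of creating a
        duplicate user in the shared store."""
        if a.issuer not in self.trusted_issuers:
            raise ValueError("assertion from unknown issuer: " + a.issuer)
        username = self.links.get(a.issuer, a.name_id)
        if username is not None and self.users.exists(username):
            return ("logged_in", username)
        return ("link_required", None)

    def complete_link(self, a: SamlAssertion, username: str, password: str
                      ) -> Tuple[str, Optional[str]]:
        """First trip, step two: the user proves the local credential, and only
        then is the association written. Several external identities may map
        to one local user (many-to-one), but an existing link for this external
        identity is never re-pointed at another local user."""
        if a.issuer not in self.trusted_issuers:
            raise ValueError("assertion from unknown issuer: " + a.issuer)
        if not self.users.verify(username, password):
            return ("denied", None)
        existing = self.links.get(a.issuer, a.name_id)
        if existing is not None and existing != username:
            return ("conflict", existing)
        self.links.put(a.issuer, a.name_id, username)
        return ("logged_in", username)


if __name__ == "__main__":
    # Constructed sample data.
    users = UserStore()
    users.add("alice", "correct horse battery staple")
    broker = Broker(users, LinkStore(), {"https://idp.example.org/saml"})
    a = SamlAssertion("https://idp.example.org/saml", "urn:ext:42")
    print(broker.handle_assertion(a))  # ('link_required', None)
    print(broker.complete_link(a, "alice", "correct horse battery staple"))  # ('logged_in', 'alice')
    print(broker.handle_assertion(a))  # ('logged_in', 'alice')
```

The "link_required" result is where a real deployment would render its own login page rather than an IdP-created user; once the association exists, the passive round trip to the external IdP is enough on every later visit.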