[keycloak-dev] Support for SSO bridge with shared user base

Vlastimil Elias velias at redhat.com
Mon Oct 12 03:59:41 EDT 2015 

Hi

On 9.10.2015 15:05, Bill Burke wrote:
> I'd rather have the appropriate SPIs be extended then have this feature
> native in keycloak as it seems very specific to your deployment.

yep, I agree, but I'm not sure which SPI should be extended.

It should be ideal to have some SPI responsible for reading/storing 
links between keycloak internal user and user from identity provider.
I think methods for this are now directly part of UserStore provider.
Moving these methods to separate SPI will allow storing links 
information independently (eg in another store or service) and also will 
allow implementation of special cases as is my one when usernames are 
same, or when eg. username off keycloak user is passed as some attribute 
from the identity provider.


> BTW, why not just point the SAML website to Keycloak?  Keycloak supports
> SAML.

It's not possible due organizational reasons. SAML SSO server is managed 
by other department and other websites have agreement with that 
department, not with us ;-)

Thanks

Vlastimil

>
> On 10/9/2015 5:39 AM, Vlastimil Elias wrote:
>> Hi,
>>
>>
>> I'd like to implement SSO bridge between Keycloak used for our website,
>> and other SAML 2 based SSO server used by another website.
>>
>> Both SSO servers share common user base (user federation provider in
>> keycloak against same user store as the SAML SSO server).
>>
>> What I want to achieve is that once user is logged in on other SAML SSO
>> server and then comes to Keycloak site I'd like to login him there
>> automatically.
>>
>> What I can do is to configure SAML Identity Provider in Keycloak and
>> enable "Authenticate By Default" for it. But I think this will always
>> lead to user creation conflict in Keycloak as we share user base. I have
>> to somehow force this "SAML Identity Provider" in keycloak to directly
>> use existing Keycloak users instead of creating new one and linking to them.
>>
>> Is this somehow achievable in Keycloak 1.5, eg. by development of some
>> extension? From what I know I think it s not achievable and feature must
>> be coded into keycloak core.
>>
>>
>> And one other question ;-)
>> When "Authenticate By Default" is used for some Identity Provider then I
>> believe that Keycloak redirects user's browser to this provider in
>> passive mode before showing own login page to get identity from it if
>> any. But what happen if the provider is unreachable? In this case user
>> finishes with erro page and is not able to login into Keycloak at all.
>> Is Keycloak able to detect provider failure and stop redirecting user
>> there?
>>
>> Thanks in advance
>>
>> Vlastimil
>>

-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team

More information about the keycloak-dev mailing list