[keycloak-user] External Registration Flow

Schneider, Tom tschneider at connecture.com
Wed Apr 8 10:01:57 EDT 2015


I originally proposed that we separate out the account registration to a separate screen from the additional business data entry and hop over to keycloak for the account registration part.  This would work, however, our business analysts would prefer to keep the user experience the same as it is today.

As far as replicating the exact same screen we have today, I would see issues with that.  We have dynamic headers, footers and side navigation functionality that would be difficult to implement in keycloak.  This is also part of a larger flow so we would need to be able to handle forward/back navigation buttons.  There is also quite a bit of additional data that we capture, so I could see future maintenance being an issue if we had to update keycloak every time we wanted to make changes.  It's a good thought, but unfortunately I think our page is too complex for that.

One thought I had was utilizing the new identity broker functionality for this.  Our app would be setup as both a SAML service provider and a SAML brokered identity provider.  Our app would send a SAML response to keycloak as the identity provider, keycloak would create a SSO session for that user and then send the user back to our app with a keycloak SAML response.  Not quite the standard use case for this feature, but any thoughts on if this might work?

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com] 
Sent: Tuesday, April 07, 2015 11:57 PM
To: Bill Burke
Cc: Schneider, Tom; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] External Registration Flow

Taking one step back on this. You say you can't use Keycloak's registration screens as you collect additional business data. If you could edit the registration page on Keycloak (which you already can) then intercept the required information in an event listener (which you soon can) would that satisfy your needs?


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Tom Schneider" <tschneider at connecture.com>, 
> keycloak-user at lists.jboss.org
> Sent: Tuesday, 7 April, 2015 6:01:29 PM
> Subject: Re: [keycloak-user] External Registration Flow
> 
> Wouldn't you want Keycloak to ask for new credential input?  That way 
> you can control from keycloak what credential types are required.
> 
> On 4/7/2015 11:52 AM, Schneider, Tom wrote:
> > That is close, but not quite the flow we're trying to implement.  
> > This would be the flow we are attempting to implement:
> >
> > 1. Visit app
> > 2. Click on registration link within app 3. Fill out registration 
> > info 4. App calls keycloak webservices to create user and set 
> > password 5. Redirect to keycloak 6. ??? (Currently SAML Login) 7. 
> > Redirect back to app
> >
> > Ideally I would think there would be a way for the app to request 
> > some kind of token that can be sent back to keycloak to allow the 
> > user to be logged in with having the end user login explicitly.  
> > However, I haven't found anything that would do something like this yet.
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org
> > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill 
> > Burke
> > Sent: Tuesday, April 07, 2015 10:31 AM
> > To: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] External Registration Flow
> >
> > To have the seemless integration you want, Keycloak would need some 
> > kind of remote registration protocol so that registration could be 
> > delegated to another app.  We don't have this ability yet.  This is 
> > because you want this flow, right?:
> >
> > 1. Visit app
> > 2. Redirected to Keycloak login
> > 3. Click on registration link on page 4. Redirect to External 
> > registration app 5. Register 6. Redirect back to keycloak 7. Import 
> > user 8. Redirect back to app
> >
> >
> > On 4/7/2015 10:17 AM, Schneider, Tom wrote:
> >> I have an existing application that I'm looking to integrate with 
> >> keycloak.  One of the flows we're working on is a user 
> >> self-registration flow.  In this flow, a user will enter 
> >> registration information, then the user will be provisioned within 
> >> the local app and then we use web service calls to create the user in keycloak.
> >> After the user is provisioned, then we do a SAML post to keycloak, 
> >> the user logs in and then they are redirected back to our app.
> >>
> >> This is all working fine, however, the user must enter their 
> >> username and password twice, once on the registration screen and 
> >> once to log into keycloak to establish an SSO session.  We'd like 
> >> to avoid using the keycloak registration screens since we collect 
> >> additional business data on our registration screen that our app 
> >> needs.  Are there any suggestions on how to avoid this double login?
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 



More information about the keycloak-user mailing list