[keycloak-user] Keycloak 1.1.0.Final Released

Raghu Prabhala prabhalar at yahoo.com
Sat Feb 14 17:03:55 EST 2015


Bill - Just wanted to let you know the Identity Broker currently being built meets my requirements. I have successfully tested out a complex scenario (given below) involving both SPNEGO as well as SAML Service Provider functionality:

1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.
2) KC on another host acting as SAML SP communicating with IDP (Point 1) and a client using OpenID Connect (Point 3)
3) A Client application communicating with KC (refer to Point 2) using OpenID Connect

Any user accessing the client application will now be seamlessly authenticated without entering a password. Now I am looking for the "custom profiles" functionality which would help me move forward. Just to reiterate my requirement - once the user is authenticated, I would like to make an LDAP call (in some cases multiple calls to different repositories) to retrieve all user information that should eventually be populated in the SAML claims or OIDC id_token selectively.

A big thank you to you and the entire dev team for accommodating our requests :-). Great Job!!!

Regards,
Raghu

     From: Raghu Prabhala <prabhalar at yahoo.com>
 To: Bill Burke <bburke at redhat.com>; "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org> 
 Sent: Monday, February 9, 2015 8:13 AM
 Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
   
I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.

     From: Bill Burke <bburke at redhat.com>
 To: keycloak-user at lists.jboss.org 
 Sent: Friday, February 6, 2015 10:21 AM
 Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
   
Keycloak won't be a kerberos server any time soon, if ever.  We are 
creating a SAML/OIDC to kerberos bridge though.

On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
> Unfortunately yes. Kerberos is deeply ingrained in most of our internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.
>
> If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need HTTP request) immediately by Keycloak. Perhaps I can handle both authentication with keytabs (for system accts) as well as SPNEGO for users.
>
> Sent from my iPhone
>
>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>
>>
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala" <prabhalar at yahoo.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>, "keycloak-user" <keycloak-user at lists.jboss.org>
>>> Sent: Friday, 30 January, 2015 2:44:14 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Great. Looking forward to the 1.2 Beta version.
>>> Regarding the system account support, from my perspective, it is very
>>> important because we have thousands of applications that interact with each
>>> other using system accounts (authentication with Kerberos with keytabs) and
>>> till we have that functionality, we will not be able to consider Keycloak as
>>> a SSO solution even though it is coming out to be a good product. The sooner
>>> we have it, the better. Hopefully, even other users will pitch in to request
>>> that functionality so that you can bump it up in your priority list.
>>> Thanks once again.
>>> Raghu
>>
>> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.
>>
>>>        From: Stian Thorgersen <stian at redhat.com>
>>> To: Raghu Prabhala <prabhalar at yahoo.com>
>>> Cc: keycloak dev <keycloak-dev at lists.jboss.org>; keycloak-user
>>> <keycloak-user at lists.jboss.org>
>>> Sent: Friday, January 30, 2015 2:10 AM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Raghu Prabhala" <prabhalar at yahoo.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>, "keycloak-user"
>>>> <keycloak-user at lists.jboss.org>
>>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>>
>>>> Congrats Keycloak team. A great deal of features in this release - really
>>>> like SAML and clustering.
>>>>
>>>> But what I am really looking for is the next release as we need all the
>>>> features you listed - any tentative dates for the beta version?
>>>
>>> We might do a beta soon, but that'll only include identity brokering. The
>>> other features will be at least a month away.
>>>
>>>>
>>>> The functionality provided so far seems to be targeted toward users
>>>> accounts.
>>>> When can we expect support for System accounts (with diff auth mechanisms
>>>> like certificates, Kerberos etc.)?
>>>
>>> Some time this year we aim to have system accounts with certificates, it'll
>>> depend on priorities. We don't have any plans to support Kerberos
>>> authentication with system accounts, but maybe that makes sense to add as
>>> well.
>>>
>>>
>>>
>>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>
>>>>> The Keycloak team is proud to announce the release of Keycloak
>>>>> 1.1.0.Final.
>>>>> Highlights in this release include:
>>>>>
>>>>> * SAML 2.0
>>>>> * Clustering
>>>>> * Jetty, Tomcat and Fuse adapters
>>>>> * HTTP Security Proxy
>>>>> * Automatic migration of db schema
>>>>>
>>>>> We’ve already started working on features for the next release. Some
>>>>> exciting features coming soon include:
>>>>>
>>>>> * Identity brokering
>>>>> * Custom user profiles
>>>>> * Kerberos
>>>>> * OpenID Connect interop
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

