[keycloak-user] authentication level / chaining realms
Bill Burke
bburke at redhat.com
Thu Jul 9 09:08:44 EDT 2015
There's no way to do this right now. This one is actually on the
roadmap though.
On 7/9/2015 6:58 AM, Steve Favez wrote:
> Hi keycloak's experts,
>
> I'm wondering if it's possible to chain realm's invocation in keycloak
> (and also, if it's a good practice or not).
>
> The use case is the following :
>
> Keycloak is used as an SSO identity server for a set of
> application with different security policies, but for the same users.
> (so, same user directory).
>
> o some applications require only "user / password" authentication.
> o some applications require a second authentication factor. (for
> example sms, or any other systems).
>
> My idea was the following :
>
> o we've a first realm - let's name it "simple realm", that require
> only user / password
> o we've a second realm - let's name it "2fa realm" that require a
> token from "simple realm" and the second authentication factor.
> o If I connect to an application secured by the "2fa realm", my
> application will redirect to the "2fa realm", then, as it can't
> found any simple token, the realm dispatch the invocation to the
> "simple realm", and then ask for the second authentication factor.
>
> So, a user authenticated against the "2fa realm" get two tokens : the
> simple realm token and the 2FA token.
>
> Thanks in advance for your valuable comments , ideas or critics.
>
> Best regards.
>
>
> Steve
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list