[keycloak-user] authentication level / chaining realms

Bill Burke bburke at redhat.com
Thu Jul 9 09:08:44 EDT 2015


There's no way to do this right now.  This one is actually on the 
roadmap though.

On 7/9/2015 6:58 AM, Steve Favez wrote:
> Hi keycloak's experts,
>
> I'm wondering if it's possible to chain realm invocations in keycloak
> (and also, whether it's good practice or not).
>
> The use case is the following:
>
>       Keycloak is used as an SSO identity server for a set of
> applications with different security policies, but for the same users
> (so, same user directory).
>
>       o some applications require only "user / password" authentication.
>       o some applications require a second authentication factor (for
>         example SMS, or any other system).
>
>       My idea was the following:
>
>       o we've a first realm - let's name it "simple realm" - that requires
>         only user / password
>       o we've a second realm - let's name it "2fa realm" - that requires a
>         token from "simple realm" and the second authentication factor.
>       o If I connect to an application secured by the "2fa realm", my
>         application will redirect to the "2fa realm"; then, as it can't
>         find any simple token, the realm dispatches the invocation to the
>         "simple realm", and then asks for the second authentication factor.
>
> So, a user authenticated against the "2fa realm" gets two tokens: the
> simple realm token and the 2FA token.
>
> Thanks in advance for your valuable comments, ideas or criticism.
>
> Best regards.
>
>
> Steve
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
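To make the proposed design concrete, here is an added example that models the two-tier flow Steve describes: a "simple realm" that issues a level-1 token after a password check, a "2fa realm" that only issues a level-2 token when handed a valid simple-realm token plus a second factor, and an application-side policy check that requires a given level. This is an illustrative model written for this thread, not Keycloak code or a Keycloak feature (Bill's reply above says Keycloak cannot chain realms this way); the realm keys, the user store, the OTP value and the `level` claim are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secrets for the two hypothetical realms (assumption:
# each realm signs its own tokens; nothing here is Keycloak configuration).
REALM_KEYS = {
    "simple realm": b"constructed-simple-realm-key",
    "2fa realm": b"constructed-2fa-realm-key",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(realm: str, subject: str, level: int, ttl: int = 300) -> str:
    """Mint a compact HMAC-signed token carrying an authentication level claim."""
    claims = {"iss": realm, "sub": subject, "level": level,
              "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(REALM_KEYS[realm], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, expected_realm: str) -> Optional[dict]:
    """Return the claims only if expected_realm signed the token and it is unexpired."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(REALM_KEYS[expected_realm], payload.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != expected_realm or claims.get("exp", 0) < time.time():
        return None
    return claims


def simple_realm_login(username: str, password: str) -> Optional[str]:
    """'simple realm': password check against a constructed user store."""
    users = {"steve": "correct horse"}  # constructed sample credential
    if users.get(username) != password:
        return None
    return issue_token("simple realm", username, level=1)


def twofa_realm_login(simple_token: str, otp: str) -> Optional[str]:
    """'2fa realm': requires a valid simple-realm token plus a second factor."""
    claims = verify_token(simple_token, "simple realm")
    if claims is None or claims["level"] < 1:
        return None
    if otp != "123456":  # constructed stand-in for SMS/TOTP verification
        return None
    # The second token is bound to the same subject the first realm vouched for.
    return issue_token("2fa realm", claims["sub"], level=2)


def app_allows(token: str, required_level: int) -> bool:
    """Resource-side policy: the right realm must have signed, at a sufficient level."""
    realm = "2fa realm" if required_level >= 2 else "simple realm"
    claims = verify_token(token, realm)
    return claims is not None and claims["level"] >= required_level


if __name__ == "__main__":
    t1 = simple_realm_login("steve", "correct horse")
    t2 = twofa_realm_login(t1, "123456")
    print("simple token accepted by level-1 app:", app_allows(t1, 1))
    print("simple token accepted by level-2 app:", app_allows(t1, 2))
    print("2fa token accepted by level-2 app:", app_allows(t2, 2))
```

The point the model makes is that the level-2 application never trusts the simple-realm token on its own: it checks the signing realm and the level claim, so the second factor cannot be skipped by presenting the first token to the stricter application.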

