[keycloak-user] When using an IdentityBroker

Ed Hillmann ed.hillmann at gmail.com
Mon Jul 20 20:13:12 EDT 2015


Hi Stian.  Thanks very much for the clarification.  I think I better
understand how the users are federated.

With respect to the following statement in the document (section 9.1) ...

> When using Keycloak as an identity broker, users are not forced to provide
> their credentials in order to authenticate in a specific realm.

Does that mean that users can be authenticated without providing a specific
Realm?  I presume you still need to use a Realm to support role mapping,
but can a federated, authenticated user be ported across Realms?

The context of my question is this:  I'm trying to get my head around
multi-tenancy.  I am looking at the feasibility of having a single
deployment of an application that supports multiple tenants, with the
Identity Provider reliant on the user logging in.  So, users 1-10 are from
Site A and want to use Identity Provider A, 11-20 are from Site B and want
to use Identity Provider B.  Sites A & B have their own Realm, so roles can
be defined as they want.  There's also a desire for a user to be able to
have access to Sites A and B (not at the same time) with potentially
different permissions/roles.  But, that's later down the track.

If the application can somehow handle associating a user with the sites
they are allowed to access, then it could also manage the Realm to use
(hopefully, using the Classes/Interfaces specified in the Multi-Tenancy
section of the doco).  But, does that mean that the user would log in
(authenticate) first and then pick which site (and thus which Realm) they
want to view?  Can that initial authentication, when using an Identity
Broker, take place without specifying a Realm?  Or is there a default Realm
which is used first, with the subsequent tokens passed on to the other
Realms accessed (if that's even a thing)?

Or, will we have to select, up front, the Site (ie, Realm) they want to access
before they work through the authentication workflow?

Sorry for the lengthy question.

Thanks,

Ed

On Mon, Jul 20, 2015 at 3:32 PM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Ed Hillmann" <ed.hillmann at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 20 July, 2015 7:15:43 AM
> > Subject: [keycloak-user] When using an IdentityBroker
> >
> > Hi, I'm going through the most recent doco, and I'm looking at the
> > IdentityBroker section. So, having gone through the walkthrough, can
> > someone tell me if I'm on the right track.
> >
> > So, step #8 states that "Keycloak is going to check if the response from
> > the identity provider is valid. If valid, it will create a user or just
> > skip that if the user already exists".
> >
> > Does that mean that KeyCloak will have a User, against which roles can be
> > mapped? This will be a user that would be, for example, displayed in the
> > admin console just like any locally-defined User?
>
> Yes
>
> >
> > I'm trying to piece this all together, from where we can start assigning
> > roles to these users whose authentication has been performed by an
> > external IdentityProvider.
> >
> > Following on from that, the user would continue to authenticate against
> > the Identity Provider? If they already exist, that's mentioned later on in
> > the same text where the accounts are linked?
>
> There is no automatic linking of accounts. There are two scenarios,
> basically:
>
> * A user with the same email address exists - in this case an error message is
> displayed to the user, and the user would have to log in to account management
> and link to the identity provider from there
> * The user has already logged-in with the identity provider - in this case
> a user is already linked to the identity provider and the user is logged-in
>
> The same user can also authenticate with different methods. It's possible
> to login to the same account with username/password as well as multiple
> identity providers (linked through account management).
>
> With regards to setting up roles, these can either be added through the admin
> console manually or added automatically, either by using default roles or
> using mappers.
>
> >
> > If I've got this wrong, please let me know. :)
> >
> > Thanks for any help,
> > Ed
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
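The "Classes/Interfaces specified in the Multi-Tenancy section" that Ed refers to are the adapter's `KeycloakConfigResolver`, which lets one application deployment pick a realm per request, so the Site (and thus the Realm) is chosen before the authentication workflow starts rather than after it. The following is an added illustration, not code from the thread or from the Keycloak project: it assumes a servlet application where each tenant's pages live under `/tenants/{tenant}/...`, one adapter config file per tenant on the classpath (e.g. `site-a-keycloak.json`, `site-b-keycloak.json`, each naming its own realm), and the adapter class layout of the Keycloak 1.x-era Java adapters (`org.keycloak.adapters.spi.HttpFacade`; older adapters had `HttpFacade` directly under `org.keycloak.adapters`).

```java
import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Chooses the Keycloak realm (deployment) for a request from the tenant
 * segment of the URL path. Example code; the path layout and the
 * "{tenant}-keycloak.json" file naming are assumptions of this example.
 */
public class TenantRealmResolver implements KeycloakConfigResolver {

    // Only accept tenant names we are prepared to serve: a strict allow-list
    // pattern keeps the path segment from being used to reach arbitrary
    // classpath resources (e.g. via "../" or absolute-looking names).
    private static final Pattern TENANT_PATH = Pattern.compile("^/tenants/([a-z0-9-]{1,32})(/.*)?$");

    // One parsed deployment per tenant; KeycloakDeploymentBuilder parsing is
    // not something to repeat on every request.
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String tenant = tenantFromPath(request.getRelativePath());
        if (tenant == null) {
            // No tenant in the URL: refuse rather than silently fall back to
            // some "default" realm the user never chose.
            throw new IllegalStateException("Request path does not identify a tenant");
        }
        return deployments.computeIfAbsent(tenant, this::loadDeployment);
    }

    /** Extracts the tenant id from "/tenants/{tenant}/..." or returns null. */
    static String tenantFromPath(String relativePath) {
        if (relativePath == null) {
            return null;
        }
        Matcher m = TENANT_PATH.matcher(relativePath);
        return m.matches() ? m.group(1) : null;
    }

    /** Loads the adapter config for one tenant; each file names its own realm. */
    private KeycloakDeployment loadDeployment(String tenant) {
        InputStream config = getClass().getResourceAsStream("/" + tenant + "-keycloak.json");
        if (config == null) {
            throw new IllegalStateException("No adapter configuration for tenant " + tenant);
        }
        return KeycloakDeploymentBuilder.build(config);
    }
}
```

The resolver is registered through the adapter's `keycloak.config.resolver` context parameter in `web.xml`, set to this class's fully qualified name. Because each deployment points at its own realm, a user reaching `/tenants/site-a/...` is sent through Site A's realm (and whichever identity provider is brokered there), and the resulting tokens carry that realm as issuer and are signed with that realm's keys; they are not accepted by the Site B deployment, which answers Ed's question about tokens being "passed on to the other Realms". Letting the same person use both sites therefore means a user record (and role assignments) in each realm, even when both are brokered from the same external identity provider.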