[keycloak-user] When using an IdentityBroker

Stian Thorgersen stian at redhat.com
Tue Jul 21 02:33:02 EDT 2015



----- Original Message -----
> From: "Ed Hillmann" <ed.hillmann at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 21 July, 2015 2:13:12 AM
> Subject: Re: [keycloak-user] When using an IdentityBroker
> 
> Hi Stian.  Thanks very much for the clarification.  I think I better
> understand how the users are federated.
> 
> With respect to the following statement in the document (section 9.1) ...
> 
> When using Keycloak as an identity broker, users are not forced to provide
> > their credentials in order to authenticate in a specific realm.
> 
> Does that mean that users can be authenticated without providing a specific
> Realm?  I presume you still need to use a Realm to support role mapping,
> but can a federated, authenticated user be ported across Realms?
> 
> The context of my question is this:  I'm trying to get my head around
> multi-tenacy.  I am looking at the feasibility of having a single
> deployment of an application that supports multiple tenants, with the
> Identity Provider reliant on the user logging in.  So, users 1-10 are from
> Site A and want to use Identity Provider A, 11-20 are from Site B and want
> to use Identity Provider B.  Sites A & B have their own Realm, so roles can
> be defined as they want.  There's also a desire for a user to be able to
> have access to Sites A and B (not at the same time) with potentially
> different permissions/roles.  But, that's later down the track.
> 
> If the application can somehow handle associating a user with the sites
> they are allowed to access, then it could also manage the Realm to use
> (hopefully, using the Classes/Interfaces specified in the Multi-Tenancy
> section of the doco).  But, does that mean that the user would log in
> (authenticate) first and then pick which site (and thus which Realm) they
> want to view?  Can that initial authentication, when using an Identity
> Broker, take place without specifying a Realm?  Or is there a default Realm
> which is used first, with the subsequent tokens passed on to the other
> Realms accessed (if that's even a thing)?
> 
> Or, will we have select, up front, the Site (ie, Realm) they want to access
> before they work through the authentication workflow?
> 
> Sorry for the lengthy question.

Users (and all config) is within the scope of a single realm. So a user can only authenticate with one realm.

You can use identity brokering to let a user login with the credentials of another realm though. For example in your case a user on site A can login to site B if site a is configured as a identity provider on site b.

> 
> Thanks,
> 
> Ed
> 
> On Mon, Jul 20, 2015 at 3:32 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Ed Hillmann" <ed.hillmann at gmail.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 20 July, 2015 7:15:43 AM
> > > Subject: [keycloak-user] When using an IdentityBroker
> > >
> > > Hi, I'm going through the most recent doco, and I'm looking at the
> > > IdentityBroker section. So, having gone through the walkthrough, can
> > someone
> > > tell me if I'm on the right track.
> > >
> > > So, step #8 states that "Keycloak is going to check if the response from
> > the
> > > identity provider is valid. If valid, it will create an user or just skip
> > > that if the user already exists".
> > >
> > > Does that mean that KeyCloak will have a User, against which roles can be
> > > mapped? This will be a user that would be, for example, displayed in the
> > > admin console just like any locally-defined User?
> >
> > Yes
> >
> > >
> > > I'm trying to piece this all together, from where we can start assigning
> > > roles to these users whose authentication has been performed by an
> > external
> > > IdentityProvider.
> > >
> > > Following on from that, the user would continue to authenticate against
> > the
> > > Identity Provider? If they already exist, that's mentioned later on it
> > the
> > > same text where the accounts are linked?
> >
> > There's is no automatic linking of accounts. There's two scenarios
> > basically:
> >
> > * A user with same email address exists - in this case a error message is
> > displayed to the user and user would have to login to account management
> > and link to the identity provider from there
> > * The user has already logged-in with the identity provider - in this case
> > a user is already linked to the identity provider and the user is logged-in
> >
> > The same user can also authenticate with different methods. It's possible
> > to login to the same account with username/password as well as multiple
> > identity providers (linked through account management).
> >
> > With regards to setting up roles these can either be added through admin
> > console manually or added automatically either by using default roles or
> > using mappers.
> >
> > >
> > > If I've got this wrong, please let me know. :)
> > >
> > > Thanks for any help,
> > > Ed
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 


More information about the keycloak-user mailing list