[keycloak-user] Integration in a federation of identity providers like Shibboleth

Jérôme Blanchard jayblanc at gmail.com
Wed Oct 21 03:06:42 EDT 2015


Hi Stian,

Thanks a lot for your clarifications, which will help me a lot. I have already
developed a theme in an earlier version and I had completely forgotten that it
would do the trick, great idea.
I will also investigate the idea of implementing an authenticator in order
to add a cookie remembering the last used IdP, because I also need the
classic login for some users.

Best Regards, Jérôme.

On Wed, 21 Oct 2015 at 08:34, Stian Thorgersen <sthorger at redhat.com>
wrote:

> There's no limit with the buttons, although it would become unusable. You
> can change this by creating your own theme, though, and using a drop-down or
> whatever you'd like.
>
> Another idea is something we've discussed before which is to register
> certain email domains with a specific IdP. For example <user>@corp.com is
> automatically redirected to idp.corp.com. With the new authenticator SPI
> you could create this flow yourself and remove the password field from the
> initial screen.
>
> You may end up wanting to implement an authenticator for this in either
> case so you can add a cookie to remember the last used IdP.
>
> When you use identity brokering in Keycloak, Keycloak becomes the "Service
> Provider" in the external IdP, not the individual clients. So only the
> Keycloak server has to be registered with the external IdP.
>
> On 20 October 2015 at 17:33, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>
>> Hi all,
>>
>> I'm trying to integrate Keycloak in a federation of identities
>> (Shibboleth) using the SAMLv2 Identity Provider. The problem is that the
>> federation counts something like 100 Identity Providers and I'm afraid of
>> the L&F of the GUI as, for now, adding 3 of them creates a button for
>> each. Is there a limit or something that creates a drop-down menu?
>> (like this list https://discovery.renater.fr/renater)
>> The goal for me is to create a kind of parser for this IdP list:
>> http://federation.renater.fr/renater/idps-renater-metadata.xml
>> in order to parse this list and keep my IdPs in Keycloak up to date.
>>
>> Another question is: does each client in Keycloak have to be declared as a
>> Service Provider, or only the Keycloak server?
>>
>> If you have any feedback on Shibboleth federation integration using
>> Keycloak, I'll be very glad if you share it.
>>
>> Thanks a lot, Best Regards, Jérôme.
>>
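The two technical threads above, parsing the federation's IdP metadata aggregate to keep the Keycloak identity providers up to date, and routing a user to one IdP by a remembered cookie value or by e-mail domain, are worked through below in an added example. This is not code from the thread, from RENATER or from Keycloak; all names in it (`IdP`, `parse_idps`, `plan_sync`, `choose_idp`) and the metadata sample are constructed for this example, and it assumes the aggregate's XML signature has already been verified against the federation's pinned signing key before it is fed to the parser. How the parsed fields are written into Keycloak (admin console or REST API) is left to the reader's version.

```python
"""Added example (not from the thread, not Keycloak code): parse a SAML 2.0
metadata aggregate into the fields a Keycloak SAML identity-provider entry needs,
diff it against what is registered, and route a login by alias or e-mail domain."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

@dataclass
class IdP:
    alias: str          # URL-safe name for the identity-provider entry in Keycloak
    entity_id: str
    display_name: str   # label for a drop-down / discovery page
    sso_url: str
    binding: str
    signing_certs: list = field(default_factory=list)  # base64 DER, no PEM armour

def _alias(entity_id: str) -> str:
    # The alias ends up in redirect URIs, so derive it from the entityID host only.
    host = re.sub(r"^[a-z]+://", "", entity_id.lower()).split("/")[0]
    return re.sub(r"[^a-z0-9]+", "-", host).strip("-")

def _display_name(ed, desc, entity_id):
    names = desc.findall("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    names += ed.findall("md:Organization/md:OrganizationDisplayName", NS)
    for lang in ("en", None):  # prefer an English label, else the first one present
        for n in names:
            if lang is None or n.get(XML_LANG) == lang:
                return (n.text or "").strip() or entity_id
    return entity_id

def parse_idps(xml_text: str, now: datetime = None) -> list:
    """One IdP per IDPSSODescriptor with a usable SSO endpoint and a signing cert.
    Assumes the XML signature was verified upstream; validUntil is enforced here."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry < (now or datetime.now(timezone.utc)):
            raise ValueError(f"metadata expired at {valid_until}; refusing to sync")
    idps = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        desc = ed.find("md:IDPSSODescriptor", NS)
        if desc is None:
            continue  # SPs and attribute authorities are not login targets
        services = desc.findall("md:SingleSignOnService", NS)
        sso = next((s for b in (HTTP_REDIRECT, HTTP_POST) for s in services
                    if s.get("Binding") == b), None)
        certs = ["".join((c.text or "").split())
                 for kd in desc.findall("md:KeyDescriptor", NS)
                 if kd.get("use") in (None, "signing")  # no 'use' means both
                 for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
        if sso is None or not certs:
            continue  # cannot send an AuthnRequest or validate a Response: skip it
        eid = ed.get("entityID")
        idps.append(IdP(_alias(eid), eid, _display_name(ed, desc, eid),
                        sso.get("Location"), sso.get("Binding"), certs))
    return idps

def plan_sync(registered: dict, fresh: list) -> dict:
    """Diff alias->IdP already registered in Keycloak against a fresh parse."""
    new = {i.alias: i for i in fresh}
    key = lambda i: (i.sso_url, i.signing_certs)
    return {"add": sorted(new.keys() - registered.keys()),
            "remove": sorted(registered.keys() - new.keys()),
            "update": sorted(a for a in new.keys() & registered.keys()
                             if key(new[a]) != key(registered[a]))}

def choose_idp(email: str, idps: list, domain_map: dict, last_used: str = None):
    """Remembered alias (cookie value) wins only if it names a known IdP, then
    the e-mail domain; None means show the classic username/password form."""
    by_alias = {i.alias: i for i in idps}
    if last_used in by_alias:
        return by_alias[last_used]
    domain = email.rsplit("@", 1)[1].strip().lower() if "@" in email else ""
    return by_alias.get(domain_map.get(domain))

# Constructed aggregate: one IdP (two bindings, fr+en labels) and one SP to skip.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 validUntil="2099-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp.univ-a.example/idp/shibboleth"><md:IDPSSODescriptor>
  <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="fr">Université A</mdui:DisplayName>
   <mdui:DisplayName xml:lang="en">University A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   CONSTRUCTED SAMPLECERT </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.univ-a.example/idp/profile/SAML2/POST/SSO"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.univ-a.example/idp/profile/SAML2/Redirect/SSO"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Two points of design are worth noting. The "last used IdP" cookie is treated as a hint only: its value is looked up in the list parsed from the federation metadata, so a tampered or stale cookie cannot redirect a login to an entity the realm does not know. And an entity without a signing certificate is dropped rather than registered, since Keycloak could not validate its SAML responses anyway; the same holds for an expired aggregate, which should never drive an add/remove/update run.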