[keycloak-user] Integration in a federation of identity provider liek shibolleth

Stian Thorgersen sthorger at redhat.com
Wed Oct 21 03:13:46 EDT 2015

One flow that I've considered would be:

1. Ask for email only
2. Lookup user, if user is found and has link to IdP redirect directly to
3. Go through list of IdPs - each IdP would have a email domain associated
with it. If one matches the provided email redirect to IdP
4. If neither 2 or 3 matches then display ask for password. As we know the
user know we can also ask for OTP on the same page if user has OTP enabled

Is that a flow that would work for you?

On 21 October 2015 at 09:06, Jérôme Blanchard <jayblanc at gmail.com> wrote:

> Hi Stian,
> Thanks a lot for your precisions which will help me a lot. I have already
> develop a theme in an earlier version and I had completely forgot that it
> would do the trick, great idea.
> I will also investigate the idea of implementing an authenticator in order
> to add a cookie remembering the last used IdP because I also need the
> classic login for some users.
> Best Regards, Jérôme.
> Le mer. 21 oct. 2015 à 08:34, Stian Thorgersen <sthorger at redhat.com> a
> écrit :
>> There's no limit with the buttons, although it would become unusable. You
>> can change this by creating your own theme though and use a drop down or
>> whatever you'd like.
>> Another idea is something we've discussed before which is to register
>> certain email domains with a specific IdP. For example <user>@corp.com
>> is automatically redirected to idp.corp.com. With the new authenticator
>> SPI you could create this flow yourself and remove the password field from
>> the initial screen.
>> You may end up wanting to implement an authenticator for this in either
>> case so you can add a cookie to remember the last used IdP.
>> When you use identity brokering in Keycloak, Keycloak becomes the
>> "Service Provider" in the external IdP, not the individual clients. So only
>> the Keycloak server has to be registered with the external IdP.
>> On 20 October 2015 at 17:33, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>> Hi all,
>>> I'm trying to integrate keycloak in a federation of indentities
>>> (shibolleth) using the SAMLv2 Identity Provider. The problem is that the
>>> federation count something like 100 Identity Providers and I'm afraid of
>>> the L&F of the GUI as for now, adding 3 of them is creating a button for
>>> each. Is there is a limit or something that creates a drop down menu ?
>>> (like this list https://discovery.renater.fr/renater)
>>> <https://discovery.renater.fr/renater/?entityID=https%3A%2F%2Fsaga.renater.fr%2F&return=https%3A%2F%2Fsaga.renater.fr%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26passwd%3DhT6oU5$.%21%26submit_saga%3DConnexion%26%26target%3Dss%253Amem%253Aa66aa537777acf60e05706949b588b203be0a12e>
>>> The goal for me is to create a kind of parser for this idps list :
>>> http://federation.renater.fr/renater/idps-renater-metadata.xml
>>> in order to parse this list and maintain my IDPs in keycloak up to date.
>>> Another question is : is each client in keycloak has to be declared as a
>>> Service Provider or only the keycloak server ?
>>> If you have any feedback for shibolleth federation integration using
>>> keycloak I'll be very glad to share them.
>>> Thanks a lot, Best Regards, Jérôme.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151021/64988e3c/attachment.html 

More information about the keycloak-user mailing list