[keycloak-user] Integration in a federation of identity providers like Shibboleth
sthorger at redhat.com
Wed Oct 21 03:13:46 EDT 2015
One flow that I've considered would be:
1. Ask for email only
2. Lookup user, if user is found and has link to IdP redirect directly to
3. Go through list of IdPs - each IdP would have a email domain associated
with it. If one matches the provided email redirect to IdP
4. If neither 2 nor 3 matches then ask for the password. As we now know the
user we can also ask for OTP on the same page if the user has OTP enabled
Is that a flow that would work for you?
On 21 October 2015 at 09:06, Jérôme Blanchard <jayblanc at gmail.com> wrote:
> Hi Stian,
> Thanks a lot for your clarifications which will help me a lot. I have already
> developed a theme in an earlier version and I had completely forgotten that it
> would do the trick, great idea.
> I will also investigate the idea of implementing an authenticator in order
> to add a cookie remembering the last used IdP because I also need the
> classic login for some users.
> Best Regards, Jérôme.
> On Wed, 21 Oct 2015 at 08:34, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>> There's no limit with the buttons, although it would become unusable. You
>> can change this by creating your own theme though and use a drop down or
>> whatever you'd like.
>> Another idea is something we've discussed before which is to register
>> certain email domains with a specific IdP. For example <user>@corp.com
>> is automatically redirected to idp.corp.com. With the new authenticator
>> SPI you could create this flow yourself and remove the password field from
>> the initial screen.
>> You may end up wanting to implement an authenticator for this in either
>> case so you can add a cookie to remember the last used IdP.
>> When you use identity brokering in Keycloak, Keycloak becomes the
>> "Service Provider" in the external IdP, not the individual clients. So only
>> the Keycloak server has to be registered with the external IdP.
>> On 20 October 2015 at 17:33, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>> Hi all,
>>> I'm trying to integrate keycloak in a federation of identities
>>> (Shibboleth) using the SAMLv2 Identity Provider. The problem is that the
>>> federation counts something like 100 Identity Providers and I'm afraid of
>>> the L&F of the GUI as, for now, adding 3 of them creates a button for
>>> each. Is there a limit or something that creates a drop down menu?
>>> (like this list https://discovery.renater.fr/renater)
>>> The goal for me is to create a kind of parser for this idps list:
>>> in order to parse this list and maintain my IDPs in keycloak up to date.
>>> Another question is: does each client in keycloak have to be declared as a
>>> Service Provider, or only the keycloak server?
>>> If you have any feedback on Shibboleth federation integration using
>>> keycloak I'll be very glad to share it.
>>> Thanks a lot, Best Regards, Jérôme.
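The four-step email-first flow Stian sketches at the top of this mail, written out as an added example authenticator; it is neither Keycloak project code nor code from anyone in this thread. It assumes the Keycloak authenticator SPI and model API as they were in 2015 (getUserByEmail, getFederatedIdentities and getIdentityProviders have since changed shape), an assumed per-IdP config key emailDomain, an assumed theme template login-email.ftl with one email field, and an assumed broker login URL; the password and OTP prompts are left to the executions that follow it in the flow.

```java
import java.net.URI;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.*;

public class EmailFirstAuthenticator implements Authenticator {
    // Assumed: each IdP keeps its mail domain in its config map under DOMAIN_KEY, and the
    // login theme provides a template "login-email.ftl" with a single "email" field.
    static final String DOMAIN_KEY = "emailDomain";
    static final String FORM = "login-email.ftl";
    @Override public void authenticate(AuthenticationFlowContext ctx) {
        ctx.challenge(ctx.form().createForm(FORM)); // step 1: ask for the email address only
    }
    @Override public void action(AuthenticationFlowContext ctx) {
        String email = ctx.getHttpRequest().getDecodedFormParameters().getFirst("email");
        int at = email == null ? -1 : email.lastIndexOf('@');
        if (at < 1 || at == email.length() - 1) { // no local part or no domain: ask again
            ctx.challenge(ctx.form().setError("invalidEmailMessage").createForm(FORM)); return;
        }
        RealmModel realm = ctx.getRealm();
        UserProvider users = ctx.getSession().users();
        // Step 2: a known user that is already linked to an IdP is sent straight there.
        UserModel user = users.getUserByEmail(email, realm);
        if (user != null) {
            for (FederatedIdentityModel link : users.getFederatedIdentities(user, realm)) {
                ctx.challenge(redirectToIdp(ctx, link.getIdentityProviderId())); return;
            }
        }
        // Step 3: match the mail domain against each IdP's registered domain. Compare the whole
        // domain, never a suffix, so unrelated domains that merely end in it are not accepted.
        String domain = email.substring(at + 1);
        for (IdentityProviderModel idp : realm.getIdentityProviders()) {
            if (domain.equalsIgnoreCase(idp.getConfig().get(DOMAIN_KEY))) {
                ctx.challenge(redirectToIdp(ctx, idp.getAlias())); return;
            }
        }
        // Step 4: local account; the password and OTP executions that follow need the user set.
        // Failing on an unknown address reveals it; call success() instead if that matters.
        if (user == null) { ctx.failure(AuthenticationFlowError.INVALID_USER); return; }
        ctx.setUser(user);
        ctx.success();
    }
    // Assumed broker login URL; which query parameters it needs (client id, code) is version-specific.
    private static Response redirectToIdp(AuthenticationFlowContext ctx, String alias) {
        URI target = ctx.getUriInfo().getBaseUriBuilder()
                .path("realms/{realm}/broker/{alias}/login").build(ctx.getRealm().getName(), alias);
        return Response.seeOther(target).build();
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Register it through an AuthenticatorFactory, put it first in a copy of the browser flow, and follow it with the password and OTP executions; the cookie remembering the last used IdP that Jérôme mentions would be read in authenticate() before step 1.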