[keycloak-user] Question re Keycloak conflicting password policies

Stian Thorgersen sthorger at redhat.com
Tue Apr 12 00:31:26 EDT 2016


A password policy per app makes no sense in an SSO solution. However, step-up
authentication does. For example, one app requires the user to be logged in
with password only, while another requires OTP as well. We're planning to
add the latter at some point.

On 11 April 2016 at 19:53, Guus der Kinderen <guus.der.kinderen at gmail.com>
wrote:

> I don't know the answer, but: would it be valid to have an SSO solution in
> the first place, when the applications have conflicting password policies?
>
> APP-A: You can't log in like that! I don't trust you, go away!
> APP-B: Sure, come on in!
> APP-A: Ah, I see you're a perfectly trusted user now!
>
>  - Guus
>
> On 11 April 2016 at 19:37, Richard Lavallee <rllavallee at hotmail.com>
> wrote:
>
>>
>> Does anyone know the answer to this?
>>
>> A Keycloak admin may want to enforce a specific password policy for one
>> APP but a different (and conflicting) password policy for another APP.
>>
>> E.g. the first policy requires one special character whereas the second policy
>> prohibits any special character. Is this supportable in Keycloak? I am
>> thinking that two realms could be defined to do this, but wouldn't that
>> defeat single sign-on across the realms? Any thoughts?
>>
>> -Richard
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
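A worked illustration of the two points made in this thread, added here as an example; it is not Keycloak's code and was not posted by anyone in the thread. The first half models a realm-wide password policy in Keycloak's `term(arg) and term(arg)` string style and shows why Richard's two policies can never both be met by one credential: `length`, `digits`, `specialChars` and `notUsername` are real Keycloak term names, while `noSpecialChars` is a hypothetical term invented for this example to stand for "prohibits any special character". The second half models Stian's alternative: one shared SSO session, a per-client required authentication level instead of a per-client password policy, and an access check that answers either "allow" or "step up with OTP". The client ids, the two levels and the user session are constructed for the example; as the reply says, Keycloak did not ship this step-up behaviour at the time of the thread.

```python
import re
from dataclasses import dataclass

# ---- Part 1: one password policy per realm --------------------------------
# Simplified model of Keycloak's policy string syntax, e.g.
# "length(8) and specialChars(1) and notUsername". The evaluation below is the
# example's own; only the term names length/digits/specialChars/notUsername
# mirror real Keycloak terms. "noSpecialChars" is hypothetical (constructed
# for this example) and stands for "prohibits any special character".

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

def parse_policy(spec):
    """Split a policy string into (term, numeric argument or None) pairs."""
    rules = []
    for part in spec.split(" and "):
        part = part.strip()
        m = re.fullmatch(r"(\w+)(?:\((\d+)\))?", part)
        if not m:
            raise ValueError(f"unrecognised policy term: {part!r}")
        rules.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return rules

def violations(password, spec, username=""):
    """Return the terms the password fails; an empty list means it is accepted."""
    failed = []
    for term, arg in parse_policy(spec):
        if term == "length" and len(password) < arg:
            failed.append(f"length({arg})")
        elif term == "digits" and sum(c.isdigit() for c in password) < arg:
            failed.append(f"digits({arg})")
        elif term == "specialChars" and sum(c in SPECIAL for c in password) < arg:
            failed.append(f"specialChars({arg})")
        elif term == "noSpecialChars" and any(c in SPECIAL for c in password):
            failed.append("noSpecialChars")
        elif term == "notUsername" and username and password.lower() == username.lower():
            failed.append("notUsername")
    return failed

def conflicting(spec_a, spec_b):
    """Static check for the thread's case: one policy demands at least one
    special character, the other forbids them, so no password satisfies both."""
    rules = parse_policy(spec_a) + parse_policy(spec_b)
    wants_special = any(t == "specialChars" and (a or 0) >= 1 for t, a in rules)
    forbids_special = any(t == "noSpecialChars" for t, _ in rules)
    return wants_special and forbids_special

# ---- Part 2: step-up authentication on top of one SSO session ------------
# Levels are cumulative sets of methods the user has completed in the session:
# level 1 = password only, level 2 = password plus OTP (constructed for the example).
LEVELS = [frozenset(), frozenset({"password"}), frozenset({"password", "otp"})]

# Per-client required level instead of a per-client password policy (constructed ids).
CLIENT_REQUIRED_LEVEL = {"app-a": 1, "app-b": 2}

@dataclass(frozen=True)
class Session:
    user: str
    methods: frozenset  # authentication methods completed in this SSO session

def current_level(session):
    """Highest level whose required methods are all present in the session."""
    return max(i for i, need in enumerate(LEVELS) if need <= session.methods)

def access_decision(session, client_id):
    """('allow', ()) when the session meets the client's level, otherwise
    ('step_up', missing_methods) naming what the user must still complete."""
    required = CLIENT_REQUIRED_LEVEL[client_id]
    if current_level(session) >= required:
        return ("allow", ())
    missing = tuple(sorted(LEVELS[required] - session.methods))
    return ("step_up", missing)

def step_up(session, method):
    """Same user, same SSO session, one more completed method (a higher level)."""
    return Session(session.user, session.methods | {method})

if __name__ == "__main__":
    policy_a = "length(8) and specialChars(1)"
    policy_b = "length(8) and noSpecialChars"
    print("policies conflict:", conflicting(policy_a, policy_b))
    print("'Secret1!' against A:", violations("Secret1!", policy_a))
    print("'Secret1!' against B:", violations("Secret1!", policy_b))
    s = Session("alice", frozenset({"password"}))
    print("app-a:", access_decision(s, "app-a"))
    print("app-b:", access_decision(s, "app-b"))
    print("app-b after OTP:", access_decision(step_up(s, "otp"), "app-b"))
```

Running the block shows the two halves of the argument: `conflicting` reports that no password can pass both policies, and `access_decision` lets the same password-only session into `app-a` while telling `app-b` that OTP is still missing, which the session then satisfies without a second login.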