[keycloak-user] Technical Guidance

Dana Danet Dana.Danet at Evisions.com
Wed Dec 21 20:27:24 EST 2016


Thank you for responding, and I apologize if my question was misleading; let me try again.

My requirement is to support an SSO IdM/IdP for customers without their own system, ideally in a multi-tenant way, and to support SSO for customers that have on-premise SSO implementations, most of which are InCommon.

We have decided to implement Ping as an SP to handshake with the on-premise (InCommon) customers, since these integration points could be more than just InCommon.  My thought is that Ping will accept the authN, translate the properties to a grant (SAML2) and forward to Keycloak to create the JWT.  I attached an image reflecting this below.

My question is how I would register within Keycloak that AuthN would be handled by Ping, and have Keycloak create the JWT.



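The brokering setup being asked about, as an added example that is not part of this thread or of any project's own code: a Keycloak realm-import fragment that registers Ping as a SAML 2.0 identity provider of the realm and maps the attributes Ping releases onto the Keycloak user. The alias, host, certificate and attribute names are placeholders to be replaced with the values from Ping's metadata.

```json
{
  "identityProviders": [
    {
      "alias": "ping",
      "displayName": "Ping (InCommon customers)",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "singleSignOnServiceUrl": "https://PING_HOST_PLACEHOLDER/idp/SSO.saml2",
        "singleLogoutServiceUrl": "https://PING_HOST_PLACEHOLDER/idp/SLO.saml2",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "postBindingAuthnRequest": "true",
        "postBindingResponse": "true",
        "wantAuthnRequestsSigned": "true",
        "wantAssertionsSigned": "true",
        "validateSignature": "true",
        "signingCertificate": "PING_SIGNING_CERT_BASE64_PLACEHOLDER",
        "forceAuthn": "false"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "ping-email",
      "identityProviderAlias": "ping",
      "identityProviderMapper": "saml-user-attribute-idp-mapper",
      "config": { "attribute.name": "mail", "user.attribute": "email" }
    },
    {
      "name": "ping-eppn",
      "identityProviderAlias": "ping",
      "identityProviderMapper": "saml-user-attribute-idp-mapper",
      "config": { "attribute.name": "eduPersonPrincipalName", "user.attribute": "eppn" }
    }
  ]
}
```

With this in place a client of the realm can add kc_idp_hint=ping to its login request to be sent straight to Ping, while the JWT the client receives is still issued and signed by Keycloak. Keep validateSignature on and signingCertificate populated, since that is the check that rejects an unsigned or forged SAML response before any Keycloak session or token is created.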

On Dec 15, 2016, at 11:41 PM, Stian Thorgersen <sthorger at redhat.com> wrote:

Not quite sure what you're asking here as there seems to be 3 IdPs? Customer IdP, Ping and Keycloak?

On 14 December 2016 at 17:25, Dana Danet <Dana.Danet at evisions.com> wrote:
I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and OAuth manager of JWT tokens.  Front end clients are implementing the JavaScript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not the Boot adapter).  Our Service Gateway (Zuul) simply passes the token to backend services.

My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation, which would look something like
  (Customer on-premise AuthN) —> Ping —> Keycloak.  Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon.  Initially I was thinking that the IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak.

Is this possible?  I would appreciate some guidance here.

-dana




_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
