[keycloak-user] Technical Guidance

Stian Thorgersen sthorger at redhat.com
Thu Dec 22 01:32:37 EST 2016


Why not just register the customer IdPs directly with Keycloak using
identity brokering?

On 22 December 2016 at 02:27, Dana Danet <Dana.Danet at evisions.com> wrote:

> Thank you for responding and I apologize if my question was misleading,
> let me try again.
>
> My requirement is to support an SSO IdM/IdP for customers without their own
> system, ideally in a multi-tenant way, and to support SSO for customers
> that have on-premise SSO implementations, most of which are InCommon.
>
> We have decided to implement Ping as an SP to handshake with the on-premise
> (InCommon) customers, since these integration points could be more than
> just InCommon.  My thought is that Ping will accept the AuthN, translate
> the properties to a grant (SAML2) and forward to Keycloak to create the
> JWT.  I attached an image reflecting this below.
>
> My question is how I would register within Keycloak that AuthN would be
> handled by Ping, and create a JWT.
>
> On Dec 15, 2016, at 11:41 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> Not quite sure what you're asking here as there seems to be 3 IdPs?
> Customer IdP, Ping and Keycloak?
>
> On 14 December 2016 at 17:25, Dana Danet <Dana.Danet at evisions.com> wrote:
>
>> I just recently introduced KC to a Spring Cloud micro-service environment
>> as the IDM and OAuth manager of JWT tokens.  Front end clients are
>> implementing the JavaScript adapter and backend Spring Boot services are
>> implemented with the Spring Security adapter (not the Boot adapter).  Our
>> Service Gateway (Zuul) simply passes the token to backend services.
>>
>> My question is regarding offloading AuthN and IDP to external
>> systems and then brokering to Keycloak for JWT creation.  Which would look
>> something like
>>   (Customer on-premise AuthN) —> Ping —> Keycloak.  Ping has been
>> introduced purely as an SP to handle customers' implementations of
>> Shibboleth and InCommon.  Initially I was thinking that IDP - Ping SP
>> mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>>
>> Is this possible?  I would appreciate some guidance here.
>>
>> -dana
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
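Stian's suggestion above is to skip the extra hop and register each customer IdP in Keycloak directly as a brokered SAML identity provider. The following is an added example, not code from the thread or from the Keycloak project: it builds the JSON representation the admin REST API takes for a SAML identity provider (the body one would POST to `/admin/realms/{realm}/identity-provider/instances`, which is what `kcadm.sh create identity-provider/instances` sends) and then checks that the settings a reviewer cares about are in place before the broker goes live. The partner URL, alias and certificate are constructed placeholders, and the config keys are the documented SAML identity-provider settings; Keycloak stores every config value as a string, hence `"true"`/`"false"`.

```python
"""Build and sanity-check a Keycloak SAML identity-provider representation.

Added example, not Keycloak project code. Assumes the shape of the admin REST
body for POST /admin/realms/{realm}/identity-provider/instances and the
documented SAML IdP config keys. Partner values below are constructed.
"""
import json
from typing import Dict, List

# Constructed placeholder; a real deployment pastes the partner IdP's
# base64-encoded signing certificate here (from its SAML metadata).
PLACEHOLDER_SIGNING_CERT = "MIIC...PLACEHOLDER...IDAQAB"


def saml_idp_representation(alias: str, display_name: str, sso_url: str,
                            signing_cert: str, *, validate_signature: bool = True,
                            sign_authn_requests: bool = True) -> Dict:
    """Return the JSON body Keycloak expects when registering a brokered SAML IdP."""
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "saml",
        "enabled": True,
        "trustEmail": False,   # do not treat the partner's email attribute as verified
        "storeToken": False,   # no need to keep the assertion once the session exists
        "config": {
            "singleSignOnServiceUrl": sso_url,
            "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "postBindingResponse": "true",
            "postBindingAuthnRequest": "true",
            "signatureAlgorithm": "RSA_SHA256",
            "wantAuthnRequestsSigned": str(sign_authn_requests).lower(),
            "validateSignature": str(validate_signature).lower(),
            "signingCertificate": signing_cert,
        },
    }


def hardening_findings(rep: Dict) -> List[str]:
    """Flag broker settings that would let an unsigned or untrusted assertion through."""
    cfg = rep.get("config", {})
    findings: List[str] = []
    if rep.get("providerId") != "saml":
        findings.append("providerId is not 'saml'")
    if not str(cfg.get("singleSignOnServiceUrl", "")).startswith("https://"):
        findings.append("singleSignOnServiceUrl is not https")
    if cfg.get("validateSignature") != "true":
        findings.append("validateSignature is off: assertion signatures are not checked")
    elif not cfg.get("signingCertificate"):
        findings.append("validateSignature is on but no signingCertificate is pinned")
    if cfg.get("wantAuthnRequestsSigned") != "true":
        findings.append("AuthnRequests sent to the partner are unsigned")
    if rep.get("trustEmail"):
        findings.append("trustEmail is on: brokered email is treated as verified")
    return findings


if __name__ == "__main__":
    # Constructed partner; the alias is what Keycloak shows on its login page.
    rep = saml_idp_representation("partner-incommon", "Partner University",
                                  "https://idp.partner.example/idp/profile/SAML2/POST/SSO",
                                  PLACEHOLDER_SIGNING_CERT)
    print(json.dumps(rep, indent=2))
    print("findings:", hardening_findings(rep) or "none")
```

The same representation can be saved to a file and fed to `kcadm.sh create identity-provider/instances -r <realm> -f idp.json`; attribute-to-user mappers (for example mapping eduPersonPrincipalName onto a Keycloak user attribute) are registered separately under the provider's `mappers` sub-resource and are not shown here.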