[keycloak-user] Some questions about user authentication with external IDP

Reed Lewis RLewis at carbonite.com
Tue Dec 27 15:05:59 EST 2016


We are planning on using Keycloak to authenticate users in our environment. There will be multiple sources of user logins.


1. Local to Keycloak

2. Using a Federation provider to pull accounts from on a one-time basis (the first time the user logs in they will authenticate using the p/w in the Federation server, and subsequent logins will occur entirely in Keycloak)

3. Using a third party IDP (like Microsoft, Google, etc.). But the initial source of these accounts might be local in Keycloak.

I of course can do #1, and know how to do #2. For #3 I have the external 3rd party IDP working.

But what we would like to have is this:


1. A user goes to a form in which they enter the username only.

2. If the user is new, it asks them to create an account.

3. If the user is new, but we know the login to be associated with a third party IDP, we go there, and link the account.

4. If the user is not new, and if they are linked to a third party IDP, it automatically loads that IDP page without having to pick that login.

Here is the workflow we are thinking.

An admin adds a list of accounts (either CSV, or somehow else) into Keycloak, but it says that all these accounts need to be authenticated by some third party IDP. So when a user logs into Keycloak and enters their username, it automatically redirects the user to the 3rd party IDP and then associates the local Keycloak login with the IDP without having to do too much.

Does this make sense?

Reed Lewis
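The username-first routing described in the four steps above, as an added example that is not part of the original post: it reads an admin-supplied account list (constructed here) and decides whether to send the browser to registration, to the linked IDP via Keycloak's `kc_idp_hint` parameter (which skips the IDP picker), or to the normal Keycloak login. The realm, client id and redirect URI are assumptions.

```python
import csv
import io
from urllib.parse import urlencode

# Constructed stand-in for the admin-supplied account list; in a real
# deployment this mapping would live in the Keycloak user store.
ACCOUNT_CSV = """username,idp_alias
alice,microsoft
bob,google
carol,
"""

# Constructed deployment values (assumptions): realm "demo", client "portal".
BASE_URL = "https://sso.example.com/auth/realms/demo/protocol/openid-connect"
CLIENT_ID = "portal"
REDIRECT_URI = "https://portal.example.com/callback"


def load_accounts(text):
    """Parse the admin-supplied CSV into {username: idp_alias or None}."""
    return {
        row["username"].strip().lower(): (row["idp_alias"].strip() or None)
        for row in csv.DictReader(io.StringIO(text))
    }


def route_login(username, accounts):
    """Decide where the username-only form sends the browser next.

    Returns (action, url): 'register' for unknown users, 'broker' for users
    whose account must be authenticated by an external IDP (kc_idp_hint makes
    Keycloak redirect straight to that IDP; first-broker-login then links the
    account), and 'local' for ordinary Keycloak users.

    Note: because the answer differs per username, this form reveals which
    usernames exist; rate-limit it and keep the distinct responses minimal.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "login_hint": username,  # pre-fills the username on the next page
    }
    key = username.strip().lower()
    if key not in accounts:
        return "register", f"{BASE_URL}/registrations?{urlencode(params)}"
    alias = accounts[key]
    if alias:
        params["kc_idp_hint"] = alias
        return "broker", f"{BASE_URL}/auth?{urlencode(params)}"
    return "local", f"{BASE_URL}/auth?{urlencode(params)}"
```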


