[keycloak-user] Accurate description of Keycloak's capabilities?
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Wed Feb 24 13:57:36 EST 2016
Thanks Ragu. I didn't mention certificates for KC because its says "coming
soon" on the website's front page. The slide I linked to is my current
draft (I won't be able to fit all this information onto a single slide).
In OpenUnison we separate authentication mechanisms from data source and
include federation as a form of authentication (even though strictly
speaking we don't collect credentials). So there's no "LDAP
Authentication" in OpenUnison, there's a username & password authentication
mechanism (that can be added to a chain) that would then validate that
credential through the virtual directory. Same thing for SAML and OIDC,
once we validate the assertion/token we link the user in the virtual
directory (or create a virtual user or run a just-in-time provisioning
workflow to create the user)
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
<marc.boorshtein at tremolosecurity.com>(
<https://www.google.com/voice?utm_source=en-ha-na-us-bk&utm_medium=ha&utm_term=google+voice&utm_campaign=en&pli=1#phones>703)
828-4902
On Wed, Feb 24, 2016 at 1:47 PM, Raghu Prabhala <prabhalar at yahoo.com> wrote:
> Under Keycloak authentication, I would suggest Kerberos, ldap, otp,
> certificates etc rather than oidc, saml which are not authentication
> mechanism.
>
> It should be similar to what you have put under openunison authentication
>
> Sent from my iPhone
>
> On Feb 24, 2016, at 12:56 PM, Marc Boorshtein <
> marc.boorshtein at tremolosecurity.com> wrote:
>
> So after I actually put the slide together I realized I'd never be able to
> put this much information on one slide. So I tried to distill it down to
> really key points:
>
> https://s3.amazonaws.com/ts-public-downloads/random/Slide11.png
>
> Let me know what you think. Again, I appreciate the feedback.
>
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> <marc.boorshtein at tremolosecurity.com>(
> <https://www.google.com/voice?utm_source=en-ha-na-us-bk&utm_medium=ha&utm_term=google+voice&utm_campaign=en&pli=1#phones>703)
> 828-4902
>
> On Wed, Feb 24, 2016 at 12:22 PM, Marc Boorshtein <
> marc.boorshtein at tremolosecurity.com> wrote:
>
>> Thanks Bill. I'm envisioning a slide with 3 columns (one for OpenUnison,
>> one for KC and one where there's overlap) so I'm going to try and keep it
>> brief but will certainly talk to anything I don't write down.
>>
>> Here's what I'm thinking for each column including your comments:
>>
>> OpenUnison
>> Authentication
>> * Kerberos
>> * Certificate
>> * Banner
>> * Username Only
>> * OTP over SMS
>> * OTP over Email
>> * Symantec VIP
>> * JIT Provisioning
>> * Authentication Levels
>>
>> User Data Sources
>> * Integrated Virtual Directory
>>
>> Role Management
>> * Workflow based approvals
>> * Multi stage approvals
>> * Escalations
>>
>> Application Integration
>> * Reverse Proxy with LastMile (J2EE/Apache/.NET)
>> * Reverse Proxy with SAML Login
>> * Reverse Proxy with Kerberos Constrained Delegation
>>
>> UI Pages
>> * Generic JSP
>>
>>
>> Common
>> Authentication
>> * OIDC
>> * SAML2
>> * Social
>> * TOTP
>> * IdP "Broker" for both SAML2 and OIDC
>> * Login Chain / Flow
>> * Custom Interface
>>
>> User Data Stores
>> * LDAP
>> * DB
>> * AD
>> * Custom
>> * Password reset
>> * Profile Updates
>>
>> Role Management
>> * Map to multiple data sources
>> * Web services integration
>>
>> Application Integration
>> * SAML2
>> * OIDC/OAuth2
>> * Reverse Proxy with header injection
>>
>>
>> KeyCloak
>> Authentication
>> * OIDC
>> * Social
>> * TOTP
>> * User session management
>>
>> User Data Sources
>> * Integrated SPI
>>
>> Role Management
>> * Local database
>> * Mapped to external data source
>>
>> Application Integration
>> * OIDC/OAuth2
>> * REST Web Services
>>
>>
>> UI Pages
>> * Themed
>> * Internationalization/Localization
>>
>> Anything you would like changed or mentioned?
>>
>> Thanks
>>
>>
>> Marc Boorshtein
>> CTO Tremolo Security
>> marc.boorshtein at tremolosecurity.com
>> <marc.boorshtein at tremolosecurity.com>(
>> <https://www.google.com/voice?utm_source=en-ha-na-us-bk&utm_medium=ha&utm_term=google+voice&utm_campaign=en&pli=1#phones>703)
>> 828-4902
>>
>> On Wed, Feb 24, 2016 at 11:22 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> Much more:
>>> - IDP brokering (Keycloak can be a child IDP to a parent IDP)
>>> - reset credentials
>>> - registration (with or without recaptcha)
>>> - required actions (verify email, update credentials, update profile)
>>> - User session management
>>>
>>> Custom SPIs to create/augment:
>>> - browser login flow
>>> - reset credential flow
>>> - registration
>>> - REST validation
>>> - service accounts
>>>
>>> With this SPI you can add custom authentication types, perform workflow
>>> actions, etc...
>>>
>>> User self-help:
>>> - Account management for logged in users.
>>>
>>> Internationalization/Localization:
>>> - Basically all UIs (admin console, login,
>>>
>>> On 2/24/2016 8:20 AM, Marc Boorshtein wrote:
>>>
>>> All,
>>>
>>> I'm going to be presenting OpenUnison at an OpenShift briefing tomorrow
>>> and have been asked to include a slide on how OpenUnison and Keycloak
>>> relate to each other. Based on getting Keycloak running and looking at the
>>> website and following the list I'm planning on breaking down KC's features
>>> as such:
>>>
>>> Authentication
>>> * OIDC
>>> * SAML2
>>> * Social
>>> * TOTP
>>> * IdP "Proxy" for both SAML2 and OIDC
>>>
>>> User Data Sources
>>> * LDAP
>>> * AD
>>> * Custom
>>>
>>> Role Management
>>> * Local database
>>> * Mapped to external data source
>>>
>>> Application Integration
>>> * SAML2
>>> * OIDC/OAuth2
>>> * Reverse Proxy with header injection
>>>
>>> UI Pages
>>> * Themed
>>>
>>> I want to make sure this is accurate, so I'd appreciate any feedback
>>> that you have.
>>>
>>> Thanks
>>>
>>> Marc Boorshtein
>>> CTO Tremolo Security
>>> marc.boorshtein at tremolosecurity.com
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160224/03413dd0/attachment-0001.html
More information about the keycloak-user
mailing list