[keycloak-user] Hybrid SSO access and custom user database

Stefano Cossu scossu at artic.edu
Wed Feb 24 15:44:31 EST 2016


Hello,
I am currently evaluating Keycloak to resolve an SSO scenario that we
are unable to resolve with our current setup. 

We have a SAML2 environment made up of a Shibboleth SP and a
SimpleSamlPHP IdP. The IdP authenticates requests against a custom
identity database exposed via a very simple REST API. The IdP sends
username and password to the REST API, which either responds
with a 401 or sends a JSON object with the authenticated user's
attributes and membership information.

So far so good, but now we need to authenticate an API client in the
system. SAML2 is not great for this, so I am looking for an alternative
SSO solution, either based on SAML or not. 

Our requirements are: 
1. The SSO system needs to be able to authenticate against the custom
REST API. This seems to be possible in Keycloak by defining a custom
federation provider. 
2. The SSO system needs to be able to authenticate both browser- and
API-based clients and let a client authenticated via API use the same
SSO token in a browser.
3. The SSO system needs to pass the identity information to the web
server (Apache) so that it is available as environment variables, in
a similar way to what Shibboleth does.

I have installed and started testing Keycloak locally but I am unsure
which scenario I should look at within Keycloak to accomplish what I am
looking for. Can someone give me some directions? 

Thanks,
Stefano

-- 
Stefano Cossu
Director of Application Services, Collections

The Art Institute of Chicago
116 S. Michigan Avenue
Chicago, IL 60603
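The credential-check contract described in the message (username and password go to a REST endpoint, which answers 401 or a JSON object of attributes and memberships) is the piece a custom federation provider would have to call. The following is an added example, not code from the poster or from Keycloak, modelling both sides of that exchange in one process: the server side stores salted PBKDF2 hashes and returns only identity data, and the client side treats anything other than a 200 with a well-formed body as a failed login. The user record, attribute names and `transport` callable are constructed for the example; a real provider would replace `transport` with an HTTPS call that has a timeout.

```python
"""Constructed model of the REST credential check behind a federation provider.
Not the poster's API and not Keycloak code; all names and data are assumptions."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value; tune to the deployment's hardware


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(username, password, attributes, groups):
    """Build one constructed identity record with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "hash": _hash_password(password, salt),
        "attributes": attributes,
        "groups": groups,
    }


# Constructed in-memory identity database (stands in for the custom database).
USERS = {
    u["username"]: u
    for u in [
        make_user(
            "jdoe",
            "correct horse battery staple",
            {"email": "jdoe@example.org", "displayName": "Jane Doe"},
            ["staff", "collections"],
        )
    ]
}

# Dummy salt/hash used for unknown users so the hashing cost is paid either way
# and response time does not reveal whether an account exists.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def rest_authenticate(request):
    """Server side of the contract: (401, {}) on any failure,
    (200, identity JSON) on success. Never returns the hash, salt or password."""
    username = request.get("username")
    password = request.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return 401, {}
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    # compare_digest keeps the comparison constant-time in the hash length.
    if user is None or not hmac.compare_digest(candidate, expected):
        return 401, {}
    return 200, {
        "username": username,
        "attributes": dict(user["attributes"]),
        "groups": list(user["groups"]),
    }


def federation_validate(username, password, transport=rest_authenticate):
    """Client side, as a federation provider would call it on each login.
    Returns the identity map on success, None on any failure. A transport
    error, a non-200 status or a body naming a different user all count as
    failure; the provider must not fall back to treating them as success."""
    try:
        status, body = transport({"username": username, "password": password})
    except Exception:
        return None
    if status != 200 or not isinstance(body, dict):
        return None
    if body.get("username") != username:
        return None
    return body


if __name__ == "__main__":
    print(federation_validate("jdoe", "correct horse battery staple"))
    print(federation_validate("jdoe", "wrong password"))
```

The client never caches the password and does not keep a copy of the identity record beyond the login; the attributes and groups it returns are what the SSO layer would expose downstream (for example as the environment variables mentioned in requirement 3), so the server-side filter that strips the hash and salt is the control that keeps secret material out of that path.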

