[keycloak-user] Identity Brokering

Danny Regis danny at sigerconsulting.com
Thu Apr 13 09:12:02 EDT 2017


Hello,

I'm trying to gain clarity on whether there is a subtle difference between
Identity Federation / Identity Brokering / Authentication Brokering.

Looking at the documentation for Identity Providers, it details this as
Identity Brokering; what I can't ascertain (and haven't been able to demo)
is exactly how this works. The documentation implies that the first broker
login flow creates a local user. What happens on the second login? Would
the user always be redirected to the IdP login pages? If so, what is the
local user copy for?

Potentially I'm confusing federated OpenID Connect SSO with Identity
Brokering.


My specific use case...

Application A users are authenticated and authorised via Identity Provider B
(OpenID Connect).

However, application A users should always be authenticated against IdP B;
there should never be local authentication based upon a local KC user.

Would disabling "Create User If Unique" from the First Broker Login flow
fulfil my requirement?

Thanks
Danny

