[keycloak-user] Re: Identity Brokering

Danny Regis danny at sigerconsulting.com
Mon Apr 17 15:41:53 EDT 2017


>
> Thanks Bill,
>

Is there a subtle distinction between identity brokering and federation?

Is there anywhere that details the interaction on subsequent logins? I
found this page useful for the initial login:

http://www.keycloak.org/docs/1.9/server_admin_guide/topics/identity-broker/overview.html

I assume credentials are not imported/created during the identity
federation, hence on a return visit Keycloak would forward an
authentication request to the target IdP - effectively step 5 in the flow
linked above.

Danny
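To make the first-login versus return-visit distinction Bill describes concrete, here is a small simulation added to this thread. It is not Keycloak code and the class and status names are assumptions; it models an imported local account that carries only a federated link (IdP alias plus external user id) and no local credential, so a return visit resolves the account by that link after the IdP has authenticated the user, while a local password login cannot succeed.

```python
# Added example: a simplified model of Keycloak-style identity brokering.
# Not Keycloak's implementation; LocalUser, Broker and the status strings are assumed.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class LocalUser:
    username: str
    email: str
    # Federated links: (idp_alias, external_user_id). An imported user gets a
    # link but no local password, so there is nothing to authenticate locally.
    links: Set[Tuple[str, str]] = field(default_factory=set)
    password: Optional[str] = None


class Broker:
    def __init__(self):
        self.users = {}  # username -> LocalUser

    def first_broker_login(self, idp_alias, ext_id, username, email):
        """Runs only when no local user is linked to (idp_alias, ext_id)."""
        if username in self.users or any(u.email == email for u in self.users.values()):
            # Existing, unlinked account with the same username/email: the model
            # refuses to create a duplicate and leaves conflict handling to the flow.
            return None, "existing-account-conflict"
        user = LocalUser(username, email, {(idp_alias, ext_id)})
        self.users[username] = user
        return user, "created-and-linked"

    def brokered_login(self, idp_alias, ext_id, username, email):
        """Called after the IdP has authenticated the user and asserted ext_id
        (the redirect to the IdP happens on every visit, not just the first)."""
        for user in self.users.values():
            if (idp_alias, ext_id) in user.links:
                return user, "linked-account-found"   # return visit: no re-import
        return self.first_broker_login(idp_alias, ext_id, username, email)

    def local_password_login(self, username, password):
        """Local credential check; imported users have no password to match."""
        user = self.users.get(username)
        return user is not None and user.password is not None and user.password == password
```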

>


>
> Message: 6
> Date: Thu, 13 Apr 2017 10:25:14 -0400
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] Identity Brokering
> To: keycloak-user at lists.jboss.org
> Message-ID: <3e60adeb-bb6f-ef07-7f55-3c5611c0122b at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
> Brokering is authentication delegation.  The user is imported, a local
> account is created and linked to the external IDP.
>
>
> On 4/13/17 9:12 AM, Danny Regis wrote:
> > Hello,
> >
> > I'm trying to gain clarity on whether there is a subtle difference between
> > Identity Federation / Identity Brokering / Authentication Brokering.
> >
> > Looking at the documentation for Identity Providers, it details this as
> > Identity Brokering, what I can't ascertain (and haven't been able to demo)
> > is exactly how this works. The documentation implies that the first broker
> > login flow creates a local user. What happens on the second login? Would
> > the user always be redirected to the IdP login pages? If so what is the
> > local user copy for?
> >
> > Potentially I'm confusing federated OpenID Connect SSO with Identity
> > Brokering.
> >
> >
> > My specific use case...
> >
> > Application A users authenticated and authorised via Identity Provider B
> > (OpenID Connect)
> >
> > However application A users should always be authenticated against IdP B,
> > there should never be local authentication based upon a local KC user.
> >
> > Would disabling "Create User If Unique" from the First Broker Login flow
> > fulfil my requirement?
> >
> > Thanks
> > Danny
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 40, Issue 20
> *********************************************
>

