[keycloak-user] Migration from Picketlink IDM
Thomas DELHOMENIE
thomas.delhomenie at gmail.com
Mon Aug 7 09:03:20 EDT 2017
Funny, the application I am talking about is Gatein/eXo actually :)
Thanks for your answers Marek.
Looks like replacing Picketlink by Keycloak will not be as straight forward
as I initially thought. It will require architecture changes, will impact
configuration, custom developments and will require data migration if we
want to use it.
Le 7 août 2017 12:53, "Marek Posolda" <mposolda at redhat.com> a écrit :
Glad that someone is still using picketlink 1.4. It reminds me some old
days when, I was working on GateIn Portal, which was using Picketlink 1.4
:) But I agree that it is good to migrate :) Answers inline.
On 07/08/17 11:07, Thomas DELHOMENIE wrote:
> Hello,
>
> We currently use PicketLink (in a quite old version : 1.4), especially the
> IDM part. As Picketlink is a dead project, we are evaluating alternative
> solutions, which naturally led us to Keycloak. I have some questions :
> * I understand that Keycloak must be run as a server, but isn't there a way
> to embed only the User Federation capability in an application (so not in
> server mode) ? We basically need to be able to manage users/groups,
> aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
> expose them in our API. That's what we did with Picketlink IDM, but I am
> not sure it is feasible with Keycloak.
>
Not directly. Keycloak is meant to be used as a server and do it for you.
Once user successfully authenticates, the details are available in his
accessToken. Application doesn't know from which source (LDAP server) this
info came from, it's not the responsibility of the application. Also
Keycloak has admin REST API, which allows you to search for users and
return corresponding JSON objects with user details. We have nice admin
client, which allows you to easily execute this REST API from Java
application.
* we provide the capability for the administrators of our application to
> configure their users and groups storages, by configuration. Is it still
> possible with Keycloak or can this only be done via the admin console ?
>
We have admin REST API and everything, which is doable in Keycloak admin
console, can be also done through admin REST API. In latest 3.2.1 version
there is more fine grained admin permissions model, which should allow you
to specify permission for admins in more fine grained way if needed.
Marek
>
> Regards,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list