[keycloak-user] X509 Identity Brokering

Nalyvayko, Peter pnalyvayko at agi.com
Wed Jun 14 21:02:41 EDT 2017


Hi Thiago,

Have you considered using the LDAP identity provider in conjunction with X509 user authentication? X509 contains an existing identity of a user so whoever's responsible for issuing the certificate can pre-register the user by creating an LDAP record prior to issuing the X509 cert to the user. 
My $0.02
Regards,
Peter

________________________________________
From: Thiago Presa [thiago.addevico at gmail.com]
Sent: Wednesday, June 14, 2017 1:23 PM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] X509 Identity Brokering

Hi Peter,

As I could grasp, currently the user would have to manually register himself into the realm, providing a password for the access. After that, he or she can use the certificate instead of the password to log into the realm.
However, we would like users to log in only through valid X509 certificates. It seems a bit artificial to ask for a password that ultimately won't be used. Can we avoid asking the password somehow?

Best regards,
Thiago Presa

On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
Hi Thiago,

AFAIK x509 user authentication requires an existing user. Can you go into specifics about what your use case is?
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Thiago Presa [thiago.addevico at gmail.com]
Sent: Tuesday, June 13, 2017 5:47 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] X509 Identity Brokering

Hi,

Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?

Best regards,
Thiago Presa
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
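Peter's suggestion above amounts to "match the certificate's identity against a user that already exists". The following added example (not from the thread or from Keycloak itself) sketches that check in pure Python: it parses the certificate subject as an RFC 4514 string, pulls out the e-mail attribute, and looks it up in a constructed stand-in for the pre-populated LDAP directory. A certificate whose identity has no pre-registered entry is rejected rather than auto-registered, which is the behaviour Thiago observed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the LDAP directory Peter describes: the issuer
# pre-registers each certificate holder before issuing the certificate.
# Keys are the e-mail addresses that will appear in the certificate subject.
PRE_REGISTERED_USERS: Dict[str, Dict[str, str]] = {
    "thiago@example.org": {"uid": "tpresa", "cn": "Thiago Presa"},
    "peter@example.org": {"uid": "pnalyvayko", "cn": "Peter Nalyvayko"},
}


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute type, value) pairs.

    Backslash-escaped separators such as 'O=Acme\\, Inc.' are honoured, so a
    comma inside a value is not mistaken for an RDN boundary.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def certificate_identity(subject_dn: str) -> Optional[str]:
    """Return the subject's e-mail attribute (E or EMAILADDRESS), lower-cased."""
    for attr_type, value in parse_subject_dn(subject_dn):
        if attr_type in ("E", "EMAILADDRESS"):
            return value.lower()
    return None


def lookup_pre_registered(subject_dn: str, directory=PRE_REGISTERED_USERS):
    """Map an already-validated client certificate onto an existing user record.

    Returns the directory entry, or None when the certificate carries no
    e-mail or the e-mail was never pre-registered (no auto-registration).
    """
    ident = certificate_identity(subject_dn)
    return None if ident is None else directory.get(ident)
```

Certificate chain and revocation checks are assumed to have happened before this lookup; the example only covers the identity-to-user mapping step.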