[keycloak-user] Keycloak and 3 clients

Marc Tempelmeier marc.tempelmeier at flane.de
Tue Mar 21 03:51:37 EDT 2017


Hi,

I understand that I have to explain my use-case better. We want to combine Magento CMS/Shop, OpenEDX, another C# desktop program (RL) and Keycloak. The idea was to have the same users everywhere, because they buy access codes for our RL in Magento and have to log in to RL too.
It would be odd if one logs out in the shop and logs out in the program too. So the idea was to allow login from Magento OR RL, opened should forward to Magento in this case. RL has no logout at the moment, but the logout at Magento should log out Magento and OpenEDX, but _not_ RL.

Thanks for your help so far!

Best regards

Marc

From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Sent: Monday, March 20, 2017 9:22 PM
To: Marek Posolda <mposolda at redhat.com>
Cc: Marc Tempelmeier <marc.tempelmeier at flane.de>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak and 3 clients

Hello Marc,

I think the following setup will suit your requirement (assuming all 3 apps are web apps)

Create a confidential client for each of the 3 apps in the same realm.
Treat 1 app as "manager" app. The other apps are "workers".
Secure each app with an appropriate keycloak adapter and configure an appropriate
Admin URL for the client such that Keycloak can propagate logouts to them.

In the "manager" app use the default Keycloak logout functionality of your adapter
when a user clicks on logout.
However in the worker app only kill the current http session
of the app on "logout" and release app local resources then redirect to
some kind of central launch pad, potentially part of the "manager" app.

If a user now clicks on an application icon on the launch pad he
will be sent to the app without having to login.

If a user performs a logout from the manager app the real logout
will be performed. If the user then tries to access an app he has to log in again.

This "pseudo" logout still releases some resources and gives the user
the "impression" that they did their job of logging out every time.
This helps to deal with users who are used to working with non-integrated
web apps but still don't want to log in every time...

Cheers,
Thomas
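
A sketch of the two logout handlers this setup calls for, added here as an example and not code from the thread or from the Keycloak project. It assumes Java web apps secured by a Keycloak servlet adapter; the servlet names, the `/logout` path and the launch pad URL are hypothetical.

```java
// ---- manager app: ManagerLogoutServlet.java ----
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** Real logout: ends the Keycloak SSO session for the user. */
@WebServlet("/logout")
public class ManagerLogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumption: a Keycloak servlet adapter secures this app, so logout()
        // is handled by the adapter and terminates the session at Keycloak.
        // Keycloak then notifies every client that has an Admin URL set,
        // which is how the worker apps lose their sessions as well.
        req.logout();
        resp.sendRedirect(req.getContextPath() + "/");
    }
}

// ---- each worker app: WorkerLogoutServlet.java ----
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** "Pseudo" logout: drops only this app's HTTP session. */
@WebServlet("/logout")
public class WorkerLogoutServlet extends HttpServlet {
    // Hypothetical launch pad URL inside the manager app.
    private static final String LAUNCH_PAD = "https://manager.example.com/launchpad";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // do not create one
        if (session != null) {
            session.invalidate(); // releases app-local state and cached tokens
        }
        // No call to Keycloak here: the SSO session stays alive, so the next
        // click on this app from the launch pad signs the user in silently.
        resp.sendRedirect(LAUNCH_PAD);
    }
}
```

After the worker handler runs, the browser still holds a live SSO session until the manager logout is used or the realm's session timeout expires, so on shared machines the manager logout is the one that actually ends access.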

2017-03-20 19:45 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
Hi,

not sure I understand your use-case properly. Also not sure how much
sense it has as login is always SSO and logout is always
single-sign-out. Maybe there is possibility to do this with our
"identity providers" and have 2 keycloak realms when 1 realm will be
provider and second realm consumer. There are some disadvantages of this
approach (eg. duplicated users), but maybe you can achieve what you want
with this..

Marek

On 20/03/17 16:02, Marc Tempelmeier wrote:
> Hi,
>
> I'm new to Keycloak and have the lucky possibility to play around with it here at my new company.
> Unlucky is I'm the only person who plays around with it at the moment.
>
> So I have to make it possible that we have 3 services connected with Keycloak. But just one of them should have the users in the same realm but the users shouldn't be logged out.
>
> To recap:
>
> Keycloak with 3 clients, logout should log out only 2, but login should occur for all 3.
>
> Can you give me a gist how to solve that?
>
> Best regards
>
> Marc
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

