[keycloak-user] Decoupled IDP brokering in different networks

Scheinmann, Jonathan jonathan.scheinmann at dxc.com
Mon Jan 29 02:14:57 EST 2018


Hi community,

We currently have a setup of two Keycloak IDPs in completely different networks. That means both Keycloak instances cannot see each other. However, the user (from the browser's point of view) can access both instances over a VPN connection. We would now like to "connect" both Keycloak instances over identity brokering in a way that both instances can perform the authentication process without communicating directly with each other (maybe indirectly through the user's browser). We set up IDP brokering between both and everything worked fine up to the point where the brokering instance performs a call-back to the other instance, which of course led to an UnknownHostException.

The question is therefore: is there a way to pass user data between both Keycloak instances without direct communication, but through a browser authentication flow? Or would that be a security risk?

Regards
Jonathan
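The failing call-back above is the broker fetching tokens from the remote IdP's token endpoint over the back channel, which is exactly the hop that cannot exist here. The added example below (not from the post or from Keycloak) simulates the alternative the post hints at: the remote IdP hands the browser a signed assertion, and the broker verifies it entirely offline. It assumes a pre-shared HMAC key exchanged out of band, constructed issuer/audience names, and a broker-chosen nonce to stop replay.

```python
import base64, hashlib, hmac, json, time

# Assumption: a key both instances hold, exchanged out of band (constructed value).
SHARED_KEY = b"constructed-out-of-band-shared-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(issuer, audience, subject, nonce, ttl=300, now=None):
    """Remote IdP side: sign the claims the browser will carry to the broker."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "nonce": nonce, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_assertion(token, expected_issuer, expected_audience, expected_nonce, now=None):
    """Broker side: verify with no network call to the issuer; returns claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse algorithm substitution
    expected = hmac.new(SHARED_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")  # claims were altered while passing through the browser
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")  # token minted for some other relying party
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # replayed or injected assertion
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def is_rejected(token, issuer, audience, nonce, now=None):
    """Convenience wrapper: True when the broker would refuse the assertion."""
    try:
        verify_assertion(token, issuer, audience, nonce, now=now)
        return False
    except ValueError:
        return True
```

The integrity and replay checks are what make the browser-only path acceptable; the remaining risk is the shared key and the clock skew you tolerate on `exp`.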

