[keycloak-user] Decoupled IDP brokering in different networks

Cédric Couralet cedric.couralet at gmail.com
Mon Jan 29 06:53:05 EST 2018


Hello,

I am also interested in this.
At the moment, we implement this with SAML brokering which doesn't
require direct communication between Keycloak instances.
This was not trivial to configure on both instances (especially
regarding signature), so if there is another way it would be great.

Regards,
Cédric

2018-01-29 8:14 GMT+01:00 Scheinmann, Jonathan <jonathan.scheinmann at dxc.com>:
> Hi community,
>
> We currently have a setup of two Keycloak IDPs in completely different networks. That means, both Keycloak instances cannot see each other. However, the user (from the browser's point of perspective) can access both instances over a VPN connection. We would now like to "connect" both Keycloak instances over identity brokering in a way that both instances can perform the authentication process without communicating directly with each other (maybe indirectly through the user's browser). We set up IDP brokering between both and everything worked fine to the point where the brokering instance performs a call-back to the other instance which of course led to an UnknownHostException.
>
> The question is therefore: is there a way to pass user data between both keycloak instances without direct communication but through a browser authentication flow. Or would that be a security risk?
>
> Regards
> Jonathan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
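As an added example (not from this thread and not Keycloak's own documentation), a realm-export style SAML identity provider definition for the brokering instance that follows the approach Cédric describes: only browser-mediated HTTP-POST bindings are enabled, back-channel logout is switched off, and the remote realm's signing certificate is pinned in the configuration instead of being fetched, so the brokering instance never has to open a connection into the other network. The hostnames, realm names and the certificate value are placeholders.

```json
{
  "alias": "remote-keycloak",
  "displayName": "Keycloak in the other network (placeholder)",
  "providerId": "saml",
  "enabled": true,
  "trustEmail": false,
  "storeToken": false,
  "addReadTokenRoleOnCreate": false,
  "firstBrokerLoginFlowAlias": "first broker login",
  "config": {
    "singleSignOnServiceUrl": "https://remote.example.invalid/auth/realms/REMOTE-REALM/protocol/saml",
    "singleLogoutServiceUrl": "https://remote.example.invalid/auth/realms/REMOTE-REALM/protocol/saml",
    "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "postBindingAuthnRequest": "true",
    "postBindingResponse": "true",
    "postBindingLogout": "true",
    "backchannelSupported": "false",
    "wantAuthnRequestsSigned": "true",
    "wantAssertionsSigned": "true",
    "signatureAlgorithm": "RSA_SHA256",
    "validateSignature": "true",
    "signingCertificate": "PLACEHOLDER-base64-DER-of-the-remote-realm-signing-certificate",
    "forceAuthn": "false"
  }
}
```

With `validateSignature` left at `false` the brokering instance would accept any assertion posted to its endpoint through the browser, so the pinned certificate together with signature validation is what makes the front-channel-only path trustworthy; the remote realm needs the mirror-image settings (signed AuthnRequests expected, this broker's certificate pinned) for the same reason.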
