[keycloak-user] brokered-login only

lists lists at merit.unu.edu
Mon Jun 25 10:30:38 EDT 2018


Hi,

ok, that seems like a lot of things to keep into consideration for 
(what I guess) would be the most basic use case:

create a dedicated 'brokering' realm, where users can only logon 'brokered'.

I mean, to combine 'local' and brokered users in the same realm would be 
more unlikely and advanced... right?

(in our case, for example: we have setup a keycloak realm for our 
ldap-federated users, and now want to setup a second realm to facilitate 
SSO between our users and those of some other remote networks)

What I am saying: Isn't it more likely to have a brokered-only realm(s), 
plus other realms with local users?

So shouldn't it be 'normal standard behaviour' to disallow local logons 
for brokered accounts?

Or am I missing something here...? From what I see, you would normally 
want to rely on the remote IdP's data for authentication, and (almost?) 
never on a local administrative 'ghost copy' of it?

Probably there is something I am missing though...?

MJ

On 25-6-2018 15:38, pkboucher801 at gmail.com wrote:
> You will need auto-linking of IDP to internal account as well, so they won't
> be asked for their password in order to approve linking their Keycloak
> account to the IDP.
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Monday, June 25, 2018 5:25 AM
> To: Corbetta, Francesco <fco at iec.ch>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
> 
> Yes, sure.
> 
> If you need to just override themes, you may not need to override the
> authentication flow. But if you need to override the UsernamePassword
> Authenticator and change the implementation, so that it doesn't allow
> login with username/password at all, then you will need to add this
> authenticator implementation into a new browser authentication flow. Maybe
> instead of overriding the UsernamePassword authenticator, it's easier to create
> a new authenticator implementation, which will just show the Freemarker
> form with links to brokers (no username/password). In that case you will
> also need to create a new authentication flow and add that new authenticator
> implementation to it.
> 
> Marek
> 
> On 25/06/18 08:57, Corbetta, Francesco wrote:
>> Hello
>>
>> What about changing the browser authentication flow?
>>
>> Best
>>
>> Francesco
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org
>> <keycloak-user-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>> Sent: 25 June 2018 08:49
>> To: mj <lists at merit.unu.edu>; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] brokered-login only
>>
>> It's possible to remove username/password fields from the login screen by
>> doing a custom theme and overriding the freemarker template for the login screen.
>>
>> You may need to remove the tab "password" from account management as well so
>> that users are not able to set their password there. This can also be
>> achieved through the theme.
>>
>> Thing is that after changing themes, users will still be able to log in
>> with their username/passwords if they "simulate" sending the same HTTP
>> request which the login screen is sending (they can also simulate changing
>> their password in account management by HTTP request even if the "password"
>> tab is not in the UI). So if you expect to have malicious users who
>> would try to do something like this and you want to be safe and avoid this,
>> you may need to change/override the UsernamePassword Authenticator too and
>> avoid authentication of users with username/password. Then login with
>> username/password will be impossible even if a user is trying to "simulate"
>> the request like this.
>>
>> Marek
>>
>>
>> On 24/06/18 14:30, mj wrote:
>>> Hi,
>>>
>>> Is there a way to create a realm in keycloak with a few brokered IdP's,
>>> *without* the local username/password fields on the login screen, but
>>> *only* a list of external IdP's to choose from?
>>>
>>> Thanks!
>>>
>>> MJ
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

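The authenticator Marek describes (a form step that only shows the broker links and never accepts a password), written out as an added example; this is not code from the thread or from Keycloak itself. It assumes the Keycloak Authenticator SPI as of the 2018 releases, the hypothetical package `example.idponly` and provider id `idp-only-form`, and a custom theme whose `login.ftl` has the username/password inputs removed.

```java
package example.idponly; // hypothetical package; not part of Keycloak

import java.util.Collections;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

// Drop-in replacement for "Username Password Form" in a copied browser flow.
public class IdpOnlyAuthenticator implements Authenticator, AuthenticatorFactory {
    static final String ID = "idp-only-form"; // hypothetical provider id

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // login.ftl already renders the realm's enabled identity providers as links;
        // the theme drops the username/password inputs, this class makes them dead anyway.
        context.challenge(context.form().createLoginUsernamePassword());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Reached only when a form is POSTed to this step, i.e. the credential request
        // was replayed by hand. Never inspect the fields: record the event and fail the flow.
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    // AuthenticatorFactory part: how the admin console lists this execution.
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "IdP-only login form"; }
    @Override public String getHelpText() { return "Shows identity provider links only; local credentials are rejected."; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public Requirement[] getRequirementChoices() { return new Requirement[] { Requirement.REQUIRED }; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Register the class in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, copy the built-in browser flow, replace the "Username Password Form" execution with this one, and bind the copy as the realm's browser flow. A password POSTed to the flow then shows up as an `invalid_user_credentials` error in the realm's login events, which is the signal to watch for the "simulated request" case from the thread.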
