[keycloak-user] Advice on setting up realms

Sebastien Blanc sblanc at redhat.com
Thu Mar 21 12:14:13 EDT 2019


On Thu, Mar 21, 2019 at 4:58 PM Olivier Rivat <orivat at janua.fr> wrote:

> Hi Chris,
>
>
> Couple of points:
> 1) > Can I make these two types of user coexist in a single realm, or
> do I need to split it up?
>
> - Authentication is on a per-realm basis.
> For authentication you configure a corresponding authentication flow, by
> default for the entire realm.
>
> With 4.X and 5.0, you can override the default authentication flow
> for specific client applications.
>
> If you want 2 different ways to authenticate (staff with 2FA,
> username/password + TOTP), and external with 1FA (username/password),
> best is to have two different realms, with one realm for staff and another
> for external people.
>
Unless staff and partners do not access the same clients; in this case you
can override the auth flow as Olivier said before.

>
>
> 2) > How can I enforce policies such as requiring TOTP for our staff?
> You just have to indicate that TOTP is required in the staff realm's
> authentication flow.
>
same remark as in 1)

>
>
> 3) > Can I prevent users from changing their email address and name in
> the account console while still permitting password and authenticator
> changes?
> At first glance, there seems to be no specific tuning for this, short of
> writing a specific custom plugin.
> In the "Required Actions" of your auth flow, "Update Profile" is enabled
> by default; if you disable it they won't be able to change their profile
> but will still be able to configure OTP and change their password.
>
> Visit also our web site for info about TOTP and realms:
> http://www.janua.fr/tag/technical-blog/
>
>
> Don't hesitate to come back to us if you need any further help
>
> Regards,
>
> Olivier Rivat
>
>
>
>
> Olivier Rivat
> CTO
> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>
>
>
> Le 21/03/2019 à 15:56, Chris Boot a écrit :
> > Hi folks,
> >
> > I’ve been looking for an IdP solution for my employer for months and
> > have felt like I’ve been going round and round in circles, until I
> > finally gave Keycloak another try. It’s like a breath of fresh air! So
> > thanks folks.
> >
> > Our Keycloak instance will be used to protect about a dozen
> > applications, things like our wiki, monitoring control panel, and so on.
> > We’ll have two different types of users who will need to use the IdP and
> > login to these applications: staff and partners.
> >
> > Staff will need to login using LDAP federation and will be required to
> > use TOTP. They should not be able to use social providers to log in.
> > Staff will use their email address to login and all will use a single
> > RHS domain for their email addresses.
> >
> > Partners will not have LDAP accounts, and should be able to opt-in to
> > use TOTP. They should ideally also be able to link social accounts (e.g.
> > Google or GitHub) to their existing records. Anyone not using our
> > corporate email domain, but who has an account, should be considered a
> > partner.
> >
> > Some of our applications can only be configured with a single OIDC or
> > SAML provider, so Keycloak would need to handle both types of accounts
> > (e.g. staff / partner) from a single login interface.
> >
> > I therefore have a few questions about how I might achieve such a setup:
> >
> > - Can I make these two types of user coexist in a single realm, or do I
> > need to split it up?
> >
> > - How can I enforce policies such as requiring TOTP for our staff?
> >
> > - Can I prevent users from changing their email address and name in the
> > account console while still permitting password and authenticator
> changes?
> >
> > Thanks in advance for any suggestions.
> >
> > Cheers,
> > Chris
> >
> --
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
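The two replies above point at three realm-level settings: setting the "OTP Form" execution of the browser flow to REQUIRED (TOTP for staff), binding an alternative browser flow to a single client when staff and partners share that client (the per-client override available since 4.x), and disabling the "Update Profile" required action so users can still manage OTP and password but not their profile. The script below is an added example, not code from this thread or from the Keycloak project; it drives those settings through Keycloak's admin REST API using only the standard library. The realm name "staff", the client id "wiki" and the custom flow alias "browser-otp-required" are assumptions chosen to match the discussion, and the admin bearer token is assumed to have been obtained separately.

```python
"""Apply the three realm settings discussed in the thread via the Keycloak admin REST API.

Added example, not from the thread or from Keycloak. Assumes a Keycloak 4.x/5.0
server, an admin access token obtained separately, and the illustrative names
"staff" (realm), "wiki" (client) and "browser-otp-required" (a custom flow alias).
"""
import json
import urllib.request
from typing import Any, Dict, List, Optional

Rep = Dict[str, Any]


def find_flow_id(flows: List[Rep], alias: str) -> Optional[str]:
    """Look up a flow id by alias in the list returned by GET .../authentication/flows."""
    for flow in flows:
        if flow.get("alias") == alias:
            return flow.get("id")
    return None


def find_execution(executions: List[Rep], provider_id: str) -> Optional[Rep]:
    """Find one execution (e.g. providerId 'auth-otp-form') in a flow's execution list."""
    for execution in executions:
        if execution.get("providerId") == provider_id:
            return execution
    return None


def with_otp_required(executions: List[Rep]) -> Rep:
    """Build the PUT body that turns the OTP Form execution from OPTIONAL into REQUIRED.

    The input list is not modified; a flow without an OTP Form is an error rather
    than a silent no-op, so a misnamed flow cannot leave staff on 1FA unnoticed.
    """
    otp = find_execution(executions, "auth-otp-form")
    if otp is None:
        raise ValueError("flow has no OTP Form execution; TOTP cannot be enforced here")
    updated = dict(otp)
    updated["requirement"] = "REQUIRED"
    return updated


def with_browser_override(client: Rep, flow_id: str) -> Rep:
    """Return a client representation that binds a specific browser flow to this client."""
    updated = dict(client)
    overrides = dict(updated.get("authenticationFlowBindingOverrides") or {})
    overrides["browser"] = flow_id
    updated["authenticationFlowBindingOverrides"] = overrides
    return updated


def with_required_action_disabled(action: Rep) -> Rep:
    """Return a required-action representation with enabled=false (e.g. UPDATE_PROFILE)."""
    updated = dict(action)
    updated["enabled"] = False
    return updated


class KeycloakAdmin:
    """Thin admin REST client; every method does GET-modify-PUT so other fields survive."""

    def __init__(self, base_url: str, token: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _call(self, method: str, path: str, body: Optional[Rep] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.base_url}/admin/realms/{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def require_totp(self, realm: str, flow_alias: str = "browser") -> None:
        path = f"{realm}/authentication/flows/{flow_alias}/executions"
        self._call("PUT", path, with_otp_required(self._call("GET", path)))

    def bind_browser_flow(self, realm: str, client_id: str, flow_alias: str) -> None:
        flow_id = find_flow_id(self._call("GET", f"{realm}/authentication/flows"), flow_alias)
        if flow_id is None:
            raise ValueError(f"no flow with alias {flow_alias!r} in realm {realm!r}")
        client = self._call("GET", f"{realm}/clients?clientId={client_id}")[0]
        self._call("PUT", f"{realm}/clients/{client['id']}", with_browser_override(client, flow_id))

    def disable_required_action(self, realm: str, alias: str = "UPDATE_PROFILE") -> None:
        path = f"{realm}/authentication/required-actions/{alias}"
        self._call("PUT", path, with_required_action_disabled(self._call("GET", path)))


if __name__ == "__main__":
    # Placeholder server and token; the names below are the assumptions stated above.
    admin = KeycloakAdmin("https://keycloak.example.invalid/auth", "ADMIN-TOKEN-PLACEHOLDER")
    admin.require_totp("staff")                                        # TOTP for the staff realm
    admin.bind_browser_flow("staff", "wiki", "browser-otp-required")   # per-client flow override
    admin.disable_required_action("staff", "UPDATE_PROFILE")           # lock name/email edits
```

The pure helpers are separated from the network calls so the change to each representation can be checked offline before it is pushed to a live realm; note that with_otp_required refuses to proceed when the named flow has no OTP Form, which is the failure mode that would otherwise leave staff on password-only login.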

