Details
- Type: Enhancement
- Status: Closed
- Priority: Major
- Resolution: Done
Description
Where an organization has users in more than one Kerberos realm, it is useful to let a user who exists in both realms authenticate with either account. When Kerberos cross-realm trusts are not an option, identity provider brokering looks like a good alternative. By default, however, Keycloak prompts the user to authenticate to the existing account before the two accounts can be linked. That prompt is unnecessary when the internal domain trusts that usernames and email addresses map one-to-one between the realms.
The following mailing list entry suggests that a Jira be created for this enhancement, and I couldn't find one, so I'm creating a new Jira now:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006653.html
A workaround "hack" might be an automated cron job that runs with admin credentials and periodically posts to the admin JSON endpoint of each user to create the link. This sounds problematic, though, because of timing concerns and the clearing of cached users.
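As an added illustration of that cron-style workaround (this is editor-written example code, not part of the ticket and not Keycloak project code), the script below links each user in the broker realm to the matching account behind the identity provider through the standard Keycloak admin REST API (`GET /admin/realms/{realm}/users`, `GET .../users/{id}/federated-identity`, `POST .../users/{id}/federated-identity/{alias}`). The realm names `corp` and `kerberos-b`, the provider alias `kerberos-b`, the `admin-cli` password grant and the assumption that the second Kerberos realm is itself a Keycloak realm reachable through the same admin API are all assumptions, not details from the ticket. Because the ticket's premise is a one-to-one relationship of usernames *and* email addresses, the script only links accounts where both agree and reports every other username match instead of linking it; it also skips users that are already linked, so it can be rerun safely. The in-memory API stand-in and the sample users are constructed so the script runs offline.

```python
import json
import urllib.parse
import urllib.request

BROKER_REALM = "corp"      # assumed realm that users log in to (not from the ticket)
IDP_ALIAS = "kerberos-b"   # assumed identity provider alias for the second Kerberos realm
IDP_REALM = "kerberos-b"   # assumed Keycloak realm that backs that identity provider


class KeycloakAdminApi:
    """Minimal admin REST client; base_url includes the /auth prefix on older Keycloak."""

    def __init__(self, base_url, username, password):
        self.base_url = base_url.rstrip("/")
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        token_url = f"{self.base_url}/realms/master/protocol/openid-connect/token"
        with urllib.request.urlopen(urllib.request.Request(token_url, data=form)) as resp:
            self.token = json.load(resp)["access_token"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def get(self, path):
        return self._call("GET", path)

    def post(self, path, body):
        return self._call("POST", path, body)


def list_users(api, realm, page_size=100):
    """Page through the realm's users; Keycloak caps each call at `max` results."""
    first = 0
    while True:
        batch = api.get(f"/admin/realms/{realm}/users?first={first}&max={page_size}")
        if not batch:
            return
        yield from batch
        first += len(batch)


def plan_links(broker_users, idp_users):
    """Pair accounts only when username AND email match (case-insensitively)."""
    by_name = {}
    for u in idp_users:
        by_name.setdefault(u["username"].lower(), []).append(u)
    plan, skipped = [], []
    for bu in broker_users:
        email = (bu.get("email") or "").lower()
        matches = [c for c in by_name.get(bu["username"].lower(), [])
                   if email and (c.get("email") or "").lower() == email]
        if len(matches) == 1:
            plan.append((bu, matches[0]))
        else:
            skipped.append((bu["username"], "no unique username+email match"))
    return plan, skipped


def sync_links(api, broker_realm=BROKER_REALM, idp_alias=IDP_ALIAS, idp_realm=IDP_REALM):
    """Create missing federated-identity links; idempotent across cron runs."""
    plan, skipped = plan_links(list(list_users(api, broker_realm)),
                               list(list_users(api, idp_realm)))
    linked = already = 0
    for bu, iu in plan:
        base = f"/admin/realms/{broker_realm}/users/{bu['id']}/federated-identity"
        if any(fi["identityProvider"] == idp_alias for fi in api.get(base)):
            already += 1
            continue
        # userId is the subject the broker will see from the other realm (assumed: its user id)
        api.post(f"{base}/{idp_alias}",
                 {"identityProvider": idp_alias, "userId": iu["id"], "userName": iu["username"]})
        linked += 1
    return {"linked": linked, "already_linked": already, "skipped": skipped}


class InMemoryAdminApi:
    """Constructed stand-in for KeycloakAdminApi so the example runs offline."""

    def __init__(self, users_by_realm):
        self.users = users_by_realm   # realm -> list of user representations
        self.links = {}               # (realm, user id) -> federated identities

    def get(self, path):
        parts = path.split("?")[0].split("/")
        if parts[-1] == "federated-identity":
            return self.links.get((parts[3], parts[5]), [])
        qs = urllib.parse.parse_qs(path.partition("?")[2])
        first, mx = int(qs.get("first", ["0"])[0]), int(qs.get("max", ["100"])[0])
        return self.users[parts[3]][first:first + mx]

    def post(self, path, body):
        parts = path.split("/")
        self.links.setdefault((parts[3], parts[5]), []).append(body)


SAMPLE_USERS = {  # constructed sample data
    "corp": [{"id": "c1", "username": "alice", "email": "alice@example.com"},
             {"id": "c2", "username": "bob", "email": "bob@example.com"},
             {"id": "c3", "username": "carol", "email": "carol@example.com"}],
    "kerberos-b": [{"id": "k1", "username": "ALICE", "email": "Alice@example.com"},
                   {"id": "k2", "username": "bob", "email": "robert@example.com"},
                   {"id": "k3", "username": "dave", "email": "dave@example.com"}],
}

if __name__ == "__main__":
    # Against a real server: KeycloakAdminApi("https://sso.example.com/auth", "admin", "secret")
    print(sync_links(InMemoryAdminApi({r: list(u) for r, u in SAMPLE_USERS.items()})))
```

Running the sample links only `alice` (same username and email, differing case), skips `bob` (email differs) and `carol` (no counterpart), and a second run reports that link as already present. The timing concern the ticket raises still applies: a user who logs in through the broker between two runs is prompted as before, and the cache the ticket mentions is not touched by this script.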
Issue Links
- duplicates: KEYCLOAK-7720 First Broker Login flow - ability to link with existing users OOTB (Closed)
- is related to: KEYCLOAK-1727 LDAP with Kerberos, login with different user (Closed)
- is related to: KEYCLOAK-3842 SPNEGO: Support for multiple kerberos realms (Closed)