Feature
Resolution: Unresolved
In Keycloak, it is currently not possible to do Identity Brokering without importing the external user into the Keycloak server as a local user account stored in the Keycloak database.
Being compliant with GDPR by not storing user data in the local database is critical to many organizations that use Keycloak to broker identities to external IdPs.
The GDPR aims to make organizations responsible for the processing and security of the personal data they collect. Businesses that don't comply with the GDPR risk fines of up to €20 million ($23 million) or 4% of their gross annual income from the previous year, whichever is higher.
The Keycloak 23 community release introduced transient users for brokering as an experimental feature. When Keycloak acts as an identity broker, an admin can configure the server not to create users in its local database when a user authenticates with an external identity provider. Such transient users exist only within the user session that created them and cease to exist once that session is removed. This satisfies the 'storage limitation' principle of GDPR Art. 5, which sets out the principles relating to the processing of personal data.
To unblock customers who want to use Keycloak while meeting GDPR compliance requirements, we need to graduate the transient-users feature to a GA (supported) feature as soon as possible.
- relates to: RHSSO-2217 Identity Broker login without having the user account created/imported or present in Keycloak database (Closed)