Red Hat build of Keycloak: RHBK-869

Transient users as an option to not import users from identity brokers

In Keycloak, it is currently not possible to do identity brokering without having the external user imported into the Keycloak server as a local user account stored in the Keycloak database.

Being GDPR-conformant by not storing user data in the local DB is critical to many organizations using Keycloak with identity brokering to external IdPs.
The GDPR aims to make organizations responsible for the processing and security of the personal data they collect. Businesses that don't comply with the GDPR risk fines of up to €20 million ($23 million) or 4% of their gross annual income from the previous year, whichever is higher.

The Keycloak 23 community release introduced transient users for brokering as an experimental feature. When using Keycloak as an identity broker, an admin can configure the Keycloak server not to create users in its local database when a user authenticates with an external identity provider. These transient users are only stored within a specific user session and cease to exist once that session is removed. This conforms to the 'storage limitation' principle in GDPR Art. 5, which defines the principles relating to the processing of personal data.

To unlock customers who want to use Keycloak but have GDPR compliance requirements, we need to graduate the transient-users feature to a GA (supported) feature as soon as possible.

sthorger@redhat.com Stian Thorgersen
rhn-support-igueye Issa Gueye
Component: Keycloak Core IAM