[Freeipa-users] Re: keycloak - the other way around?

On ti, 09 marras 2021, Fraser Tweedale wrote: > On Mon, Nov 08, 2021 at 09:45:39PM +0000, lejeczek via > FreeIPA-users wrote: >> Hi guys. >> >> I've only stumbled upon whole Keycloak thing thus go >> easy on me please. I >> wonder if Keycload can be a "provider" to freeIPA in >> some way? >> One such a scenario where I think Keycloak might be a >> golden egg - if it >> worked that is - is as a "middle-man" for user base >> between(or from to) AD >> and freeIPA when full & legit trust is not possible. >> Does that make sense? >> >> many thanks, L. >> > Hi L, > > It does make sense, and IIRC it is being worked on.  That > is, > authenticating to FreeIPA realm as "external identities" > by way of > SAML or OpenID Connect assertions. > > Adding Alexander, who may be able to comment further. There is an ongoing work to enable this feature. It is not ready yet for any testing as we had been distracted with more important work[1] recently. Hopefully, we'll get back to external IdP support[2] relatively soon. [1] https://lists.samba.org/archive/samba-technical/2021-November/136978.html [2] https://github.com/abbra/freeipa/blob/external-idp/doc/designs/external-i...