Custom Authenticator for OpenID Keycloak realm

Question

I am currently evaluating keycloak as central Identity Manager for multiple a backend with multiple REST services (Resteasy/Wildfly).

After a lot of trial and error and reading the docu, I have succeeded in succesfully making an openid connect login into my custom keycloakrealm (analogue to this post http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html )

I can see the acces token + id_token coming in the response and are able to make requests to the REST services by passing these tokes.

However I can only authenticate using the credentials of the users defined in keycloak itself. However, in our reallife case, the users reside in SAP and are unknown to keycloak.

We do, however have a javalibrary for authenticating these users over the SAPJCO connector.

Can anyone please tell me how to configure keycloak to use a "custom authentication" module for the actual authentication?

Is implementing a custom authenticator SPI ( https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/auth-spi.html ) the way to go? If not, what wuold be a possible solution???

Hope you guys can help!

Reagrds,

Kim Zeevaarders The Netherlands

Answer 1

If you can access the SAP users details via the SAPJCO connector then you could write a custom Federation Provider . The provided example is rudimentary but it give the basic idea and maven dependencies.

In a nutshell you will need to extend org.keycloak.models.UserFederationProvider and provide methods for obtaining user details, validation of credentials and searching by attributes. In your case you would use your SAPJCO connector to fulfil each of these functions against your existing user base.

Update 30 May 2018

The User Federation SPI was replaced with a new User Storage SPI in release 2.5. Migration Notes are available here