I'd like to see this get pushed as well. Apple now requires Shared Signals Framework to support third party IDPs.
There is also https://caep.dev which provides mock backends to implement custom transmitters. One can create a receiver for testing here: https://caep.dev/receiver/streams
I started to work on the SSF support for Keycloak here: https://github.com/thomasdarimont/keycloak/tree/poc/shared-signals

The relevant (PoC) code can be found here: https://github.com/thomasdarimont/keycloak/tree/poc/shared-signals/services/src/main/java/org/keycloak/protocol/ssf

I'm currently focusing on the transmitter part of the spec to let Keycloak propagate security relevant events as SETs (security event tokens). This involves exposing transmitter metadata, offering ways to manage (CRUD) streams and subjects, as well as propagating events via push / pull mechanisms. After that we can add support to let Keycloak act as SSF receiver.

My current implementation is still very early and requires some additional infrastructure (reverse proxy) to be used with tools like https://caep.dev - the reason for this is that the spec mandates to expose the .well-known endpoint with the transmitter metadata at the root of the domain. Instead of https://id.example.org/realms/demo/.well-known/ssf-configuration, we have to use https://id.example.org/.well-known/ssf-configuration or https://id.example.org/.well-known/ssf-configuration/demo.

Disclaimer: I also work on the OpenID Conformance Tests for the SSF Framework and occasionally work on the Keycloak side of things to have another "reference" to "test" the tests during development.
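As an added example (my own code, not Thomas's PoC and not Keycloak code): the SET a transmitter would emit for a CAEP session-revoked event, next to the checks a receiver must make before acting on it (signature, `typ`, `iss`, `aud`, presence of `events`, and `jti` replay). It assumes HS256 with a constructed shared key instead of the JWKS-published key a real transmitter uses; issuer, audience, subject and `jti` values are made up.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not Keycloak's: a real transmitter signs with an
# asymmetric key published in its JWKS; HS256 keeps this example dependency-free.
SHARED_KEY = b"constructed-demo-key"
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SET_TYP = "secevent+jwt"  # RFC 8417 typ; separates a SET from an ordinary access token

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(issuer, audience, subject_email, jti, now=None) -> str:
    """Transmitter side: build a signed CAEP session-revoked SET for one subject."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": issuer, "jti": jti, "iat": now, "aud": audience,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {SESSION_REVOKED: {"event_timestamp": now,
                                     "reason_admin": {"en": "Admin revoked session"}}},
    }
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": SET_TYP}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_set(token, expected_issuer, expected_audience, seen_jtis) -> dict:
    """Receiver side: verify signature, typ, iss, aud and jti replay; return the events claim."""
    head, body, sig = token.split(".")
    expected = hmac.new(SHARED_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("typ") != SET_TYP:
        raise ValueError("not a SET")  # refuse to treat some other JWT as an event
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != expected_issuer or expected_audience not in aud:
        raise ValueError("wrong iss or aud")
    if not claims.get("events"):
        raise ValueError("no events claim")
    if claims.get("jti") in seen_jtis:  # each SET must be acted on at most once
        raise ValueError("replayed SET")
    seen_jtis.add(claims["jti"])
    return claims["events"]
```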
Looks like authentik is now advertising this as a major win over keycloak. https://goauthentik.io/pricing/ https://docs.goauthentik.io/docs/add-secure-apps/providers/ssf/
I would really appreciate SSF support. We're using Apple School Manager at our school and Keycloak as SSO, and Apple requires SSF for OIDC login...
Can Keycloak currently support acting as an SSF transmitter? I want to integrate ABM federated authentication, which requires OIDC and SSF.
We also need this. Both transmitter and receiver. @thomasdarimont we'd be happy to contribute in most ways I can currently think of (incl. development, testing, documentation, ...).
FYI, I created the following issue #43614 to provide an initial SSF implementation based on my previous prototype.
I created another issue #43614 to track only the parts with the SSF Transmitter. I also sent a PR that adds SSF transmitter capability to Keycloak and also makes Keycloak compatible with Apple Business Manager: #48256
To quote the OpenID Shared Signals and Events working group page:
This recently gained some traction, with the OpenID RISC Profile Specification 1.0 being adopted as an OpenID implementer's draft: https://openid.net/2022/08/27/second-implementers-draft-of-risc-profile-approved/
This website from Cisco and the OpenID foundation does a great job at explaining what it is: https://sharedsignals.guide
Conceptually, it is a framework to send security events between parties. There are currently two specs defining types of events:
I think it would make sense for Keycloak to support at least some of those events, both as a transmitter (the party sending those events) and as a receiver (the party getting those events). Personally, I'm interested in Keycloak sending those events, but receiving them would help, for example, to use Google's Cross-Account Protection (which is their marketing name for RISC events).