►
From YouTube: OpenShift Commons Briefing #35: SSO Best Practices. Keycloak Integration with OpenShift
Description
This session will give an overview of Keycloak integration with OpenShift Enterprise. KeyCload is an Integrated SSO and IDM for browser apps and RESTful web services. Built on top of the OAuth 2.0, Open ID Connect, JSON Web Token (JWT) and SAML 2.0 specifications.
Keycloak has tight integration with a variety of platforms and has a HTTP security proxy service where we don’t have tight integration. Options are to deploy it with an existing app server, as a black-box appliance, or as an Openshift cloud service.
We demoed:
1) How to spin up the SSO Server and the recommended manual configuration once it’s up
2) How to spin up the example SSO-enabled, EAP7-based applications using the SSO Server for single sign-on.
3) How to spin up 1 and 2 at once using the demo “all-in-one” template.
For the latest information on OpenShift 3.1 and available briefings, please visit http://commons.openshift.org or subscribe to the OpenShift Blog (https://blog.openshift.com).
The OpenShift Commons exists to provide a platform for customers, partners, developers and other open source technology initiatives to collaborate, share and accelerate the pace of innovation and adoption of OpenShift globally.
The OpenShift Commons represents a new open collaborative community model designed to facilitate communication and sharing of best practices, feedback and development across the many open source initiatives that integrate with OpenShift. The best way to get involved is to join the conversation today at http://commons.openshift.org
A
Well,
hello
and
welcome
everybody
to
the
spoken
Commons
briefing
today.
We're
really
pleased
to
have
a
presentation
on
best
practices
for
SSO
and
we're
going
to
be
talking
about
using
a
creek
clerk
for
our
open
ship
Enterprise.
We
have
with
us
build
the
cost.
With
the
software
engineer
on
the
open
ship
team
and
Diogenes
Vettori
who's,
one
of
our
product
managers
for
open
shift
as
well,
and
we're
going
to
do
this
so
that
we
let
the
guys
give
a
20
30
minute
presentation
with
a
demo
and
then
afterwards,
we'll
do
Q&A.
A
B
Right
thanks
everyone
for
your
time
again,
the
origins
rhetoric
here,
I'm
happy
to
have
you
joining
me,
so
this
today
I'm
going
to
talk
a
little
bit
just
do
a
level
set
on
some
of
the
media
services.
We
have
an
open
shift
already
and
then
a
little
bit
on
our
ideas
for
SSO
and
then
after
that,
we're
gonna
have
bill.
Doing,
let's
say
the
majority
of
the
work
so
he's
the
man
here,
they've
been
doing
very
cool
demonstrations
for
you,
so
bill
necks
like
this
go
Thanks.
So
this
is.
B
These
are
some
of
the
services
we
have
on
open
ship
today.
So
right
hat,
we
are
we
work
with
ourselves
and
we
work
with
partners
to
bring
more
and
more
capabilities
into
open,
shipped
some
of
the
services
that
already
are
available
there.
Some
of
the
types
of
workloads
you
can
run
an
open
shift
or
mention
here
I've
just
mentioned,
like
let's
say
the
most
popular
ones,
we've
seen,
which
is
JBoss
EAP.
B
So
we
have
today
too
bossy
if
you
run
an
open
shift
and
our
integration
is
such
that,
for
example,
if
you
spin
up
two
containers
of
JBoss
it
automatically
creates
and
configure,
is
a
cluster
for
you.
So
you
don't
have
to
do
anything.
We
have
just
recently
added
our
a
decision
service
which
comes
from
the
business
rules,
management
system
product
and
with
that
you
can
make
sure
your
rules,
execution
I,
happen
happen
from
your
application
source
code
and
you
can
evolve
your
business
rules
separately
from
the
rest
of
your
application.
B
We
recently
added
a
data
cache
in
solution
distributed
data
caching,
solution
of
data
grid.
You
can
also
have
your
very
nice
kami
routes
running
as
individual
microservices
before
a
few
solution.
We
had
messaging
already
and
I'm
sure
you
know
that
beginner
also
Tomcat
and
integrative
JBoss
developer
studio
as
well.
Next
slide,
please.
So
this
there
are
other
types
of
services
that
we
wanted
to
bring
to
the
OpenShift
platform.
B
So
before,
let's
say
they
were
essentially
services
to
beauty
or
application,
but
we
believe
there
are
also
infrastructure
services
that
your
application
requires
right
or,
let's
say
even
API
services.
So
will
be
soon
introducing
API
services
to
open
shipped
via
API
management,
and
the
community
project
is
API
men,
so
we
have
work
under
going
to
have
a
a
P
I
managing
gateway
and
openshift
integrated
with
the
platform,
so
we'll
be
able
to
secure
API
is
control
access
to
it.
B
However,
all
from
the
openshift
platform
in
another
very
common
request-
we
have
another
very
common
use
case-
is
the
ability
to
secure
applications
itself
from
from
from
another
perspective,
and
now
so
now
allowing
single
sign-on
so
we're
introducing
jboyeskie
cloak
as
a
tech,
preview
and
openshift.
The
name
of
the
product
is
Red.
Hat
single
sign-on,
open
ship
does
the
first
ones
to
receive
this.
The
stack
preview.
It
has
not
been
announced
to
the
general
public,
so
it
is
available
for
customers
and
people
that
want
to
try
to
an
open
shift.
B
So
it's
going
to
be
very,
very
happy
to
have
build
demonstrating
this,
and
our
intention
with
single
sign-on
is
that
again
we
do
the
hard
lifting
for
you.
You
define
your
your
your
roles
in
your
own
application
and
then
connect
your
application
to
our
single
sign-on,
and
you
don't
have
to
do
anything
else
right.
So
if
that
tanks
and
I'm
going
to
transition
over
to
Bill
who's
going
to
be
lets,
say
explaining
a
little
bit
more
in
details,
what
we're
talking
about
and
running
few
demos
do
when
you
thank
you
thanks,
Dan.
C
Great
thanks,
thank
so
much
needs
just
a
check,
and
can
you
hear
me?
Okay,
okay,
great,
so
I'll
go
through
a
couple
of
slides
quickly
and
then
I'll
jump
over
to
a
demo.
I
think
a
demos
worth
of
thousand
slides
particular
in
this
case.
So
what
I'm
going
to
focus
on
is
is
really
what
we're.
What
we've
got
today
for
docker
images
or
OpenShift
images
for
SSO
and
for
enabling
SSO
for
je
application.
C
When
you
actually
go,
you
know,
drop
your
war
file
onto
an
application
server
and
it's
it's
got
a
trigger
in
that
that
says:
hey
I
want
to
be
SSO,
enabled
it'll
go
configure
both
the
SSO
server,
the
key
folks
server,
as
well
as
all
the
configuration
over
on
the
application
side
as
well.
Today
we
support
EAP
based
web
app,
essentially
war
deployment.
So
you
know
web
applications
and
and
web
services.
C
There
is
the
SSO
or
key
cloak
server
image,
there's
and
then
there
are
two
other
images
that
we've
one
has
been
out
for
a
while:
the
EAP,
six
or
openshift
image,
and
there's
one
that's
in
beta
right
now
for
EAP
seven,
and
these
have
been
enhanced
so
that
they're
they've
now
got
SSO
kind
of
enabled
capabilities
which,
which
you'll
see
in
the
devil,
so
dig
a
little
bit
deeper
into
each
one
of
these.
The
the
key
cooker
SSO
server
is
really
just
a
je
application,
so
it's
deployed
on
top
of
its
own
EAP,
seven
instant.
C
A
couple
kind
of
details
we
we
actually
base
this
particular
image
on
a
standalone
image
which
is
non
OpenShift
goodness.
So
it's
just
a
straight
docker
image
and
just
like
all
the
other
images
that
we
provide
for
kind
of
a
JBoss
support,
portfolio
or
XPath,
you
can
go
and
can
modify
the
configuration
of
each
one
of
these
images
by
passing
in
environmental
variables.
We'll
see
a
little
bit
of
that
in
the
demo,
but
a
generic
example
is
hey.
I
need
to
go
and
enable
HTTPS
right.
C
So
where
am
I
going
to
go
and
point
it
to
the
proper
certificates
or
key
pairs?
One
of
the
other
kind
of
key
pieces
of
the
SSO
server
configuration
is
in
you
can
go
and
create
all
of
the
server
configuration
in
one
big
JSON
file
and
import
it
and
export
it.
We
have
that
capability
as
well
inside
of
OpenShift.
C
So
if
you
don't
want
to
do
manual,
configuration
you've
got
your
blessed
SSO
server
configuration
you
can
go
and
import
that
we
use
open
ship
secret
mechanisms
to
provide
that,
and
also
one
other
piece
that
I
just
wanted
to
mention.
Is
we
on
the
box?
We'll
go
create
an
ADD
and
or
a
user
with
admin
capabilities.
C
Obviously,
that's
configurable.
When
you
go
and
actually
spin
up
the
server,
then
the
next
kind
of
quick
point
is
the
EAP
six
and
EAP
seven
images
they
both
say.
Essentially
what
it
is
is
all
the
capabilities
for
enabling
SSO
for
your
deployed
applications
than
it
is
in
there
and
the
when
you
actually
go
to
for
your
application.
The
image
will
notice
that
it's
either
a
keyed
for
there's
it's
kind
of
a
trigger
in
there.
C
C
What
will
happen
is
it'll,
go
and
make
a
call
over
to
the
SSO
server
to
say:
hey
here,
I'm,
a
new
app
that
needs
to
be
secured
through
key
cloak
and
auto.
Configure
me
a
particular
client
and
until
it'll
do
all
the
configuration
on
on
the
SSO
server
side,
and
it
will
also
do
the
configuration
on
the
internals
of
the
app
server,
the
EAP
instance,
where
the
application
itself
is
support.
C
C
That's
a
templates,
hopefully
everybody's
familiar
with
open
chef
templates
in
a
nutshell.
What
they
do
is
they
give
you
the
capability
to
go
and
and
spin
up
one
or
more
different,
pods
or
pieces
of
your
application
and
auto
configure
them
or
hook
them
all
together.
So
we've
got
a
couple
of
different
templates
out
there
there's
a
whole
bunch
of
them
for
the
SSO
server
itself,
where
you
can
go
and
say:
hey,
I
want
an
SSO
server
and
I
want
it
to
be
backed
by
XYZ
database.
C
Where,
in
this
you
know,
we
can
either
use
the
embedded
EAP
h2
database,
you
could
hook
it
up
to
an
external
Postgres,
that's
running
in
some
other
containers
or
other
pods
get
over
my
sequel.
You
can
decide
whether
you
want
the
database
to
be
persistent
or
non
persistent.
Openshift
is
got
a
capability
where
you
can
back
the
database,
whether
it's
a
an
NFS
mile,
so
you've
got
templates
for
all
that
stuff,
really
easy
to
go
spin
all
this
stuff
up
and
that's
what
the
demo
whole
show
I'm
similar.
C
C
This
does
require
a
little
bit
of
manual
configuration
you've,
got
to
go
and
spit
up
manually,
go
and
configure
a
little
bit
of
the
SSO
server
go,
create
users
and
roles
and
realms,
and
this
is
the
normal
way
that
people
are
going
to
do
things
right.
They're
gonna
go
spin
up
an
SSO
server
and
then
they'll
go
deploy,
applications
out
to
multiple
different
pods
or
containers
where
their
applications
are
deployed.
So
there's
a
little
initial
kind
of
set
up
to
go
and
set
up.
You
know
the
users
and
roles
and
a
particular
realm
or
well.
C
However,
we've
also
got
to
kind
of
get
started
really
quickly.
We've
got
some
templates
that
you
really
for
demo
purposes,
but
it's
a
good
way
to
get
started
that
you
can
go
and
by
executing
one
of
these
templates,
you'll
can
spin
up
the
whole
thing
and
it'll
auto
wire.
There's
no
manual
configuration
at
all,
so
this
is
a
good
way
to
go,
get
started.
We
can
go
fire
this
one
template
off
and
it'll
spin
up
the
server
the
EAP
it'll,
deploy
your
applications,
contribu
be
good
to
go
and
at
the
very
end
of
the
demo.
C
Hopefully,
we've
got
time
and
everything
goes
smoothly.
I
could
be
published.
I'll
show
that
piece
as
well
and
just
lastly,
there's
a
couple
of
different
points.
I
just
want
to
make
out
of
all
the
a
lot
of
good
stuff
up
a
key
cloaked
org
we're
just
good
talking
right
now
about
je
applications
deployed
the
EAP,
but
up
on
the
community
side,
there's
office
of
other
adapters
for
other
frameworks
or
platforms
that
keep
poke
support
and
the
images
that
we're
talking
about.
C
D
D
B
C
Thanks
anything
thanks
thanks
everybody
for
joining
know,
can
you
guys
stay
in?
You
can
see
my
screen.
Still,
okay,
you
can
see
the
VM.
It
looks
perfect.
Okay,
so
I've
got
an
open
ship
incident
just
running
locally.
It's
a
master
in
a
node,
so
I'll
get
everything
just
running
inside
of
one
single
VM
and,
as
you
can
see,
I've
been
a
demo
project.
Setup
and
I've
got
absolutely
nothing
running
inside
of
my
project
to
start
so.
C
C
D
C
So
now
see
that
that
Postgres
is
going
to
spin
up
and
then
the
SSO
server
itself
is
going
to
spin
up
now.
You'll
you'll
notice
here
that
I
didn't
I,
didn't
pass
in
any
environmental
variables
right
because
we
try
to
get
these
templates
all
to
work
out
of
the
box
with
defaults.
So
in
this
case
it's
going
to
go
spin
up.
These
particular
applications.
Postgres
is
up,
Postgres
is
ready.
The
SSO
server
is
coming
up.
C
This
is
he
this
is
the
application
I'm
going
to
go
to
poi.
So
if
you
go
take
a
look
up
and
get
hub,
github
people
keep
poker
examples.
There
are
four
different
out:
there's
a
bunch
of
different
applications
in
here,
but
I'm
going
to
focus
on
the
EAP
based
applications
of
the
je
based
application,
app,
je
Profile,
je
sam'l,
which
is
a
sam'l.
The
other
ROI
DC
I
have
profile
je
and
service
Jackson
RS,
which
is
just
a
web
service.
We've
got
three
kind
of
web
front-end
applications
and
a
web
service
application
on
the
backend.
C
C
So
this
is
the
SSO
server
itself
right.
So,
as
I
said,
the
initial
image
is
going
to
have
an
initial
admin
user.
That's
just
admin
admin
if
I
wanted
to
go
and
create
another
admin.
There's
a
you
know.
If
you
had
passed
in
an
e
and
B
here
to
go
and
specify
whatever
your
admin,
user
and
credentials
would
be.
That's
how
you
do
it.
So
let
me
go
login
okay,
so
this
is
the
key
cloak
console.
C
The
first
thing
I'm
going
to
do
for
my
demo
is
I'm
going
to
go,
create
another
realm,
create
a
demo
realm
and
there's
a
key
pair
and
a
certificate
associated
with
every
realm.
So
I'm
going
to
copy
this
realm
certificate
into
my
sheet
to
eat
and
I'll.
Explain
this
a
little
bit
more
detail
when
I
get
over
to
deploy
my
application,
but
bear
with
me
for
a
second
I
just
want
to
preserve
that
public
key
for
when
I
deploy
my
apps.
C
The
next
thing
I'm
going
to
do
is
I'm
going
to
go,
create
some
roles,
so
the
roles
that
I'm
going
to
create
if
I
hop
back
over
to
the
application
source,
if
I
just
pick
one
of
these
I'll
take
the
web
services
one
if
I
go
inside
of
the
web
services,
applications
and
I
take
a
look
at
the
metadata.
That's
associated
with
the
web,
app
you'll
notice,
a
couple
of
things:
you'll
notice.
C
You
know
this
is
normally
be
something
like
basic
or
form,
but
in
this
case
this
is
the
flag.
That's
going
to
indicate
that
we've
deployed
this
application,
it's
going
to
tell
the
image:
hey,
I'm
a
you
know,
a
key
cloak
or
an
SSO
enabled
application.
I
need
to
be
on
a
wired
right.
Go
do
all
that
magic
configuration
so
that
I'm
secured
to
the
episode.
C
And
then
I'm
going
to
go,
create
some
some
users,
just
for
the
demo
purposes,
I'm
going
to
do
all
the
kind
of
the
user
management
through
SSO
or
key
cloak
itself,
so
I'm
going
to
go,
create
the
first
thing:
I'm
gonna
do
is
I'm
going
to
go,
create
a
service
user
and
this
isn't
an
end
user.
This
is
really
just
a
user.
C
That's
got
the
right
to
go
and
do
some
management
inside
of
the
realm,
so
that
it's
this
is
only
going
to
be
used
to
have
one
of
the
the
pod
that
is
running
the
application,
be
able
to
talk
to
the
key
code,
server
directly
and
change
the
config
and
that's
how
all
of
its
kind
of
auto
magic
wiring
happens.
So
let
me
save
the
service
user
I'm
going
to
go,
give
it
some
real
credentials.
I'm
just
going
to
put
in
password
for
the
password
save.
C
I'm
going
to
this
guy
some
realm
management
capabilities
again
this.
This
isn't
something
you
necessarily
give
to
the
end
user,
but
this
is
just
for
kind
of
internal
odd,
the
pod
communication.
You
know
application
configuration
over
the
organization,
okay
and
then
now
it's
going
to
go,
create
an
end
user
user.
So
I'm
gonna
call
this
guy
demo
user.
C
That
the
password
and
now
I'm
going
to
give
this
end
user
the
end
user
privileges.
So
we
can
actually
has
the
rights
to
access
the
different
resources
within
the
sample
application.
So
this
is
all
I'm
going
to
do
to
go
and
set
up
the
demo
manually
on
the
SSO
server,
sighs,
so
the
next.
The
next
step
is:
ok,
great
we've
been
arrested
for
server
setup
and
running
already
for
some
applications.
Those
four
applications
that
I
had
talked
about:
let's
go
to
poi
those
applications.
Okay,
so
here's
the
next
command
that
I'm
gonna
go
issue.
C
C
Okay,
so
we'll
see
right
here,
a
build
pops
up
right,
so
this
image
is
now
downloading
all
the
source
from
from
github
up
here,
gonna
do
the
build
spin
up
another
pod?
That's
got
EAP
running
in
it,
deploy
those
applications
and
do
all
the
arts
they
automatic
and
fig.
One
thing
I
do
want
to
show.
While
that's
going
on
is
right
now,
there's
no
clients
right.
These
clients,
you
know,
correspond
to
the
end
user
applications
or
they
will
so
there's
nothing
set
up
here.
C
There
will
be
once
the
the
applications
are
all
deployed
and
get
up
are
up
and
running.
So
let
me
come
back
and
and
explain
what's
going
on
in
that
command
that
I
just
issued.
So
the
first
thing
is
I'm
using
the
SSO
enabled
EAP
7
template
right
and
s2i
means
that
hey
this
is.
This
is
actually
going
to
pull
some
source
down
and
do
a
build
and
then
go
and
build
another
image
with
built
source.
C
So
I
can
go
deploy
that
that
combo
image
I'm
giving
the
application
a
name
itself
in
this
case
I'm
just
calling
it
hello
world
I.
Also-
and
this
is
maybe
the
most
important
part
I-
also
passed
in
I-
said
hey:
where
is
the
SSO
or
people
oak
server
right?
So
it's
over?
It's
secure,
SSO,
demo
cloud
apps
example.com,
which
is
exactly
what
I'm
looking
at
here
right,
so
I'm,
just
pointing
the
app
server
where
the
applications
are
the
SSO
server.
So
it
knows
how
to
talk
to
it.
C
As
a
cell
realm
is
demo,
that's
the
one
I
manually
created
public
key.
We
had
talked
about
it's
not
required,
but
recommended
to
actually
pass
that
in,
and
then
here
is
the
SSO
username
and
password
that
I
also
want
and
created.
This
is
the
service
user,
not
the
end
user
right.
So
this
is
the
user
that
has
the
realm
management
capability,
which
is
going
to
allow
this.
This
user
make
a
call
over
from
the
the
application
pod
to
go
and
pen
modify
and
create
the
corresponding
client.
So
you
don't
have
to
go.
C
Do
all
that
manually
and
I've
also
modified
the
branch
that
I'm
pulling
it
up
from
github,
in
this
case
the
templates
right
now
we're
tied
to
for
the
tech
preview
but
I'm
using
the
latest
and
greatest
stuff.
So
you
can
go
and
modify
hey
where
do
I
want
my
source,
what
branch
up
and
github
all
that
kind
of
good
stuff?
Okay,
so
let's
come
back
and
see
where
we
are
okay,
so
everything's
kind
of
been
up
and
running
the
build
happened,
hello
world.
So
this
is
my
EAP
incidence
that
is
now
up
and
running
right.
C
C
Okay
and
you'll,
see
here
in
the
logs
okay
here
here
are
the
four
war
files
that
were
deployed
that
I
pulled
down
from
github
and
bill
right
so
and
as
also
as
part
of
this
deployment,
when
these
are
deployed,
it
also
modified
the
the
app
service
configuration
to
have
all
of
the
key
club,
whether
it
so
I,
DC
or
sam'l.
So
all
that's
automatically
configured
on
this,
and
also,
if
I
come
over,
come
back
over
to
the
Kiko
server
side.
C
You'll
now
see,
there's
four
new
clients,
so
this
new
client
config
for
the
four
different
applications
that
I've
got
here,
so
there's
really
kind
of
minimal
manual
configuration
you've
got
to
do
and
I
think
this
is
one
of
the
kind
of
the
powerful
pieces
of
oak.
But
what
OpenShift
and
the
images
are
going
to
provide
is
it's
really
all
you've
got
to
do.
Is
is
be
able
to
specify
this
when
you
deploy
a
particular
application
right.
C
You
say
your
application
is
a
key
cloak
or
a
key,
coax
sam'l
application
spin
up
your
template,
pass
it
in
a
little
bit
of
details
about
your
environment
and
and
you're
good
to
go,
and
then
all
the
configuration
happens
yourself
so
you're
not
messing
with
Excel.
You
don't
have
to
go
in
and
manually
create
all
this
stuff.
C
Okay.
So
what
does
this
actually
ultimately?
Look
like
at
the
end?
Let's
go.
Take
a
look
at
the
actual
application
I
come
over
to
here
and
take
a
look
at
the
routes.
Again.
I've
now
got
an
HTTP
and
HTTPS
route
for
accessing
the
actual
app.
So
if
I
go
take
a
look
at
here,
if
I
come
over
and
I
go
to
secure,
HelloWorld,
that's
just
as
the
one
as
any
so
I
go
hit.
C
So
this
is
an
application
that
is
actually
going
to
hit
the
web
services
application
on
the
backend
right.
So
if
you
remember,
I've
got
three
different
front-end
web
apps
and
then
one
back-end
app
that
just
exposes
some
web
services.
This
particular
front-end
application
is
going
and
hitting
those
three
different
web
services
that
you
can
see
and
that
are
configured
here
in
the
source.
C
So
there's
a
public
one,
that's
not
secured
a
secured
one
that
I
need
the
user
role
for
and
an
admin
one
that
I
need
to
add
or
so
I
can
go
and
hit
the
public
one
great
right,
I
haven't
done
any
login.
It's
a
that
web
service
is
exposed.
No
problem,
I
go
hit,
the
secured
one.
This
is
actually
secured.
I
don't
have
the
role
because
I
haven't
logged
into
the
SSO
server,
so
it
fails
now
if
I
go
hit.
C
The
login
button,
you'll
notice,
that
it
redirects
me
over
to
you
I'm
no
longer
at
my
application.
I
am
now
actually
talking
to
the
SSO
server.
So
now
I'm
going
to
log
in
as
the
end
user,
which
is
demo
user
demo
pass
again,
and
it
takes
me
back
to
the
app
now
you'll
notice,
a
couple
of
things.
One
I've
got
a
wideout
button
now,
because
I've
got
the
proper
credentials
to
get
to
the
app
I
can
also
go
and
take
a
look
at
the
account.
This
account
button
showed
up
if
I
go
hit
account.
C
C
I
can
still
have
public
I
now
have
the
user
role,
because
I'm
logged
in
as
demo
user,
who
has
I,
use
a
role
and
did
over
admin
right,
so
I
can
now
hitting
those
web
services
they're
secured,
so
hid
fog,
I'm
back
to
what
I
started.
Similarly,
these
same
kind
of
capabilities
exist
whether
it's
for
app.
This
is
a
no
YDC
app,
but
I
can
just
as
easily
go
out
profiles.
Sam'l,
the
same
kind
of
thing
log
in
is
demo
user.
C
And
there's
the
application
right
I
could
do
similar
things
if
I
hop
over
and
I
want
to
get,
maybe
not
the
sam'l
application,
but
the
OID
C
application,
I'm
already
logged
in
right
since
I
logged
into
the
sam'l
application.
Those
credentials
are
still
valid,
I'm
still
the
same
user
with
the
right
roles
and
now
I
can
go
and
take
a
look
at
this
particular
application.
C
So
that's
really
kind
of
a
nutshell.
What
I,
what
I
wanted
a
demo
I'll
take
a
look
and
see
if
there's
any
there's
any
kind
of
questions
what
I
want
to
do?
If
there
aren't
any
other
kind
of
questions
here,
what
I
can
do
is
I'm
gonna
go
delete
all
this
stuff
and
I
just
want
to
go.
Show
you
the
the
all-in-one
template,
because
I
think
it's
a
great
way
to
get
started.
Let
me
go
delete
all
this
stuff
that
I
just
created
I,
don't
love
the
beauty
of
pads
right,
easy
up,
easy
down.
C
C
C
So
what
this
is
I'm
now
firing
up
a
different
template,
and
this
template
is
is
just
as
the
name
says,
it's
an
all-in-one
right.
I
don't
have
to
do
with
any
of
the
kind
of
complicated
stuff
or
reasonably
complicated
stuff.
That's
up
here.
What
it's
going
to
do
is
it's
going
to
spin
up
the
SSO
seven
server
in
one
pot
or
container
it's
going
to
go
and
spin
up
a
separate
pot
or
container.
That's
got
an
EAP
instance
in
it.
C
C
You'll
go
spin
up
your
your
SSO
server
and
then,
as
application
teams
come
on
board,
they'll
go
spin
up
different
EAP
instances,
that'll
have
their
applications
deployed
and
tie
it
all
in
into
that,
so
that
SSO
server
or
maybe
different
SSO
servers
run
this
out
of
the
same
path.
But
this
is
a
really
kind
of
good
way
to
get
started.
Given
in
one
command,
you
can
spin
up
the
whole
thing
itself.
A
A
At
there
is
one
question
in
there:
Marcus
and
she's
mentioning
and
I
think
one
of
the
the
core
key
folks
Isis
is
trying
to
answer
it.
You
mentioned
that
the
users
are
are
in
key
cloak
for
the
demo,
but
what
does
a
production
deployment
look
like
and
where
are
the
news
used
to
post
org
and
Becky
is
boleslav
who's,
trying
to
answer
that
so
I'm
going
to
see
if
I
can
unmute
him
and
he's
on
you
both?
So,
if
you'd
like
to
answer
that.
E
Yeah
you
can
well
I.
Think
bill
was
mentioning
it
at
the
beginning
that
you
can
use
in
a
relational
database,
so
bilkins
I
guess
explain,
what's
supported
in
the
templates
but
like
Postgres
or
by
mysql,
and
then
you
can
obviously
connect
LDAP
servers
or
configure
it
with
Kerberos
for
authentication.
C
Yeah,
so
an
open
chip,
so
in
openshift
now
the
templates
and
the
image
of
support,
spinning
up
just
like
we
did
spinning
up
either
backed
by
Postgres
by
sequel
or
the
internal
EAP
h2
database.
But
there's
nothing
to
prevent
you
and
the
nice
thing
about
using
those
is
is
that
it
does
all
the
auto
wiring.
C
One
of
the
things
you
didn't
see
is
at
no
point,
even
though
the
SSO
server
is
being
backed
by
Postgres
instances
running
it
no
point,
did
you
ever
see
me
go
in
and
do
any
configuration
to
configure
the
SSO
server
to
tell
it
where
Postgres
was
right,
so
this
is
one
of
the
kind
of
really
cool
things
about
open
ships
and
paths.
Is
that
this
auto
wiring
all
happens
this
Auto
config?
C
Maybe
you've
got
you
know
some
huge
Oracle,
RAC
infrastructure,
that's
running
outside
of
the
paths
that
you
want
to
hook
your
SSO
server
into
you,
don't
maybe
want
the
database
running
inside
of
the
paths.
You've
already
got
all
that
Identity
Management,
you
know
user
user
management
running
somewhere
and
you
just
want
to
hook
your
SSO
server
into
it.
So
you
can
certainly
do
that,
but
the
the
at
least
today,
the
auto,
wiring
and
auto
magic
is
hooked
up
through
the
templates
and
stuff
through
for
those
three
databases.
I
mentioned.
A
Those
are
the
questions
everything
right
now
is
in
technical
preview
and
so
I'm
sure
both
LA
and
Bill
Burke,
and
keep
those
books
as
well
as
the
folks
that
have
built
these
images
and
holy
they're.
Definitely
looking
for
feedback
and
your
thoughts
on
them
and
other
adapters
that
could
be
written
for
key
cards
where's
the
best
way
for
people
to
reach
out
to
you
guys
and
give
you
feedback
on
this
I.
C
I
can
certainly
so
we've
got
a
couple
of
folks
from
from
my
team
I
believe
my
managers
on
Kevin
Connor
there's
a
lot
of
different
resources
that
you
can
do
to
get
to
to
get
to
the
engineering
teams
who
are
building
these
images
and
we've
also
got,
and
thanks
guys,
got
a
lot
of
the
folks
from
the
actual
the
key,
coax
team
on
as
well.
So
we've
got
kind
of
both
teams.
So
it's
the
team
that
takes.
C
A
The
the
one
last
question
that
I'm
seeing
here
yeah
you
could
even
send
an
email
that
be
Burke
and
I'll
post
that
with
the
register
on
the
mailing
list.
This
is
one
question
here:
that's
the
typical
one
that
everyone
always
asked
is
when
even
the
ballpark
date
could
be
expect
right
had
SSO
to
GA
and
be
available.
E
Quit
publicly
we
cannot
really
claim
an
AGA
date,
although
we
were
quite
open
in
the
community,
so
the
manual
is,
it
was
announced
at
one,
that's
nine,
that
ex
branch
is
being
polished
and
it
will
be
a
base
for
supported
product
offering
I.
Think
that
good
answer
is
right.
Now
it's
under
sooner
than
later,
we
will
have
a
supportive
product.
That's.
B
A
And
I
I
love
that
part
to
you,
because
almost
everything
is
is
driven
by
the
summit.
That's
the
great
motivator
to
get
things
done
and
out
there
there's
one
more
question
here:
can
you
about
authenticating
against
a
limb,
a
remove
samo
or
Oh
IDC
server
seen
lots
of
requests
to
do
something.
So
what
did
you
move
all
right?
Actually,
remote.
E
C
E
Yeah
so
here,
if
you
add,
with
a
provider
yeah,
you
can
add
either
sound
to
bias
or
phonetic
on
a
device
or
any
social
kind
of
provider,
and
then
you
can
authenticate
against
those
or
if
you
click
at
user,
Federation
and
then
add
provider
here
you
can
add
either
LDAP
or
Kerberos,
and
you
can
do
quite
powerful
configuration
sync
interruptions
and
mapping
what
it's
mapped
into
cue
cloak.
What
is
mapped
into
the
token
and
so
on.
A
Well
then,
I
think
that
might
be
all
the
questions
we
have
right
now.
So
that's
much
faster
demo
than
our
previous
one.
So
thank
you
very
much.
The
cost
for
taking
the
time
to
swap
laptops
and
for
GOG
knees
for
giving
us
an
intro
piece
is
there.
We
will
of
course,
do
any
Q&A
that
you
need
on
the
mailing
list
or
you
can
register
for
the
key
quote
mailing
list
as
well,
and
so
I
encourage
you
to
do
that
and
you'll
be
definitely
seeing
more
of
this
I'm
sure
at
Red
Hat
summit.
A
So
thank
you
to
all
the
core
key
code,
folks
that
have
come
on
for
this
and
we're
hoping
that
we
can
keep
demoing
this
and
maybe
show
it
with
a
few
adapters
in
the
not-too-distant
future
and
there's
one
other
announcement
we'll
be
starting
up
and
an
opening
shift.
Cominis
sig
for
image
builders,
starting
May,
4th
and
there's
new
on
the
interest
on
the
open
shift.
Commons
page
there
is
a
list
of
special
interest
groups
and
the
new
one.
A
This
week
is
image
builders
and,
if
you're
interested
in
creating
images
that
are
redistributable
and
ready
to
run
on
open
shift,
I
encourage
you
to
sign
up
for
that.
So
thanks
again
to
everybody
for
joining
us
and
we'll
be
posting,
this
recording,
probably
tomorrow
as
a
blog
post
with
some
of
these
links
that
we've
had
here
today.
So
thanks
again
and
we'll
talk
to
you
all
again,
very
very.