Hello,
We are using ABP 8.2.1 currently but if necessary we can upgrade to 9.
We have two topics:
We are developing different applications using ABP. We do not want to have separate user and permission management for each application. Instead, we want all applications to communicate with a central identity management system. In other words, whether logging into Application A or Application B, we want to redirect users to the same central login application (we will send the application client information within the URL). After successful authentication, we want roles and permissions to be included in the token and redirect back to the application.
Is this possible with the AbpAccountPro module?
If it is possible, we assume that the user and role tables will exist only in the central application, and the client applications will not need these tables. Is that correct?
The applications we develop are used by different enterprise customers. Some of these customers want to handle the authentication part within their own systems (e.g., Keycloak or Azure MFA). In this scenario, only the authentication will be handled via Keycloak, but all other processes such as roles and permissions will continue to be managed on our side.
Is it possible to achieve this?
When the login screen is opened, can we directly redirect to the Keycloak (external provider) login screen? We don’t want users to have to click a "Login with Keycloak" button again when the login page opens.
1 Answer(s)
Hi, here are the brief answers to your questions:
Q1: Is it possible to have a centralized identity management with AbpAccountPro module?
Yes, it is absolutely possible to achieve a centralized identity management system using the AbpAccountPro module.
Q2: If it is possible, we assume that the user and role tables will exist only in the central application, and the client applications will not need these tables. Is that correct?
Yes, this is correct. In this setup, the AbpUsers and AbpRoles tables (and other related tables) will primarily reside in the database of your central identity management application. The client applications will not need these tables.
Q3: Integration options with External Authentication Providers (Keycloak/Azure MFA)?
Yes, it is definitely possible to integrate with external authentication providers like Keycloak or Azure MFA. Here are some resources that may help you:
Q4: When the login screen is opened, can we directly redirect to the Keycloak (external provider) login screen? We don’t want users to have to click a "Login with Keycloak" button again when the login page opens.
You can directly redirect users to Keycloak (or any other external provider). You need to create a "realm" in the Keycloak dashboard, get the related URL and update the Authority section in the appsettings.json file, for example (you should configure the OIDC scheme as you would in a normal .NET application; there is no difference).
Regards.
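As an added illustration of the answer to Q4 (this is example code written for this reply, not code from the thread or from the ABP framework), the following ABP module registers a plain ASP.NET Core OpenID Connect scheme pointed at a Keycloak realm and makes it the default challenge scheme, so an anonymous user hitting a protected page is sent straight to Keycloak with no intermediate "Login with Keycloak" button. The configuration section name `Keycloak` and its keys (`Authority`, `ClientId`, `ClientSecret`), the realm URL and the module class name are assumptions chosen for the example; the realm URL would be the one obtained from the Keycloak dashboard as described above. The `OnTokenValidated` handler drops any role claims issued by Keycloak, matching the requirement in the question that Keycloak handles authentication only while roles and permissions stay on the application side.

```csharp
// Example: direct redirect to a Keycloak realm via the standard OIDC handler.
// Assumed appsettings.json section (placeholder values, not from the thread):
//   "Keycloak": {
//     "Authority": "https://keycloak.example.com/realms/<realm-name>",
//     "ClientId": "<client-id>",
//     "ClientSecret": "<client-secret>"
//   }
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Volo.Abp.Modularity;

public class KeycloakWebModule : AbpModule // hypothetical module name
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();
        var keycloak = configuration.GetSection("Keycloak"); // assumed section

        context.Services
            .AddAuthentication(options =>
            {
                // The local session is kept in a cookie...
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                // ...but every challenge (an anonymous user reaching [Authorize]) is
                // handled by the OIDC scheme, so the browser goes to Keycloak at once.
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                // Authority = realm URL from the Keycloak dashboard; the handler
                // fetches the discovery document and signing keys from it.
                options.Authority = keycloak["Authority"];
                options.ClientId = keycloak["ClientId"];
                options.ClientSecret = keycloak["ClientSecret"];

                // Authorization code flow with PKCE, not the implicit flow.
                options.ResponseType = OpenIdConnectResponseType.Code;
                options.UsePkce = true;

                // Reject plain-HTTP discovery documents; relax only on a dev box.
                options.RequireHttpsMetadata = true;

                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("profile");
                options.Scope.Add("email");

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "preferred_username",
                    RoleClaimType = ClaimTypes.Role,
                    ValidateIssuer = true
                };

                options.Events = new OpenIdConnectEvents
                {
                    OnTokenValidated = ctx =>
                    {
                        // Keycloak only authenticates here. Remove any role claims it
                        // sent so authorization is decided solely by the application's
                        // own role and permission tables.
                        var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
                        foreach (var roleClaim in identity.FindAll(ClaimTypes.Role).ToList())
                        {
                            identity.RemoveClaim(roleClaim);
                        }
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

With `DefaultChallengeScheme` set to the OIDC scheme, the login page itself is never shown for Keycloak-backed tenants; if one application serves both local and Keycloak customers, the challenge scheme would instead be chosen per request (for example from the tenant or the client information carried in the URL) rather than set globally as here.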