Mixing IdP and Federated Authentication

Hello! I have a scenario where I am considering Keycloak and would appreciate some advice! I am very new to Keycloak, so please correct any of my assumptions or errors.

I have a few authentication sources:

  1. External SAML/Shibboleth IdP (I do not control but need to allow authentication with). Provides ePPN in the form of user@domain.tld. This authenticates users to web applications with this external provider. This provider already enforces 2FA.
  2. External Kerberos. This is used to allow external users to authenticate (SSH) on our machines (not web).
  3. Local LDAP/Kerberos. This is used to allow our users to authenticate (SSH) on our machines (not web). These usernames never conflict with the usernames of the external Kerberos provider.
  4. Local SAML/Shibboleth IdP. This is the piece that we can replace. We were using Shibboleth to match the external provider, but there is really no need to stick with Shibboleth.

We have these applications:

  1. Machine login (Kerberos) that requires both Local and External accounts
  2. Web applications that require both Local and External Accounts
  3. Web applications that require only External Accounts

Implementation options:

  1. Option A: Web applications authenticate via SAML. Web applications are configured to directly authenticate with both the External Shibboleth and the Local Keycloak. Web applications provide the interface for selecting which authentication method should be used. The Local Keycloak is configured to pull users from Local LDAP/Kerberos and will add 2FA to them. Users of the Local LDAP/Kerberos will be able to manage their password and 2FA from Keycloak. Keycloak does not route or manage external users.
  2. Option B: Web applications authenticate via any method supported by Keycloak. Web applications only need to support one source of authentication (Keycloak). Keycloak allows for selection between the External SAML provider and the Local LDAP/Kerberos system. Keycloak will enforce 2FA on the Local LDAP/Kerberos but not the External SAML. Keycloak will allow for selecting which applications are permitted to use which of the two authentication services. Users of the Local LDAP/Kerberos will be able to manage their password and 2FA from Keycloak.
  3. Option C: Maybe something I did not think of!

Any tips, suggestions, or corrections are very helpful! Thank you!
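For the brokering half of Option B, here is an added Keycloak realm-import fragment (example only, not from the post) that registers the external Shibboleth IdP as a SAML identity provider and maps its ePPN into the brokered user; the entity ID, SSO URL, certificate and alias are placeholders, and it assumes the IdP releases eduPersonPrincipalName under its standard OID name. Setting `principalType` to `ATTRIBUTE` on that OID makes the brokered Keycloak username the ePPN (`user@domain.tld`), so it cannot collide with local LDAP usernames.

```json
{
  "identityProviders": [
    {
      "alias": "external-shib",
      "displayName": "External institutional login",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "entityId": "https://keycloak.example.org/realms/PLACEHOLDER_REALM",
        "singleSignOnServiceUrl": "https://idp.external.example/idp/profile/SAML2/POST/SSO",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "principalType": "ATTRIBUTE",
        "principalAttribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "postBindingAuthnRequest": "true",
        "postBindingResponse": "true",
        "wantAuthnRequestsSigned": "true",
        "validateSignature": "true",
        "signingCertificate": "PLACEHOLDER_BASE64_IDP_SIGNING_CERT",
        "syncMode": "FORCE"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "eppn-to-user-attribute",
      "identityProviderAlias": "external-shib",
      "identityProviderMapper": "saml-user-attribute-idp-mapper",
      "config": {
        "attribute.name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "user.attribute": "eppn",
        "syncMode": "FORCE"
      }
    }
  ]
}
```

An OTP step made required in the realm's browser flow then applies only to users who enter local (LDAP/Kerberos) credentials, because a brokered login leaves the browser flow at the IdP redirect and continues through the first-broker-login (and optional post-login) flow instead, which is where the external IdP's existing 2FA is relied upon.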