Merger of PicketLink with Red Hat SSO (RH SSO, Keycloak)
PicketLink is a security framework developed by the JBoss community. PicketLink Federation, supported in JBoss EAP and other products in the JBoss portfolio, enables customers to develop single sign-on (SSO) and identity/access management (IAM) capabilities in applications.
Over the years, we have received many requests from EAP customers for a more out-of-the-box approach toward IAM, which would reduce the cost of building and maintaining custom solutions. We have also observed strong demand for OAuth 2.0 and OpenID Connect, as end users access their services from a variety of mobile devices. To address these evolving requirements, we started the JBoss project Keycloak a couple of years ago.
During the last year, we have received a very positive response to Keycloak from early adopters, including numerous enquiries on Red Hat’s plans to introduce Keycloak in a supported product. We have also received valuable feedback on enhancements needed to make Keycloak mature as an enterprise-ready IAM solution.
Recently, we announced in the JBoss Community the merger of PicketLink into Keycloak. The primary objective of this merger is to bring key, mature PicketLink features such as SAML 2.0 into Keycloak and consolidate our development effort into a single, out-of-the-box IAM solution for our customers. However, we are also aware that JBoss EAP customers will continue to need support for PicketLink Federation for its existing feature-set, which might not be available immediately in Keycloak. We have prepared this FAQ to guide JBoss EAP customers on what to expect in the future in this area of the product.
This document contains forward-looking statements related to future product features and releases - all such features and dates are subject to change with little or no notice. This document is intended to inform customers using current products and does not constitute in any way a binding or legal agreement or impose any legal obligation or duty on Red Hat.
Frequently Asked Questions
Q1: Will PicketLink Federation continue to remain supported in the JBoss EAP 5.x and JBoss EAP 6.x stream?
A: Yes, PicketLink Federation will be supported in EAP 5.x and EAP 6.x streams, per the lifecycle defined in the Red Hat JBoss Middleware Product Update and Support Policy. However, we will designate the PicketLink feature-set as deprecated and will not enhance PicketLink further. Existing or new RFEs will be considered for a new standalone IAM solution based on Keycloak.
Q2: Will PicketLink Federation be supported in JBoss EAP 7.0?
A: Yes, the same PicketLink Federation feature-set available in the last EAP 6.x minor release will also be made available and supported in EAP 7.0. We will continue to designate the PicketLink feature-set as deprecated and will not enhance PicketLink further. Existing or new RFEs will be considered for a new standalone IAM solution based on Keycloak.
Q3: Will there be any loss of features from JBoss EAP 6.4 to JBoss EAP 7.0? Will there be any break in backward compatibility?
A: There will be no loss of PicketLink Federation features going from EAP 6.4 to EAP 7.0. We will make a commercially reasonable effort to maintain backward compatibility of PicketLink Federation APIs with that of EAP 6.4. Any loss in backward compatibility will likely be due to the major revision of JBoss EAP itself.
Q4: What are Red Hat’s plans, including time-frames, to release a supported IAM solution based on Keycloak?
A: We are planning to release version 1.0 of a standalone IAM Server based on Keycloak around the EAP 7.0 GA timeframe. The first version of this IAM solution is expected to include completely new features (for example, OAuth 2.0 and OpenID Connect support) as well as selected high-priority features from PicketLink (for example, SAML 2.0 support). As the EAP 7.x lifecycle progresses, we will continue to add new features to the IAM Server. We will provide more guidance on specific features and dates in the coming months.
Q5: Will the new IAM Server have all the features of PicketLink?
A: The first GA version of the IAM Server will have selected high-priority features of PicketLink and additionally several new features that are unavailable in PicketLink. We will continue to add features to the IAM Server based on customer feedback and enhancement requests.
Q6: Will the new IAM Server be included in my current JBoss Middleware subscription?
A: The IAM Server, when GA, will be available as a separate download for all Red Hat JBoss Middleware products except JBoss Web Server and JBoss Developer Studio.
Q7: Is the standalone IAM Server intended as a replacement for PicketLink?
A: We expect that customers will adopt the efficient, out-of-the-box approach provided by a standalone server, and gradually move away from PicketLink. Longer-term, we are planning for the standalone IAM Server to replace PicketLink for all products in the Red Hat JBoss Middleware portfolio.