As mentioned on GitHub, we are exploring a specific setup. In Keycloak we create realms for various applications and usages. One of them is for a specific environment where we have "AD" users imported into Keycloak and where we want to add "External" users to this specific realm; they are not in the AD.
We want to use our privacyIDEA OTP backend, so that existing AD users do not require the usage of yet another token. The external users also need an OTP login enabled, which could then either reside on the Keycloak server itself, or, because we use the privacyIDEA Keycloak extension file (or want to use that, basically ;-)), on the OTP server (privacyIDEA).
In the future, various applications will connect to the SSO environment, with different needs. Most often a set (complete or subset) of the AD needs to be imported into a group or its own realm, with potentially a wide range of external, non-AD-based users in it. They all need 2FA authentication as required by our policies. The above question is ideally re-usable between those specific requirements and realms (if at all possible).
I am all ears for suggestions and discussion on the topic, please let me know. I hope to be able to help my customer with that in the most future-proof way possible.