[keycloak-user] When using an IdentityBroker

Stian Thorgersen stian at redhat.com
Mon Jul 20 01:32:27 EDT 2015



----- Original Message -----
> From: "Ed Hillmann" <ed.hillmann at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 20 July, 2015 7:15:43 AM
> Subject: [keycloak-user] When using an IdentityBroker
> 
> Hi, I'm going through the most recent doco, and I'm looking at the
> IdentityBroker section. So, having gone through the walkthrough, can someone
> tell me if I'm on the right track?
> 
> So, step #8 states that "Keycloak is going to check if the response from the
> identity provider is valid. If valid, it will create an user or just skip
> that if the user already exists".
> 
> Does that mean that KeyCloak will have a User, against which roles can be
> mapped? This will be a user that would be, for example, displayed in the
> admin console just like any locally-defined User?

Yes

> 
> I'm trying to piece this all together, from where we can start assigning
> roles to these users whose authentication has been performed by an external
> IdentityProvider.
> 
> Following on from that, the user would continue to authenticate against the
> Identity Provider? If they already exist, that's mentioned later on in the
> same text where the accounts are linked?

There is no automatic linking of accounts. There are basically two scenarios:

* A user with the same email address exists - in this case an error message is displayed to the user, and the user would have to log in to account management and link to the identity provider from there
* The user has already logged in with the identity provider - in this case the user is already linked to the identity provider and is logged in

The same user can also authenticate with different methods. It's possible to log in to the same account with username/password as well as with multiple identity providers (linked through account management).

With regards to setting up roles, these can either be added manually through the admin console or added automatically, either by using default roles or by using mappers.

> 
> If I've got this wrong, please let me know. :)
> 
> Thanks for any help,
> Ed
> 
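As an added illustration (not Keycloak's code, and not part of the thread), the two scenarios from the reply plus the create-on-first-login and role-assignment steps, modelled as a first-broker-login decision over a constructed in-memory user store. The store layout, the `groups` claim, the mapper table and the role names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed realm configuration (assumed names, not from the thread).
DEFAULT_ROLES = {"offline_access"}                 # realm default roles
GROUP_ROLE_MAPPER = {"staff": "employee", "admins": "realm-admin"}  # IdP group -> realm role


@dataclass
class User:
    username: str
    email: str
    roles: set = field(default_factory=set)
    links: dict = field(default_factory=dict)      # idp alias -> external subject id


@dataclass
class BrokeredIdentity:
    """The validated response from the external identity provider."""
    idp: str
    subject: str
    email: str
    username: str
    groups: list = field(default_factory=list)


def first_broker_login(users, ident):
    """Return (outcome, user) for a login that arrived via an identity broker."""
    # Scenario 2: this external identity is already linked -> just log the user in.
    for u in users:
        if u.links.get(ident.idp) == ident.subject:
            return "logged_in", u
    # Scenario 1: an account with the same email exists but is not linked.
    # There is no automatic linking; the user must link via account management.
    for u in users:
        if u.email.lower() == ident.email.lower():
            return "conflict_link_via_account_management", u
    # No match: create a local user, apply default roles and mapper-derived roles.
    user = User(ident.username, ident.email, roles=set(DEFAULT_ROLES),
                links={ident.idp: ident.subject})
    for g in ident.groups:
        if g in GROUP_ROLE_MAPPER:
            user.roles.add(GROUP_ROLE_MAPPER[g])
    users.append(user)
    return "created", user


def link_via_account_management(user, ident):
    """What the account console does after the user authenticates locally."""
    user.links[ident.idp] = ident.subject
```

Once a local account is linked this way, later logins with either username/password or the identity provider resolve to the same `User`, which is where realm roles are mapped.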

