[keycloak-user] Some questions about user authentication with external IDP

Stian Thorgersen sthorger at redhat.com
Mon Jan 2 09:38:17 EST 2017


We've been wanting to add something along those lines out of the box, but
haven't had the time to work on it. We didn't consider the addition of
asking users to create an account if the username was not there, but that
would be a nice option. We were also thinking about doing the redirect to
the IdP based on email domain rather than a list of usernames, i.e. all
@mycorp.com gets redirected to sso.mycorp.com. Both options would be nice
though.

It's a fair bit of work though, as we need to have an option on a realm to
have a "username first" option. Then it has impacts on the default
authentication flows, as we may need different flows out of the box.

You could consider contributing this or you could develop your own custom
authentication flow that does it for you exactly how you want it.

On 27 December 2016 at 21:05, Reed Lewis <RLewis at carbonite.com> wrote:

> We are planning on using Keycloak to authenticate users in our
> environment. There will be multiple sources of user logins.
>
>
> 1.       Local to Keycloak
>
> 2.       Using a Federation provider to pull accounts in on a one-time
> basis (the first time the user logs in they will authenticate using the p/w
> in the Federation server, and subsequent logins will occur entirely in
> Keycloak)
>
> 3.       Using a third-party IDP (like Microsoft, Google, etc.), but the
> initial source of these accounts might be local in Keycloak.
>
> I of course can do #1, and know how to do #2. For #3 I have the
> external third-party IDP working.
>
> But what we would like to have is this:
>
>
> 1.       A user goes to a form in which they enter the username only.
>
> 2.       If the user is new, it asks them to create an account
>
> 3.       If the user is new, but we know the login to be associated with a
> third-party IDP, we go there and link the account.
>
> 4.       If the user is not new, and they are linked to a third-party
> IDP, it automatically loads that IDP page without having to pick that login.
>
> Here is the workflow we are thinking.
>
> An admin adds a list of accounts (either CSV or some other way) into
> Keycloak, but it says that all these accounts need to be authenticated by
> some third-party IDP. So when a user logs into Keycloak and enters their
> password, it automatically redirects the user to the third-party IDP and then
> associates the local Keycloak login with the IDP without having to do too
> much.
>
> Does this make sense?
>
> Reed Lewis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
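The "develop your own custom authentication flow" route Stian mentions, written out as an added example (this is editor-supplied illustration, not code from the thread or from the Keycloak project): a username-first Authenticator that asks only for the username or e-mail, redirects an already-linked user straight to their broker, redirects an unknown user to the broker configured for their e-mail domain (so Keycloak's first-broker-login flow creates or links the account), and otherwise sets the user and lets the next step in the flow (e.g. a password form) run. The config key `domain.idp.map` and the class/package names are assumptions; the lookup and federated-identity calls use the Keycloak 13+ argument order and stream APIs, `createLoginUsername()` needs Keycloak 8+, and the redirect builds the broker URL the same way Keycloak's own Identity Provider Redirector does (`Urls.identityProviderAuthnRequest`, whose signature has changed across releases, so check it against the version you build for). Registering the authenticator still needs an `AuthenticatorFactory` plus the `META-INF/services` entry, which are omitted here.

```java
package com.example.keycloak.auth; // hypothetical package

import java.net.URI;
import java.util.Locale;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Username-first step: decide between linked broker, domain-mapped broker, or local login. */
public class UsernameFirstIdpAuthenticator implements Authenticator {

    // Assumed config key; value format "mycorp.com=corp-saml,example.org=okta-oidc"
    static final String DOMAIN_MAP_CONFIG = "domain.idp.map";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render Keycloak's username-only form (login-username.ftl).
        context.challenge(context.form().createLoginUsername());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
        if (username == null || username.trim().isEmpty()) {
            context.challenge(context.form().setError(Messages.MISSING_USERNAME).createLoginUsername());
            return;
        }
        username = username.trim();
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // Existing user? Try username, then e-mail.
        UserModel user = session.users().getUserByUsername(realm, username);
        if (user == null && username.contains("@")) {
            user = session.users().getUserByEmail(realm, username);
        }
        if (user != null) {
            // Case 4 in the thread: already linked to a broker -> go there without a picker.
            String linkedIdp = session.users().getFederatedIdentitiesStream(realm, user)
                    .map(FederatedIdentityModel::getIdentityProvider)
                    .findFirst().orElse(null);
            if (linkedIdp != null && redirectToIdp(context, linkedIdp)) {
                return;
            }
            context.setUser(user);   // local account: next flow step (password form) takes over
            context.success();
            return;
        }

        // Case 3: unknown user, but the e-mail domain is mapped to a broker.
        Map<String, String> config = context.getAuthenticatorConfig() == null
                ? null : context.getAuthenticatorConfig().getConfig();
        String idp = idpForDomain(config, username);
        if (idp != null && redirectToIdp(context, idp)) {
            return;
        }
        // Case 2: unknown user, unmapped domain -> re-show the form (it carries the register link).
        context.failureChallenge(AuthenticationFlowError.UNKNOWN_USER,
                context.form().setError(Messages.INVALID_USER).createLoginUsername());
    }

    /** Broker alias for the e-mail domain from the comma-separated map, or null. */
    static String idpForDomain(Map<String, String> config, String email) {
        int at = email.lastIndexOf('@');
        if (at < 0 || config == null || config.get(DOMAIN_MAP_CONFIG) == null) return null;
        String domain = email.substring(at + 1).toLowerCase(Locale.ROOT);
        for (String entry : config.get(DOMAIN_MAP_CONFIG).split(",")) {
            String[] kv = entry.trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().toLowerCase(Locale.ROOT).equals(domain)) {
                return kv[1].trim();
            }
        }
        return null;
    }

    /** Redirect to the broker's authn endpoint; false if the alias is unknown or disabled. */
    private boolean redirectToIdp(AuthenticationFlowContext context, String alias) {
        IdentityProviderModel idp = context.getRealm().getIdentityProviderByAlias(alias);
        if (idp == null || !idp.isEnabled()) return false;   // misconfigured alias: fall back to local login
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String code = new ClientSessionCode<>(context.getSession(), context.getRealm(), authSession).getOrGenerateCode();
        URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), alias,
                context.getRealm().getName(), code, authSession.getClient().getClientId(), authSession.getTabId());
        context.forceChallenge(Response.seeOther(location).build());
        return true;
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Two caveats worth keeping in mind before deploying something like this. A username-first step necessarily answers "does this account exist?" differently for known and unknown names (redirect versus error), so it is an account-enumeration oracle unless the unknown-user branch behaves the same as the unmapped-domain branch; the example above uses `failureChallenge` so the brute-force detector still counts the attempt, but the timing and page differences remain. And the domain-to-broker redirect only delivers what the thread asks for (linking the account "without having to do too much") if the realm's first-broker-login flow is configured to match or link on the verified e-mail; otherwise a user whose local account already exists will be asked to confirm the link on the way back from the IdP.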

