[keycloak-user] Enterprise IDP

Adrian Gonzalez adr_gonzalez at yahoo.fr
Thu Feb 1 17:02:48 EST 2018


Hello,

Little update: I configured the IdP email domains in the config.domainAliases attribute. I need to call the REST API http://localhost:8080/auth/admin/realms/realm1/identity-provider/instances/<idp> to set this value.

My code is a little quirky (my JS code in the login UI needs to retrieve the enterprise IdP URL from the link, which is ugly: I need to set Hide on Login Page = OFF to have the URL available, but at the same time I need to hide the enterprise IdP button).

I think I'll change the REST API to a custom Authenticator that will retrieve the IdP configuration (and its domainAliases), will compute the idpUrl (in a similar way to what is done in FreeMarkerLoginFormsProvider#prepareBaseUriBuilder) and make that available to the login.ftl.

This way I'll end up with:
- custom authenticator
- custom theme with a custom login.ftl page.

I'd have liked to add the domainAliases in the Keycloak Admin UI, but I don't find a way. Also I'd have liked to propagate the user's email to the external IdP (as a pre-fill value) but don't find how.

Cheers,
Adrian
On Thursday, 1 February 2018 at 19:23:16 UTC+1, Adrian Gonzalez <adr_gonzalez at yahoo.fr> wrote:
 
Hello,

I'm using Social IDP in Keycloak, that's working awesome!

Now, I need to integrate more enterprise IDPs, and show those IDPs only to users in these enterprises.

 1. an enterprise IDP will need to be associated with a list of email domains
    (the enterprise IDP will be automatically used if the user email matches).
 2. in the Login UI, only the links for social IDPs will be shown, the enterprise IDPs will be hidden.
 3. if the user enters an email corresponding to one of the enterprise IDPs:
    * we hide the password field
    * if the user clicks on submit, he's redirected to the enterprise IDP.
 4. as a bonus: if he's redirected to the enterprise IDP, I'd like to have the email/username field already pre-filled.

I don't think a similar feature exists for the moment. If yes, please someone tell me :)

What I did for the moment is:
 - REST Service providing IDPs info to the front end (RealmResourceProviderFactory extension)
 - I hacked the login page (custom theme) and added a JS script that:
   - calls the previous REST Service
   - hides/shows the password label and field
   - intercepts the submit call and redirects to the enterprise IDP

What I'm missing is:
 - is there a way to add custom information to an IDP, i.e. like an isEntreprise boolean (how?).
   If not, I'd need to create an additional table and a custom UI to handle that (a bit awkward :( )
 - didn't pass the email to the external IDP

Would someone have an idea of how to do this (if I could add this custom info in the IDP it would be great!)? Is there a better way to achieve that? Or more generic?

Thanks for the insights!
Adrian

N.B. some links around this subject (just as reference material):
http://lists.jboss.org/pipermail/keycloak-dev/2014-November/003073.html (see 4 - Selecting provider)
http://lists.jboss.org/pipermail/keycloak-user/2017-January/008965.html
https://issues.jboss.org/browse/KEYCLOAK-1515
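The custom Authenticator sketched in the update above (read each IdP's domainAliases config entry, build the broker login URL the way the stock login page does, hand both to login.ftl, and send a matching e-mail domain to its enterprise IdP on submit) could look like the following. This is an added example written for this thread, not code from the poster or from the Keycloak project. Assumptions: the package name, the class and attribute names (EnterpriseIdpForm, enterpriseIdps), a comma-separated value format for domainAliases, and the query parameters (client_id, session_code) that the 3.4-era login page puts on broker links; newer releases also append tab_id, so check prepareBaseUriBuilder in the version you run. The Keycloak types used (UsernamePasswordForm, AuthenticationFlowContext, Urls, LoginFormsProvider) are real.

```java
package com.example.keycloak.auth; // hypothetical package; added example, not Keycloak's own code

import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.Constants;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.LoginActionsService;

/**
 * Username/password form that (1) exposes every IdP carrying a "domainAliases"
 * config entry to login.ftl together with a ready-made broker login URL, and
 * (2) on submit, forwards an e-mail whose domain matches one of those aliases
 * to that IdP instead of validating a local password.
 */
public class EnterpriseIdpForm extends UsernamePasswordForm {

    /** Config key from the post; the comma-separated value format is assumed. */
    static final String DOMAIN_ALIASES = "domainAliases";
    /** Template attribute name (assumed); a custom login.ftl reads it as ${enterpriseIdps}. */
    static final String FORM_ATTRIBUTE = "enterpriseIdps";

    /** What the template sees for each enterprise IdP. */
    public static final class EnterpriseIdp {
        private final String alias;
        private final String loginUrl;
        private final List<String> domains;

        EnterpriseIdp(String alias, String loginUrl, List<String> domains) {
            this.alias = alias;
            this.loginUrl = loginUrl;
            this.domains = Collections.unmodifiableList(domains);
        }

        public String getAlias() { return alias; }
        public String getLoginUrl() { return loginUrl; }
        public List<String> getDomains() { return domains; }
    }

    @Override
    protected Response challenge(AuthenticationFlowContext context, MultivaluedMap<String, String> formData) {
        LoginFormsProvider form = context.form().setAttribute(FORM_ATTRIBUTE, enterpriseIdps(context));
        if (formData.size() > 0) {
            form.setFormData(formData);
        }
        return form.createLogin();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String username = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
        String domain = emailDomain(username);
        Optional<EnterpriseIdp> match = enterpriseIdps(context).stream()
                .filter(idp -> idp.getDomains().contains(domain))
                .findFirst();
        if (match.isPresent()) {
            // The page's JS may hide the password field, but the decision to skip
            // local password validation is taken here, server-side.
            context.challenge(Response.seeOther(URI.create(match.get().getLoginUrl())).build());
            return;
        }
        super.action(context); // normal username/password handling
    }

    /** Builds broker login links like the stock page: base URI plus client_id and a session code. */
    static List<EnterpriseIdp> enterpriseIdps(AuthenticationFlowContext context) {
        URI base = UriBuilder.fromUri(context.getUriInfo().getBaseUri())
                .queryParam(Constants.CLIENT_ID, context.getAuthenticationSession().getClient().getClientId())
                .queryParam(LoginActionsService.SESSION_CODE, context.generateAccessCode())
                .build();
        String realmName = context.getRealm().getName();
        List<EnterpriseIdp> result = new ArrayList<>();
        for (IdentityProviderModel idp : context.getRealm().getIdentityProviders()) {
            List<String> domains = parseDomains(idp.getConfig().get(DOMAIN_ALIASES));
            if (!idp.isEnabled() || domains.isEmpty()) {
                continue; // social IdPs carry no aliases and keep their normal buttons
            }
            String url = Urls.identityProviderAuthnRequest(base, idp.getAlias(), realmName).toString();
            result.add(new EnterpriseIdp(idp.getAlias(), url, domains));
        }
        return result;
    }

    /** "Example.com, sub.example.org" -> ["example.com", "sub.example.org"]. */
    static List<String> parseDomains(String raw) {
        List<String> out = new ArrayList<>();
        if (raw == null) return out;
        for (String part : raw.split(",")) {
            String d = part.trim().toLowerCase(Locale.ROOT);
            if (!d.isEmpty()) out.add(d);
        }
        return out;
    }

    /** Whole domain after the last '@', lower-cased; "" if not an e-mail. Exact match only. */
    static String emailDomain(String username) {
        if (username == null) return "";
        int at = username.lastIndexOf('@');
        return at < 0 ? "" : username.substring(at + 1).trim().toLowerCase(Locale.ROOT);
    }
}
```

To deploy it you still need an AuthenticatorFactory that returns this class, registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory, and a copy of the browser flow in which this execution replaces the stock Username Password Form. The domainAliases value itself is set as in the post, by PUT-ing the IdP representation with config.domainAliases to the identity-provider/instances/<idp> admin endpoint. Two points worth keeping in mind: the match compares the entire domain after the last '@' rather than a substring, so an e-mail at notexample.com is not sent to the IdP registered for example.com; and the error path (wrong password) re-renders the form through the parent's own challenge, so if login.ftl must show the enterprise list there too, that path needs the same attribute.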

  

