[keycloak-user] Brokered logins only?

Chris S. Dollar CDollar at rydin.com
Tue Jun 26 17:19:32 EDT 2018 

I'm doing some experimenting with using keycloak with an external IdP, and get results similar to yours:

- with the external IdP configured, by default the user is presented with the normal KC login form, and to the right of that is a link that can be clicked to be taken to the IdP's login form.

- if you add the 'kc_idp_hint' with the correct alias of your IdP then you can bypass the page with the KC login form and IdP link, and instead go straight to the IdP's form.

But there's one more thing you can do. Go to the Authentication settings area for your realm, and choose the "Browser" flow. Under that you'll see the entry for "Identity Provider Redirector", and it will have an "Actions" menu with a "Config" option. Choose that, and set the default IdP value there to the alias you used when you defined the IdP, same as you use when setting the kc_idp_hint.

After making that change I no longer see the KC login form, even without setting kc_idp_hint. I'm always redirected to the IdP login page, which sounds like the behavior you're after.

Hope this helps!
Chris


________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of mj <lists at merit.unu.edu>
Sent: Sunday, June 24, 2018 11:17:38 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Brokered logins only?

Wow I just noticed your question, after I posted *exactly* the same
question.

I guess that means that I should also not expect a reply... :-)

MJ

On 06/23/2018 08:09 PM, pkboucher801 at gmail.com wrote:
> Am I asking on the wrong list?
>
> Is this question uninteresting?  Too easy?  Too hard?
>
> -----Original Message-----
> From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com]
> Sent: Monday, June 18, 2018 8:01 AM
> To: keycloak-user at lists.jboss.org
> Subject: Brokered logins only?
>
> Any way (other than a custom theme that enforces it in the UI) to allow only
> brokered logins to a realm?
>
> For reasons beyond my control, the user's password is the same in the IDP as
> it is in KC (they point at the same OU in LDAP), but the IDP has been
> configured with a particular 2FA method that is not supported by KC. So the
> problem is that if the users login with username/password submission on the
> KC login page, they can bypass the IDP's 2FA.
>
> We can set the IDP as the default, but kc_idp_hint as a blank value will
> bring up the KC login page.
>
> Maybe there's a way to adjust the flows so that brokered login works, but
> username/password submission on the KC login page fails (or is not even
> offered)?
>
> Maybe setup pre-configured OTPs on the accounts, so that the users can't get
> past there? (this would be a bad, confusing UX)
>
> Any other ideas?
>
> Regards,
> Peter K. Boucher
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list