[keycloak-user] Brokered logins only?
mj
lists at merit.unu.edu
Wed Jun 27 02:51:43 EDT 2018
Hi Chris,
Thanks for the suggestions. I guess those apply perfectly when using
only *one* brokered IdP.
What we're after: creating a web SSO solution for a global institute,
which is composed of 3 (4, 5 in the future) independent
sub-institutes. Each has its own IdP (SAML2 or OIDC) setup.
We would like to allow these sub-institutes access to certain websites,
like a global common intranet, some financial system, etc.
We hope that keycloak could help us achieve that, as an identity broker
with all 3-5 sub-institutes added as brokered IdPs.
We would then configure that global intranet to authenticate to the
brokered keycloak realm, and voilà: all sub-institutes can log on with
their own credentials.
At least, that's what we hope it could do for us.
But the point is: we cannot configure kc_idp_hint, because we require
our users to choose their own sub-institute upon login.
So, we need the keycloak login form, with multiple brokered IdPs, and
we don't think we would *ever* need a username/password field on the
login form.
Is our use case an unusual one? It seems so illogical to us to
present a username/password box by default for a brokered realm
configuration.
MJ
On 06/26/2018 11:19 PM, Chris S. Dollar wrote:
> I'm doing some experimenting with using keycloak with an external IdP,
> and get results similar to yours:
>
> - with the external IdP configured, by default the user is presented
> with the normal KC login form, and to the right of that is a link that
> can be clicked to be taken to the IdP's login form.
>
> - if you add the 'kc_idp_hint' with the correct alias of your IdP then
> you can bypass the page with the KC login form and IdP link, and instead
> go straight to the IdP's form.
>
> But there's one more thing you can do. Go to the Authentication settings
> area for your realm, and choose the "Browser" flow. Under that you'll
> see the entry for "Identity Provider Redirector", and it will have an
> "Actions" menu with a "Config" option. Choose that, and set the default
> IdP value there to the alias you used when you defined the IdP, same as
> you use when setting the kc_idp_hint.
>
> After making that change I no longer see the KC login form, even without
> setting kc_idp_hint. I'm always redirected to the IdP login page, which
> sounds like the behavior you're after.
>
> Hope this helps!
> Chris
>
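An added example, not from this thread or from Keycloak itself, showing how a relying application could offer the sub-institute choice itself and pass the matching alias to Keycloak through kc_idp_hint (the mechanism Chris describes), so the Keycloak login form is skipped while the user still picks their own institute. The realm, client, redirect URI and IdP aliases are constructed placeholders; the alias-by-institute mapping is an assumed server-side allow-list so a tampered form value cannot steer the hint to an arbitrary alias, and the state check guards the callback against CSRF.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders; the aliases must match what was entered when
# each brokered IdP was defined in the realm (same values as for kc_idp_hint).
KEYCLOAK_BASE = "https://sso.example.org/auth"
REALM = "global"
CLIENT_ID = "intranet"
REDIRECT_URI = "https://intranet.example.org/callback"

# Server-side allow-list: the user chooses an institute label in the app,
# the app supplies the IdP alias. Unknown labels raise KeyError.
INSTITUTE_IDP_ALIAS = {
    "institute-a": "idp-a-saml",
    "institute-b": "idp-b-oidc",
    "institute-c": "idp-c-saml",
}


def new_state() -> str:
    """Unguessable per-login state, stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_login_url(institute: str, state: str) -> str:
    """Build the Keycloak authorization URL for the chosen sub-institute."""
    alias = INSTITUTE_IDP_ALIAS[institute]  # KeyError for anything not allow-listed
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "kc_idp_hint": alias,  # Keycloak redirects straight to this broker
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def hinted_idp(url: str) -> Optional[str]:
    """Return the kc_idp_hint carried by an authorization URL, if any."""
    return parse_qs(urlparse(url).query).get("kc_idp_hint", [None])[0]


def callback_state_ok(callback_url: str, expected_state: str) -> bool:
    """Constant-time check that the callback's state matches the session's."""
    got = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(got, expected_state)
```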