[keycloak-user] Brokered logins only?

Chris S. Dollar CDollar at rydin.com
Wed Jun 27 10:44:56 EDT 2018


Hi MJ,

I should mention that I don't work for Keycloak or Red Hat... I'm just an end-user.

That said, no, I don't think your use case is all that unusual. IMO you should be able to do exactly what you want with KC, but not right OOTB. On the UI side, you'll have to modify the login page template to remove the KC username/pass inputs. And you'll also likely want to define some sort of a custom user storage provider that will not allow local KC logins, etc.

I know that sounds like a lot of effort, but it really shouldn't be too bad. The KC documentation and examples explain the user storage stuff pretty well, and what you'd actually need to implement to deny local logins should be simple. I recently implemented a custom user storage provider for KC, and was amazed at how easy the process was. I've not tried modifying any of the KC themes or forms yet, but I will get into that soon.

Good luck with your project!

Chris
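To make the first of those suggestions concrete, here is an added example (not code from Chris or from the Keycloak project) of a login page template override that drops the username/password form and renders only one link per brokered IdP. It assumes a custom login theme named `broker-only` whose `theme.properties` sets `parent=keycloak`, and it uses the `social.providers` model that Keycloak's base `login.ftl` exposes to themes (the `loginUrl`, `alias`, `providerId` and `displayName` fields); the theme name and the visible text are constructed for this example.

```ftl
<#-- themes/broker-only/login/login.ftl (constructed example; theme name is an assumption).
     theme.properties next to this file is assumed to contain: parent=keycloak -->
<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=false; section>
    <#if section = "header">
        ${msg("doLogIn")}
    <#elseif section = "form">
        <div id="kc-form">
            <#-- Deliberately no <form id="kc-form-login"> and no username/password
                 inputs: the only thing rendered is one link per brokered IdP, so the
                 user picks their own sub-institute instead of typing local credentials. -->
            <#if social.providers??>
                <div id="kc-social-providers">
                    <p>Choose your institute to sign in:</p>
                    <ul>
                        <#list social.providers as p>
                            <li>
                                <a href="${p.loginUrl}" id="zocial-${p.alias}" class="zocial ${p.providerId}">
                                    <span>${p.displayName}</span>
                                </a>
                            </li>
                        </#list>
                    </ul>
                </div>
            <#else>
                <p>No identity provider is configured for this realm.</p>
            </#if>
        </div>
    </#if>
</@layout.registrationLayout>
```

Select the theme under the realm's Themes settings as the login theme. Note that this is a presentation change only: the username/password authenticator in the Browser flow still runs server-side, which is why the second suggestion above (denying local logins on the server, not just in the UI) still matters.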


________________________________
From: mj <lists at merit.unu.edu>
Sent: Wednesday, June 27, 2018 12:51:43 AM
To: Chris S. Dollar; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Brokered logins only?

Hi Chris,

Thanks for the suggestions. I guess those apply perfectly when using
only *one* brokered IdP.

What we're after: Creating a web-sso-solution for a global institute,
which is composed of 3 (4, 5 in the future) independent
sub-institutes. Each has its own IdP (saml2 or oidc) setup.

We would like to allow these sub-institutes access to certain websites,
like a global common intranet, some financial system, etc.

We hope that keycloak could help us achieve that, as an identity broker
with all 3-5 sub-institutes added as brokered IdPs.

We would then configure that global intranet to authenticate to the
brokered keycloak realm, and voila: all sub-institutes can log on with
their own credentials.

At least, that's what we hope it could do for us.

But the point is: we cannot configure kc_idp_hint, because we require
our users to choose their own sub-institute upon login.

So, we need the keycloak login form, with multiple brokered IdPs, and
we don't think we would *ever* need a username/password field on the
login form.

Is our use case an unusual one? It seems so illogical to us to
present a username/password box by default for a brokered realm
configuration.

MJ

On 06/26/2018 11:19 PM, Chris S. Dollar wrote:
> I'm doing some experimenting with using keycloak with an external IdP,
> and get results similar to yours:
>
> - with the external IdP configured, by default the user is presented
> with the normal KC login form, and to the right of that is a link that
> can be clicked to be taken to the IdP's login form.
>
> - if you add the 'kc_idp_hint' with the correct alias of your IdP then
> you can bypass the page with the KC login form and IdP link, and instead
> go straight to the IdP's form.
>
> But there's one more thing you can do. Go to the Authentication settings
> area for your realm, and choose the "Browser" flow. Under that you'll
> see the entry for "Identity Provider Redirector", and it will have an
> "Actions" menu with a "Config" option. Choose that, and set the default
> IdP value there to the alias you used when you defined the IdP, same as
> you use when setting the kc_idp_hint.
>
> After making that change I no longer see the KC login form, even without
> setting kc_idp_hint. I'm always redirected to the IdP login page, which
> sounds like the behavior you're after.
>
> Hope this helps!
> Chris
>

