[keycloak-user] Support for automatic IdP selection

Marcin Okraszewski okrasz_news at o2.pl
Tue May 8 10:35:26 EDT 2018


Hi,
I went through the documentation and did a bit of experimenting, but I have trouble
figuring out whether my use case would be doable with Keycloak.

I need to authenticate some users with a password, but some with an external
SAML IdP. The decision whether to use an IdP, and which one, would need to be
based on the domain of the email address (the email is the login). Is it possible
to select the identity provider based on the domain of the user's email address?

When a user logs in with an external SAML IdP, I would like to assign the groups of
the user based on a SAML attribute value. Basically, this comes down to
allowing a user to manage user-group assignment in their system, while
group-role assignment would be within Keycloak. Is this supported by Keycloak?

We also use vanity domains to distinguish tenants (a user might have access
to multiple tenants). We have tens of thousands of tenants. Is it possible
to avoid registering an SP/client app for every single tenant (vanity
domain)? I’m not bound to any SSO protocol here. OpenID Connect seems
to be the closest, as it allows wildcards in the path part of the client URL, but
unfortunately not in the domain part.

Thank you for help,
Marcin
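The redirect-URI point in the question above (a wildcard is acceptable in the path part of a registered client URL, but not in the host part) is a real security boundary, so here is an added illustration of why. This is example code written for this page, not Keycloak's own implementation: the matching rules, the `matches_registered` / `allowed_for_tenants` / `naive_host_wildcard` functions and the tenant hostnames are all assumptions for demonstration. It shows a path-prefix wildcard with an exact scheme/host comparison (plus the dot-segment check such prefix matching needs), the host-suffix wildcard that should not be used, and an explicit per-tenant host allowlist as the alternative for many vanity domains.

```python
"""Illustrative redirect-URI matching for an OIDC client (added example, not
Keycloak's code). Rules are assumptions chosen to show the security point:
a '*' at the end of a registered URI matches the rest of the path only;
scheme and host must match exactly; host-level wildcards are never applied."""
from urllib.parse import urlsplit


def matches_registered(candidate: str, registered: str) -> bool:
    """True if `candidate` is allowed by the registered redirect URI.

    - scheme and netloc (host, port, any userinfo) must be equal (case-insensitive)
    - a registered path ending in '*' allows any path sharing that prefix
    - otherwise the path must match exactly; query and fragment are ignored
    - '.' and '..' segments are rejected so a prefix match cannot be escaped
      by a candidate such as /cb/../admin
    """
    c = urlsplit(candidate)
    r = urlsplit(registered)
    if c.scheme.lower() != r.scheme.lower() or c.netloc.lower() != r.netloc.lower():
        return False
    if any(seg in (".", "..") for seg in c.path.split("/")):
        return False
    if r.path.endswith("*"):
        return c.path.startswith(r.path[:-1])
    return c.path == r.path


def naive_host_wildcard(candidate: str, pattern_host: str) -> bool:
    """The thing NOT to do: treat '*.example.com' as a host suffix match.

    Every host under that suffix passes, including one an attacker can create
    (self-service subdomains) or take over (dangling DNS), which would let the
    authorization code or token be redirected to them.
    """
    host = urlsplit(candidate).hostname or ""
    return pattern_host.startswith("*.") and host.endswith(pattern_host[1:])


def allowed_for_tenants(candidate: str, tenant_hosts: set, path_pattern: str) -> bool:
    """Multi-tenant alternative to a host wildcard: keep an explicit set of
    registered tenant hostnames (assumed to be populated when a tenant's vanity
    domain is provisioned) and apply the same path rule to each of them.

    Only https is accepted, and the netloc must be the bare hostname (no
    userinfo, no port) so that the allowlisted name is really the destination.
    """
    c = urlsplit(candidate)
    host = c.hostname  # already lowercased by urlsplit, None if absent
    if c.scheme.lower() != "https" or host is None or host not in tenant_hosts:
        return False
    if c.netloc.lower() != host:
        return False
    return matches_registered(candidate, f"https://{host}{path_pattern}")


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    reg = "https://app.example.com/cb/*"
    print(matches_registered("https://app.example.com/cb/x?code=1", reg))   # True
    print(matches_registered("https://app.example.com/cb/../admin", reg))   # False
    print(matches_registered("https://evil.com/cb/x", reg))                 # False
    print(naive_host_wildcard("https://attacker.example.com/cb", "*.example.com"))  # True
    tenants = {"tenant1.example.com", "tenant2.example.com"}
    print(allowed_for_tenants("https://tenant1.example.com/cb/x", tenants, "/cb/*"))  # True
    print(allowed_for_tenants("https://tenant9.example.com/cb/x", tenants, "/cb/*"))  # False
```

The allowlist approach trades the convenience of a wildcard for one registration record per tenant host, which is the cost the question is trying to avoid; the point of the example is that a host wildcard is not a safe way to pay it back, because anything that matches the wildcard becomes a valid place to send tokens.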


More information about the keycloak-user mailing list