[keycloak-user] IdP selection based on email address

Sat Sep 8 06:51:07 EDT 2018

Following my previous messages, I managed to redirect to the right IdP base on the email address.
Does anyone have an idea of how can I force the redirector to pass a login_hint (assuming it is already configured in the idp configuration) ?

Best,

Yann

> Hello,
> 
> Thanks for your reply.
> Indeed I managed to write the function attached in javascript and I was able
> to redirect to an IdP for specific domains.
> 
> I have an additional question, I there a way to continue the flow (In my case I
> would like to optionaly prompt for OTP).
> My current flow is:
> 
> "cookies"(alternative)
> " Choose User"(required)
> Script(select idp) (required) (the script redirect to idp for a domains,
> otherwise triggers context.success) Subflow forms(optional):
>  - Username Password Form (required)
> OTP Form (optional).
> 
> Did I misunderstood the flow usage? Now when a user is authenticated using
> my idp but has an OTP, the OTP is not prompted.
> 
> Best regards ,
> 
> Yann
> 
> -------- FUNCTIONS ---------
> 
> 
> Authenticate function:
> function authenticate(context) {
> 
>     var username = user ? user.username : "anonymous";
>     if (username.endsWith("mydomain.com")) {
>         redirect_to_idp(context, "idpformydomain");
>         return;
>     }
>     context.success();
>     return;
> }
> 
> 
> Function:
> 
> 
> AuthenticationFlowError =
> Java.type("org.keycloak.authentication.AuthenticationFlowError");
> ClientSessionCode =
> Java.type("org.keycloak.services.managers.ClientSessionCode");
> Urls = Java.type("org.keycloak.services.Urls");
> OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
> Response = Java.type("javax.ws.rs.core.Response");
> 
> /**
>  * Redirect to Identification provider
>  *
>  * @param context {@see
> org.keycloak.authentication.AuthenticationFlowContext}
>  * @param providerId : the alias of the provider to use  */
> 
> function redirect_to_idp(context, providerId) {
>     var identityProviders = context.getRealm().getIdentityProviders();
>     var identityProvidersLen = identityProviders.length;
>     for (var i = 0; i < identityProvidersLen; i++) {
>         identityProvider = identityProviders[i];
>         if (identityProvider.isEnabled() &&
> providerId.equals(identityProvider.getAlias())) {
>             var accessCode = new ClientSessionCode(context.getSession(),
> context.getRealm(),
> context.getAuthenticationSession()).getOrGenerateCode();
>             var clientId =
> context.getAuthenticationSession().getClient().getClientId();
>             var tabId = context.getAuthenticationSession().getTabId();
>             var location =
> Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(),
> providerId, context.getRealm().getName(), accessCode, clientId, tabId);
>             if
> (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLA
> Y) != null)
>             {
>                 location =
> UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY,
> context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY
> )).build();
>             }
>             var response = Response.seeOther(location).build();
>             LOG.info("Redirecting to %s" + providerId);
>             context.forceChallenge(response);
>             return;
>         }
>     }
> }
> 