[keycloak-user] IdP selection based on email address
Yann Jouanin
Yann.Jouanin at witbe.net
Sat Sep 8 06:51:07 EDT 2018
Following my previous messages, I managed to redirect to the right IdP based on the email address.
Does anyone have an idea of how I can force the redirector to pass a login_hint (assuming it is already configured in the IdP configuration)?
Best,
Yann
> Hello,
>
> Thanks for your reply.
> Indeed I managed to write the function attached in JavaScript and I was able
> to redirect to an IdP for specific domains.
>
> I have an additional question: is there a way to continue the flow (in my case I
> would like to optionally prompt for OTP)?
> My current flow is:
>
> - Cookies (alternative)
> - Choose User (required)
> - Script (select idp) (required) (the script redirects to the IdP for some domains,
>   otherwise triggers context.success)
> - Subflow forms (optional):
>   - Username Password Form (required)
>   - OTP Form (optional)
>
> Did I misunderstand the flow usage? Now when a user is authenticated using
> my IdP but has an OTP, the OTP is not prompted.
>
> Best regards,
>
> Yann
>
> -------- FUNCTIONS ---------
>
>
> Authenticate function:
>
> // "user" is bound by the script authenticator; it is null before the user is known
> function authenticate(context) {
>     var username = user ? user.username : "anonymous";
>     // Users of the configured domain are sent to the external IdP
>     if (username.endsWith("mydomain.com")) {
>         redirect_to_idp(context, "idpformydomain");
>         return;
>     }
>     // Everyone else continues with the local flow
>     context.success();
>     return;
> }
>
>
> Function:
>
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
> Urls = Java.type("org.keycloak.services.Urls");
> OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
> Response = Java.type("javax.ws.rs.core.Response");
> UriBuilder = Java.type("javax.ws.rs.core.UriBuilder");
>
> /**
>  * Redirect to an identity provider.
>  *
>  * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
>  * @param providerId the alias of the provider to use
>  */
> function redirect_to_idp(context, providerId) {
>     var identityProviders = context.getRealm().getIdentityProviders();
>     var identityProvidersLen = identityProviders.length;
>     for (var i = 0; i < identityProvidersLen; i++) {
>         var identityProvider = identityProviders[i];
>         // Only redirect to an enabled provider whose alias matches exactly
>         if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
>             // Code that binds this redirect to the current authentication session
>             var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(),
>                 context.getAuthenticationSession()).getOrGenerateCode();
>             var clientId = context.getAuthenticationSession().getClient().getClientId();
>             var tabId = context.getAuthenticationSession().getTabId();
>             // Keycloak's own broker login endpoint for this provider
>             var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(),
>                 providerId, context.getRealm().getName(), accessCode, clientId, tabId);
>             // Propagate the OIDC "display" parameter if the client sent one
>             var display = context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY);
>             if (display != null) {
>                 location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, display).build();
>             }
>             var response = Response.seeOther(location).build();
>             LOG.info("Redirecting to " + providerId);
>             // Stop the current flow and send the browser to the provider
>             context.forceChallenge(response);
>             return;
>         }
>     }
> }
>
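As an added example (not code from the thread), the two pieces of logic the script above depends on, written in ES5 so they run under Nashorn as well as Node: an exact domain-to-IdP lookup in place of endsWith("mydomain.com"), which also matches addresses such as user@evilmydomain.com, and a helper that appends login_hint to the redirect location. The helper names, the IDP_BY_DOMAIN mapping and the sample URL are constructed; whether the broker endpoint forwards login_hint to the external IdP is the open question of the post and is not assumed here.

```javascript
// Hypothetical helpers (added example). They call no Keycloak API, so the
// same logic can be tested outside the script authenticator.

// Domain -> IdP alias mapping (constructed sample values).
var IDP_BY_DOMAIN = {
  "mydomain.com": "idpformydomain",
  "partner.example": "idpforpartner"
};

// Return the lower-cased mail domain of a username, or null when the value
// is not a single user@domain string, so the caller falls back to the local
// username/password form instead of redirecting.
function mailDomain(username) {
  if (typeof username !== "string") { return null; }
  var at = username.lastIndexOf("@");
  if (at < 0 || username.indexOf("@") !== at) { return null; }
  var domain = username.slice(at + 1).trim().toLowerCase();
  return domain.length > 0 ? domain : null;
}

// Pick the IdP alias for a username by exact domain match.
// "alice@mydomain.com" -> "idpformydomain"; "x@evilmydomain.com" -> null.
function selectIdpForUser(username, mapping) {
  var domain = mailDomain(username);
  if (domain === null) { return null; }
  return Object.prototype.hasOwnProperty.call(mapping, domain) ? mapping[domain] : null;
}

// Append login_hint to a redirect location such as the one returned by
// Urls.identityProviderAuthnRequest. The value is URL-encoded so an address
// cannot smuggle additional query parameters into the redirect.
function addLoginHint(location, username) {
  var sep = location.indexOf("?") < 0 ? "?" : "&";
  return location + sep + "login_hint=" + encodeURIComponent(username);
}
```

Inside the Nashorn script the authenticate function would call selectIdpForUser(username, IDP_BY_DOMAIN) and only redirect when it returns an alias, and redirect_to_idp would pass the location through addLoginHint before building the Response.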