[keycloak-user] Force certain realm users to login via IDP
Tim Hedlund
tim.hedlund at outlook.com
Fri Feb 1 10:01:01 EST 2019
Hi Dmitry,
I like your alternative solution. I will have a go with that.
Thank you very much! I appreciate it.
Regards
Tim
-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: 1 February 2019 13:00
To: Tim Hedlund; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Force certain realm users to login via IDP
Hello Tim,
I think your solution is viable. In your script authenticator, you can use authenticationSession.getExecutionStatus() to determine which auth method has actually been used.
Alternatively, I'd suggest something similar to the built-in identity-provider-redirector [1], but with a different condition to trigger the redirect (e.g. admin role membership instead of kc_idp_hint presence). However, this would be harder to implement in JavaScript.
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Thu, 2019-01-31 at 13:49 +0000, Tim Hedlund wrote:
> We are looking into using an IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in a certain realm) will need to authenticate via two factor because of company policies. So I've already set up a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login.
>
> I've tried to "Disable Credentials" for "password" for such a user but still he could login.
>
> I'm thinking of a solution where we script a custom browser flow action where we check if the user is an admin and then deny him if using a password.
>
> Any thoughts or suggestions?
>
> Regards
> Tim
>
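The script-authenticator approach from Dmitry's reply, as an added example that is not part of this thread or of Keycloak's own code: a browser-flow script (Nashorn-era JavaScript, using the `realm`, `user`, `authenticationSession`, `LOG` and `script` bindings Keycloak exposes to script authenticators) that reads `authenticationSession.getExecutionStatus()` and refuses the login when an admin got there with a password. Assumptions: the admin test is membership in the `manage-users` role of the `realm-management` client, the password authenticators are the two built-in form provider ids, and the script runs as a REQUIRED step after the Username Password Form.

```javascript
// Keycloak script authenticator (Nashorn JavaScript, ES5). Keycloak binds the globals
// realm, user, authenticationSession, LOG and script. Assumed placement: REQUIRED step
// in the browser flow's "forms" subflow, after the Username Password Form.

// Provider ids that count as a password login (assumption: the built-in forms).
var PASSWORD_AUTHENTICATORS = ["auth-username-password-form", "auth-password-form"];

// Pure decision: deny when the user is an admin AND a password authenticator in this
// authentication session finished with SUCCESS. executions: [{authenticator, status}]
function mustDeny(isAdmin, executions) {
  if (!isAdmin) return false;
  for (var i = 0; i < executions.length; i++) {
    var e = executions[i];
    if (e.status === "SUCCESS" && PASSWORD_AUTHENTICATORS.indexOf(e.authenticator) >= 0) return true;
  }
  return false;
}

// Flatten authenticationSession.getExecutionStatus() (Map<executionId, ExecutionStatus>)
// into plain objects by resolving each execution id to its authenticator provider id.
function collectExecutions(authSession, realmModel) {
  var result = [];
  var it = authSession.getExecutionStatus().entrySet().iterator();
  while (it.hasNext()) {
    var entry = it.next();
    var exec = realmModel.getAuthenticationExecutionById(entry.getKey());
    if (exec != null) result.push({ authenticator: String(exec.getAuthenticator()), status: String(entry.getValue()) });
  }
  return result;
}

// Admin test (assumption): holder of the manage-users role of the realm-management client.
function isRealmAdmin(userModel, realmModel) {
  var client = realmModel.getClientByClientId("realm-management");
  var role = client == null ? null : client.getRole("manage-users");
  return userModel != null && role != null && userModel.hasRole(role);
}

// Entry point Keycloak calls for a script authenticator.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  if (mustDeny(isRealmAdmin(user, realm), collectExecutions(authenticationSession, realm))) {
    LOG.warn(script.name + ": password login refused for admin " + user.username + ", IDP login required");
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
```

Logins brokered through the Identity Provider Redirector never enter the forms subflow, so admins arriving from Azure AD are not affected; the execution-status check is what keeps the script correct if it is later moved to the end of the top-level browser flow.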