<div dir="ltr"><div><div><div>Actually, my internal keycloak users use only a login for authentication but I suppose it is possible to ask for the internal keycloak email first.<br></div>I think in my use case, a simple choice list for using a federation and the login/password on the left is great. Storing the latest used IdP in a cookie will increase the user experience for federated users.<br></div>Your flow is great also but in my case I don't know the proportion of internal users and federated users... so I think keeping a visible login/password box is not a big deal for now.<br></div>This system will be in production at the end of the year so we'll have feedback at this time. We also have some existing users that will be migrated as internal keycloak users.<br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 21 Oct 2015 at 09:13, Stian Thorgersen <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">One flow that I've considered would be:<div><br></div><div>1. Ask for email only</div><div>2. Lookup user, if user is found and has link to IdP redirect directly to IdP</div><div>3. Go through list of IdPs - each IdP would have an email domain associated with it. If one matches the provided email redirect to IdP</div><div>4. If neither 2 nor 3 matches then ask for password. 
As we know the user now, we can also ask for OTP on the same page if the user has OTP enabled</div><div><br></div><div>Is that a flow that would work for you?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 21 October 2015 at 09:06, Jérôme Blanchard <span dir="ltr"><<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Stian, <br><br></div>Thanks a lot for your precisions which will help me a lot. I have already developed a theme in an earlier version and I had completely forgotten that it would do the trick, great idea.<br></div>I will also investigate the idea of implementing an authenticator in order to add a cookie remembering the last used IdP because I also need the classic login for some users.<br><br></div>Best Regards, Jérôme.<br></div><div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, 21 Oct 2015 at 08:34, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There's no limit with the buttons, although it would become unusable. You can change this by creating your own theme though and use a drop down or whatever you'd like.<div><br></div><div>Another idea is something we've discussed before which is to register certain email domains with a specific IdP. For example &lt;user&gt;@<a href="http://corp.com" target="_blank">corp.com</a> is automatically redirected to <a href="http://idp.corp.com" target="_blank">idp.corp.com</a>. 
With the new authenticator SPI you could create this flow yourself and remove the password field from the initial screen.</div><div><br></div><div>You may end up wanting to implement an authenticator for this in either case so you can add a cookie to remember the last used IdP.</div><div><br></div><div>When you use identity brokering in Keycloak, Keycloak becomes the "Service Provider" in the external IdP, not the individual clients. So only the Keycloak server has to be registered with the external IdP.</div></div><div class="gmail_extra"><br><div class="gmail_quote"></div></div><div class="gmail_extra"><div class="gmail_quote">On 20 October 2015 at 17:33, Jérôme Blanchard <span dir="ltr"><<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div>Hi all, <br><br></div>I'm trying to
integrate keycloak in a federation of identities (Shibboleth) using the
SAMLv2 Identity Provider. The problem is that the federation counts
something like 100 Identity Providers and I'm afraid of the L&amp;F of
the GUI, as for now adding 3 of them creates a button for each. Is
there a limit or something that creates a drop down menu? (like this
list <a href="https://discovery.renater.fr/renater" target="_blank">https://discovery.renater.fr/renater</a>)<br></div>The goal for me is to create a kind of parser for this IdPs list:<br><a href="http://federation.renater.fr/renater/idps-renater-metadata.xml" target="_blank">http://federation.renater.fr/renater/idps-renater-metadata.xml</a><br></div>in order to parse this list and maintain my IdPs in keycloak up to date.<br><br></div>Another question is: does each client in keycloak have to be declared as a Service Provider, or only the keycloak server?<br><br></div>If you have any feedback for Shibboleth federation integration using keycloak I'll be very glad to share it.<br><br></div>Thanks a lot, Best Regards, Jérôme.</div>
<br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div>
</blockquote></div>
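<p>The metadata-driven IdP maintenance Jérôme asks about (parse the federation's IdP list and keep the broker's configured IdPs in sync), as an added example that is not code from this thread or from Keycloak: it reads a SAML 2.0 <code>EntitiesDescriptor</code> aggregate with the standard library, keeps only entities that publish an <code>IDPSSODescriptor</code>, and diffs them against the set already configured. The XML sample, entity IDs and hostnames are constructed; a real aggregate should be fetched over HTTPS and its XML signature verified before it drives any configuration.</p>

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (md) and the UI extension that carries DisplayName (mdui).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample aggregate: two IdPs plus one SP-only entity that must be skipped.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.univ-a.example/idp/shibboleth">
    <md:IDPSSODescriptor>
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">University A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.univ-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.univ-b.example/saml">
    <md:IDPSSODescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.univ-b.example/saml/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.only.example"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_idps(xml_text):
    """Return {entityID: {"name", "sso_url"}} for each entity publishing an
    IDPSSODescriptor (SP-only entities are skipped); prefers HTTP-Redirect.
    Feed it only metadata whose XML signature has already been verified."""
    idps = {}
    for ent in ET.fromstring(xml_text).iterfind("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        entity_id = ent.get("entityID")
        name_el = idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
        sso = {s.get("Binding"): s.get("Location")
               for s in idp.iterfind("md:SingleSignOnService", NS)}
        url = sso.get(REDIRECT) or next(iter(sso.values()), None)
        if entity_id and url:
            idps[entity_id] = {"name": name_el.text if name_el is not None else entity_id,
                               "sso_url": url}
    return idps

def sync_plan(configured, federation):
    """Diff the broker's configured IdP entityIDs (a set) against a parsed
    federation list -> (entityIDs to add, entityIDs to remove)."""
    fed = set(federation)
    return sorted(fed - configured), sorted(configured - fed)
```

<p>Entities without a usable SSO endpoint are dropped as well, so a malformed or trimmed aggregate shrinks the "add" list rather than producing half-configured IdPs.</p>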