I don't have a very strong preference, feel free to add it to the IdP if you
think it's better. But I am slightly more keen to have it rather on the
authenticator. Logically it belongs here IMO, as that's the one that makes
sure to create new users.
If you really want to have different settings for different IdPs, you
can create different "First Broker Login" flows for different brokers
and configure them in different ways. Similarly to what you can do today if you
want "Facebook" users to immediately update their password after they're
created, but "Other IDP" users to not require a password update (as the
switch for "Update Password After Import" is also defined on the
Authenticator).
Marek
On 25/09/18 08:52, Stian Thorgersen wrote:
I think it should rather be an option on the IdP itself, as you may
want to have different settings for different IdPs. Adding it to the
first broker flow would be all or nothing.
On Tue, 25 Sep 2018 at 08:49, Marek Posolda <mposolda@redhat.com> wrote:
+1
IMO this switch could be added to the "CreateUserIfUnique" authenticator
used for the FirstBroker flow. That's the one which is responsible for
creating new users.
Marek
On 24/09/18 20:30, Stian Thorgersen wrote:
> A switch to include default roles that is enabled by default would be
> better. That way you can choose to add all default roles or to not add them
> and manage roles in the IdP mappers instead.
>
> On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
>
>> Hello Keycloak Developers,
>>
>> Users that are created via Identity Brokering seem to have the
>> account:manage-account role by default, due to the configured
>> default roles.
>>
>> Since those accounts are usually managed by the external IdP it could
>> make sense to disable access to the account app for those users.
>>
>> A simple way to do this is to remove the manage-account role for the
>> account app from those users. It would be great if the IdP
>> configuration would support toggling account management access (on, off).
>>
>> A more generic way to do this would be to have support
>> for disabling the usage of default roles for users created by the IdP
>> whilst allowing explicit role configuration.
>>
>> Do you see any problems with this?
>>
>> Cheers,
>> Thomas
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev