I am trying to implement the following scenario with KC. We have two
applications, SP1 and SP2, that use KC. KC has identity broker pointing to
external IDP. Desired scenario:
1. User agent goes to SP1, he's being redirected to KC and then to extIDP
2. User authenticated in extIDP, and being redirected to KC and then to SP1
with some attributes from extIDP
3. SP1 creates user entity in SP2 basing on attributes from extIDP and
attributes collected by SP1
4. User entity in SP2 is synced to user federation store used by KC.
5. User should be able to SSO to SP2. Session in SP2 should obtain
attributes set by SP1.
The problem is 2 different user entities (instances of UserModel) created
at KC at step #2 and #4. I plan to drop 1st entity, and set identity
federation with extIDP for 2nd entity. But we also need to change user
session in KC, it should contain 2nd user entity data. Otherwise SSO to SP2
Surprisingly, I've found a
method org.keycloak.models.UserSessionModel#restartSession that looks like
does the job. I plan to add custom Authenticator and call session reset
How do you think, will it work?