4:17 a.m.
DIdn't think about having different flows for different IdPs. That's a
better option, so +1 to making it an option in the flow rather than IdPs
directly.
On Tue, 25 Sep 2018 at 09:01, Marek Posolda <mposolda(a)redhat.com> wrote:
I don't have very strong preference, feel free to add to Idp if
you thing
it's better. But I am slightly more keen to have it rather on the
authenticator. Logically it belongs here IMO as that makes sure to create
new users.
If you really want to have different settings for different IdPs, you can
create different "First Broker Login" flows for different brokers and
configure them different way. Similarly like you can do today if you want
"Facebook" users to immediately update their password after they're
created, but "Other IDP" users to not require update password (As the
switch for "Update Password After Import" is also defined on the
Authenticator).
Marek
On 25/09/18 08:52, Stian Thorgersen wrote:
I think it should rather be an option on the IdP itself as you may want to
have different settings for different IdPs. Adding it to the first broker
flow would be for all or nothing.
On Tue, 25 Sep 2018 at 08:49, Marek Posolda <mposolda(a)redhat.com> wrote:
> +1
>
> IMO this switch could be added to "CreateUserIfUnique" authenticator
> used for the FirstBroker flow. That's the one, which is responsible for
> creating new users.
>
> Marek
>
> On 24/09/18 20:30, Stian Thorgersen wrote:
> > A switch to include default roles that is enabled by default would be
> > better. That way you can choose to add all default roles or to not add
> them
> > and manage roles in the IdP mappers instead.
> >
> > On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <
> > thomas.darimont(a)googlemail.com> wrote:
> >
> >> Hello Keycloak Develops,
> >>
> >> users that are created via Identity Brokering seem to have the
> >> account:manage-account role by default, due to the configured
> >> default roles.
> >>
> >> Since those accounts are usually managed by the external IdP it could
> >> make sense to disable access to the account app for those users.
> >>
> >> A simple way to do this is to remove the manage-account role for the
> >> account
> >> app from those users. It would be great if the IdP configuration would
> >> support toggling account management access (on, off).
> >>
> >> A more generic way to do this would be to have support
> >> for disabling the usage of default roles for user created by the IdP
> >> whilst allowing explicit role configuration.
> >>
> >> Do you see any problems with this?
> >>
> >> Cheers,
> >> Thomas
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>