Wow, I just noticed your question, after I posted *exactly* the same
question.
I guess that means that I should also not expect a reply... :-)
MJ
On 06/23/2018 08:09 PM, pkboucher801(a)gmail.com wrote:
Am I asking on the wrong list?
Is this question uninteresting? Too easy? Too hard?
-----Original Message-----
From: pkboucher801(a)gmail.com [mailto:pkboucher801@gmail.com]
Sent: Monday, June 18, 2018 8:01 AM
To: keycloak-user(a)lists.jboss.org
Subject: Brokered logins only?
Any way (other than a custom theme that enforces it in the UI) to allow only
brokered logins to a realm?
For reasons beyond my control, the user's password is the same in the IDP as
it is in KC (they point at the same OU in LDAP), but the IDP has been
configured with a particular 2FA method that is not supported by KC. So the
problem is that if the users log in with username/password submission on the
KC login page, they can bypass the IDP's 2FA.
We can set the IDP as the default, but kc_idp_hint as a blank value will
bring up the KC login page.
Maybe there's a way to adjust the flows so that brokered login works, but
username/password submission on the KC login page fails (or is not even
offered)?
Maybe set up pre-configured OTPs on the accounts, so that the users can't get
past there? (this would be a bad, confusing UX)
Any other ideas?
Regards,
Peter K. Boucher