- If you want to skip just the Keycloak login page, then you can possibly set "Authenticate by default" in the Keycloak admin console on the OpenAM identity provider screen. This means that Keycloak won't try to show the login screen, but will immediately redirect to the OpenAM login screen. However, in case you're not yet logged in to OpenAM, you will still see the OpenAM login screen. So this is likely not sufficient for you?

- Option 2) Probably better for the non-browser use case, but more complex. Keycloak has support for "direct access grants", aka the OAuth2 "Resource Owner Password Credentials grant". See the OAuth2 specs for details.
So you can implement your own Authenticator, which will re-send the provided username+password to OpenAM and then, if it succeeds, the Authenticator itself will create the user in the Keycloak DB (if it doesn't yet exist). You will need to create a new Authentication flow, put your Authenticator here and configure it as the "Direct Grant" authenticator in the Keycloak admin console. See the Authentication SPI docs for more details.

This is possible only if OpenAM itself also has support for the "Resource Owner Password Credentials grant" or something like that, which will allow sending just a REST request to validate the username+password.

Maybe we should support this OOTB, as it looks like there are more people asking for it...

Marek

On 09/08/16 22:25, Abelardo Vacca wrote:

I am wondering if it is possible to delegate authentication to an identity provider, as you would on the Login Page, but using the REST API.
I've posted to stackoverflow a few minutes ago with details and diagrams to try to explain the best I could: http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w

Please feel free to correct any misconceptions I might have; I am new to all these tools I am posting about (APIMAN, Keycloak and OpenAM).

Thanks,
Abelardo

