Hi Chris,
Thanks for the suggestions. I guess those apply perfectly when using
only *one* brokered IdP.
What we're after: creating a web SSO solution for a global institute,
which is composed of 3 (4 or 5 in the future) independent
sub-institutes. Each has its own IdP (SAML2 or OIDC) setup.
We would like to allow these sub-institutes access to certain websites,
like a global common intranet, some financial system, etc.
We hope that keycloak could help us achieve that, as an identity broker
with all 3-5 sub-institutes added as brokered IdPs.
We would then configure that global intranet to authenticate to the
brokered Keycloak realm, and voilà: all sub-institutes can log on with
their own credentials.
At least, that's what we hope it could do for us.
But the point is: we cannot configure kc_idp_hint, because we require
our users to choose their own sub-institute upon login.
So, we need the Keycloak login form, with multiple brokered IdPs, and
we don't think we would *ever* need a username/password field on the
login form.
Is our use case an unusual one? It seems so illogical to us to
present a username/password box by default for a brokered realm
configuration.
MJ
On 06/26/2018 11:19 PM, Chris S. Dollar wrote:
I'm doing some experimenting with using keycloak with an external IdP,
and get results similar to yours:
- with the external IdP configured, by default the user is presented
with the normal KC login form, and to the right of that is a link that
can be clicked to be taken to the IdP's login form.
- if you add the 'kc_idp_hint' with the correct alias of your IdP then
you can bypass the page with the KC login form and IdP link, and instead
go straight to the IdP's form.
But there's one more thing you can do. Go to the Authentication settings
area for your realm, and choose the "Browser" flow. Under that you'll
see the entry for "Identity Provider Redirector", and it will have an
"Actions" menu with a "Config" option. Choose that, and set the default
IdP value there to the alias you used when you defined the IdP, same as
you use when setting the kc_idp_hint.
After making that change I no longer see the KC login form, even without
setting kc_idp_hint. I'm always redirected to the IdP login page, which
sounds like the behavior you're after.
Hope this helps!
Chris
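For the multi-IdP case MJ describes (the user picks their sub-institute on the intranet side and the intranet passes that choice on as kc_idp_hint), the following is an added example of how the relying-party application could build the broker login URL; it is not code from either message or from Keycloak. The base URL, realm name, client_id, redirect URI and IdP aliases are constructed placeholders, and the allow-list check assumes the aliases match those defined under Identity Providers in the broker realm.

```python
"""Build a Keycloak login URL that pre-selects one brokered IdP via kc_idp_hint.

Added example for a broker realm with several sub-institute IdPs where the
user chooses their own institute on the intranet's chooser page. Not code
from this thread or from Keycloak. All names below are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: aliases exactly as defined under Identity Providers in the realm.
ALLOWED_IDP_ALIASES = {"institute-a", "institute-b", "institute-c"}
KEYCLOAK_BASE = "https://sso.example.org"   # constructed placeholder
REALM = "global"                            # constructed placeholder
CLIENT_ID = "intranet"                      # constructed placeholder
REDIRECT_URI = "https://intranet.example.org/callback"  # constructed


def new_token() -> str:
    """Fresh random value for the OIDC state and nonce parameters."""
    return secrets.token_urlsafe(32)


def login_url(chosen_idp: str, state: str, nonce: str) -> str:
    """Return the OIDC authorization URL for the chosen sub-institute.

    The hint is checked against an allow-list so that a tampered chooser
    value cannot point the broker at an alias the intranet does not expect;
    unknown values fail closed instead of falling back to the broker's form.
    """
    if chosen_idp not in ALLOWED_IDP_ALIASES:
        raise ValueError(f"unknown identity provider alias: {chosen_idp!r}")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,        # bound to the session, checked on callback
        "nonce": nonce,        # must reappear in the ID token
        "kc_idp_hint": chosen_idp,
    }
    # Keycloak of this era served realms under the /auth prefix.
    path = f"/auth/realms/{REALM}/protocol/openid-connect/auth"
    return f"{KEYCLOAK_BASE}{path}?{urlencode(params)}"


def query_param(url: str, name: str) -> str:
    """Read a single query parameter back out of a built URL (for checks)."""
    return parse_qs(urlsplit(url).query)[name][0]
```

On the callback, the application must still compare the returned state with the one stored in the session before exchanging the code.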