One flow that I've considered would be:

1. Ask for email only
2. Lookup user, if user is found and has link to IdP redirect directly to IdP
3. Go through list of IdPs - each IdP would have a email domain associated with it. If one matches the provided email redirect to IdP
4. If neither 2 or 3 matches then display ask for password. As we know the user know we can also ask for OTP on the same page if user has OTP enabled

Is that a flow that would work for you?

On 21 October 2015 at 09:06, Jérôme Blanchard <jayblanc@gmail.com> wrote:
Hi Stian,

Thanks a lot for your precisions which will help me a lot. I have already develop a theme in an earlier version and I had completely forgot that it would do the trick, great idea.
I will also investigate the idea of implementing an authenticator in order to add a cookie remembering the last used IdP because I also need the classic login for some users.

Best Regards, Jérôme.

Le mer. 21 oct. 2015 à 08:34, Stian Thorgersen <sthorger@redhat.com> a écrit :
There's no limit with the buttons, although it would become unusable. You can change this by creating your own theme though and use a drop down or whatever you'd like.

Another idea is something we've discussed before which is to register certain email domains with a specific IdP. For example <user>@corp.com is automatically redirected to idp.corp.com. With the new authenticator SPI you could create this flow yourself and remove the password field from the initial screen.

You may end up wanting to implement an authenticator for this in either case so you can add a cookie to remember the last used IdP.

When you use identity brokering in Keycloak, Keycloak becomes the "Service Provider" in the external IdP, not the individual clients. So only the Keycloak server has to be registered with the external IdP.

On 20 October 2015 at 17:33, Jérôme Blanchard <jayblanc@gmail.com> wrote:
Hi all,

I'm trying to integrate keycloak in a federation of indentities (shibolleth) using the SAMLv2 Identity Provider. The problem is that the federation count something like 100 Identity Providers and I'm afraid of the L&F of the GUI as for now, adding 3 of them is creating a button for each. Is there is a limit or something that creates a drop down menu ? (like this list https://discovery.renater.fr/renater)
The goal for me is to create a kind of parser for this idps list :
http://federation.renater.fr/renater/idps-renater-metadata.xml
in order to parse this list and maintain my IDPs in keycloak up to date.

Another question is : is each client in keycloak has to be declared as a Service Provider or only the keycloak server ?

If you have any feedback for shibolleth federation integration using keycloak I'll be very glad to share them.

Thanks a lot, Best Regards, Jérôme.

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user