I'm doing some experimenting with using Keycloak with an external IdP, and get results
similar to yours:
- with the external IdP configured, by default the user is presented with the normal KC
login form, and to the right of that is a link that can be clicked to be taken to the
IdP's login form.
- if you add the 'kc_idp_hint' with the correct alias of your IdP then you can
bypass the page with the KC login form and IdP link, and instead go straight to the
IdP's form.
But there's one more thing you can do. Go to the Authentication settings area for your
realm, and choose the "Browser" flow. Under that you'll see the entry for
"Identity Provider Redirector", and it will have an "Actions" menu
with a "Config" option. Choose that, and set the default IdP value there to the
alias you used when you defined the IdP, same as you use when setting the kc_idp_hint.
After making that change I no longer see the KC login form, even without setting
kc_idp_hint. I'm always redirected to the IdP login page, which sounds like the
behavior you're after.
Hope this helps!
Chris
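As an added example (not from Chris's message or the Keycloak project), the script below does the two things his reply describes through the Keycloak Admin REST API and the OIDC authorization endpoint: it builds a login URL that carries `kc_idp_hint`, and it locates the "Identity Provider Redirector" in the realm's browser flow and attaches a config whose `defaultProvider` is the broker alias. The realm `demo`, the IdP alias `corp-idp`, the hostnames and the sample execution list are constructed for illustration; the admin bearer token is assumed to be obtained separately. One caveat worth keeping in mind for Peter's 2FA concern: the redirector is an authenticator in the browser flow only, so if a client in the realm has direct access grants enabled, a username/password `grant_type=password` request still goes through the separate direct grant flow and never meets the redirector.

```python
"""Automate the "Identity Provider Redirector" default via the Keycloak Admin
REST API and build authorization URLs that carry kc_idp_hint.

Added example; not from the original thread. Assumed names: realm "demo",
IdP alias "corp-idp", hostnames *.example.test, admin token obtained out of band.
For Keycloak versions served under the /auth context path, include it in base_url.
"""
import json
import urllib.parse
import urllib.request

# Keycloak's providerId for the built-in redirector authenticator.
REDIRECTOR_PROVIDER_ID = "identity-provider-redirector"

# Constructed sample of what GET .../authentication/flows/browser/executions
# returns, trimmed to the fields this script needs (not captured from a server).
SAMPLE_EXECUTIONS = [
    {"id": "0a9e-cookie", "providerId": "auth-cookie", "requirement": "ALTERNATIVE"},
    {"id": "3f1c-redirector", "providerId": REDIRECTOR_PROVIDER_ID, "requirement": "ALTERNATIVE"},
    {"id": "77b2-forms", "displayName": "forms", "requirement": "ALTERNATIVE"},
]


def authorization_url(base_url, realm, client_id, redirect_uri, idp_alias=None, state="s0"):
    """Build an OIDC authorization request for a realm.

    With idp_alias set, the request carries kc_idp_hint=<alias>, which skips the
    Keycloak login form and sends the browser straight to that broker. An empty
    alias is deliberately not sent: a blank kc_idp_hint brings up the KC form.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if idp_alias:
        params["kc_idp_hint"] = idp_alias
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


def find_redirector(executions):
    """Return the execution entry for the Identity Provider Redirector, or None."""
    for execution in executions:
        if execution.get("providerId") == REDIRECTOR_PROVIDER_ID:
            return execution
    return None


def redirector_config(idp_alias, alias="default-idp-redirect"):
    """Body for POST /admin/realms/{realm}/authentication/executions/{id}/config.

    'defaultProvider' is the key the admin console's "Config" dialog writes; its
    value is the IdP alias, the same string used in kc_idp_hint.
    """
    if not idp_alias or not idp_alias.strip():
        raise ValueError("idp_alias must be a non-empty broker alias")
    return {"alias": alias, "config": {"defaultProvider": idp_alias}}


def set_default_idp(base_url, realm, admin_token, idp_alias):
    """Look up the redirector in the browser flow and create its config.

    Makes network calls; not exercised offline. Returns the HTTP status of the
    config creation (201 on success).
    """
    headers = {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}
    flow_url = f"{base_url}/admin/realms/{realm}/authentication/flows/browser/executions"
    with urllib.request.urlopen(urllib.request.Request(flow_url, headers=headers)) as resp:
        executions = json.load(resp)
    redirector = find_redirector(executions)
    if redirector is None:
        raise RuntimeError("browser flow has no Identity Provider Redirector")
    if redirector.get("authenticationConfig"):
        # An existing config must be updated via PUT .../authentication/config/{id},
        # not duplicated; stop here so the operator can inspect it.
        raise RuntimeError("redirector already has a config; update it instead of creating another")
    body = json.dumps(redirector_config(idp_alias)).encode()
    cfg_url = f"{base_url}/admin/realms/{realm}/authentication/executions/{redirector['id']}/config"
    request = urllib.request.Request(cfg_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(request) as resp:
        return resp.status


if __name__ == "__main__":
    print(authorization_url("https://sso.example.test", "demo", "myapp",
                            "https://app.example.test/cb", "corp-idp"))
    print(json.dumps(redirector_config("corp-idp")))
```

Run `set_default_idp("https://sso.example.test", "demo", token, "corp-idp")` once per realm; after that, a plain authorization request with no `kc_idp_hint` is redirected to the broker, as Chris observed.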
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of mj <lists(a)merit.unu.edu>
Sent: Sunday, June 24, 2018 11:17:38 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Brokered logins only?
Wow, I just noticed your question, after I posted *exactly* the same
question.
I guess that means that I should also not expect a reply... :-)
MJ
On 06/23/2018 08:09 PM, pkboucher801(a)gmail.com wrote:
Am I asking on the wrong list?
Is this question uninteresting? Too easy? Too hard?
-----Original Message-----
From: pkboucher801(a)gmail.com [mailto:pkboucher801@gmail.com]
Sent: Monday, June 18, 2018 8:01 AM
To: keycloak-user(a)lists.jboss.org
Subject: Brokered logins only?
Any way (other than a custom theme that enforces it in the UI) to allow only
brokered logins to a realm?
For reasons beyond my control, the user's password is the same in the IDP as
it is in KC (they point at the same OU in LDAP), but the IDP has been
configured with a particular 2FA method that is not supported by KC. So the
problem is that if the users log in with username/password submission on the
KC login page, they can bypass the IDP's 2FA.
We can set the IDP as the default, but kc_idp_hint as a blank value will
bring up the KC login page.
Maybe there's a way to adjust the flows so that brokered login works, but
username/password submission on the KC login page fails (or is not even
offered)?
Maybe setup pre-configured OTPs on the accounts, so that the users can't get
past there? (this would be a bad, confusing UX)
Any other ideas?
Regards,
Peter K. Boucher
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user