Nobody who is experienced in setting up the authentication flow in Keycloak?
On Wed, 6 Dec 2017, 12:03 Byte Flinger, <byteflinger(a)gmail.com> wrote:
I would like to set up Keycloak with integration towards a SAML IdP, but I have run into a few things I am uncertain how to solve. One thing to keep a note of is that I would like to have the option of using local accounts for certain users, so when I mention the details below I mean only the users who have linked their account through the IdP.
1. Is there any way to only have "Verify existing account by Re-authentication" without "Create User If Unique" in my flow? I want only users with an existing account to be able to link and log in through the IdP, but I do not want a new local account to be created if the IdP user does not have one already. When I remove the "Create User If Unique" execution the flow does not work and I immediately get a "username/password incorrect" error when I try to log in through the IdP.
2. Once a user has logged in through the IdP and linked his account, is there any way to completely disable the local account so the user has to log in through the IdP account (so that removal of users on the IdP side, for example, can be enforced)? If not, maybe there is some way to achieve the behaviour by expiring the password for that specific user, or something of the sort.
3. The idea here is to take advantage of the IdP user account so that if a user has been removed on the IdP side, he is no longer able to log in to Keycloak with his local account. Any comments on how to best achieve this (or best practices) would be welcome.