You will need auto-linking of IDP to internal account as well, so they won't
be asked for their password in order to approve linking their Keycloak
account to the IDP.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, June 25, 2018 5:25 AM
To: Corbetta, Francesco <fco(a)iec.ch>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
Yes, sure.
If you need to just override themes, you may not need to override
authentication flow. But if you need to override UsernamePassword
Authenticator and change the implementation, so that it doesn't allow to
login with username/password at all, then you will need to add this
authenticator implementation into new browser authentication flow. Maybe
instead of overriding UsernamePassword authenticator, it's easier to create
new implementation of authenticator, which will just show the Freemarker
form with links to brokers (No username/password). In that case you will
also need to create new authentication flow and add that new authenticator
implementation to it.
Marek
On 25/06/18 08:57, Corbetta, Francesco wrote:
Hello
What about changing the browser authentication flow?
Best
Francesco
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
Sent: 25 June 2018 08:49
To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only
It's possible to remove username/password fields from login screen by
doing
custom theme and override freemarker template for login screen.
You may need to remove tab "password" from account management as well so
that users are not able to set their password here. This can be also
achieved through theme.
Thing is, that after changing themes, users will be still able to login
with their
username/passwords if they "simulate" sending the same HTTP
request, which login screen is sending (they can also simulate changing
their password in account management by HTTP request even if "password"
tab is not in the UI). So if you expect to have malicious users,
which
would try to do something like this and you want to be safe and avoid this,
you may need to change/override the UsernamePassword Authenticator too and
avoid authentication of users with username/password. Then login with
username/password will be impossible even if user is trying to "simulate"
the request like this.
Marek
On 24/06/18 14:30, mj wrote:
> Hi,
>
> Is there a way to create a realm in keycloak with a few brokered IdP's,
> *without* the local username/password fields on the login screen,
> but
> *only* a list of external IdP's to choose from?
>
> Thanks!
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user