Hi MJ,
I should mention that I don't work for Keycloak or Red Hat... I'm just an
end-user.
That said, no, I don't think your use case is all that unusual. IMO you should be able
to do exactly what you want with KC, but not right OOTB. On the UI side, you'll have
to modify the login page template to remove the KC username/pass inputs. And you'll
also likely want to define some sort of a custom user storage provider that will not allow
local KC logins, etc.
I know that sounds like a lot of effort, but it really shouldn't be too bad. The KC
documentation and examples explain the user storage stuff pretty well, and what you'd
actually need to implement to deny local logins should be simple. I recently implemented a
custom user storage provider for KC, and was amazed at how easy the process was. I've
not tried modifying any of the KC themes or forms yet, but I will get into that soon.
Good luck with your project!
Chris
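As an added illustration of the template change Chris describes (this is not code from the thread or from the Keycloak project), the following login.ftl override renders only the realm's enabled identity providers and no username/password inputs. It assumes a hypothetical custom theme directory named brokered-only, and it uses the variables the stock Keycloak login theme of that era exposes to templates (realm, social, url, msg, properties); the markup is adapted from the base theme's login.ftl, so check it against the login.ftl of the Keycloak version actually deployed.

```ftl
<#-- Hypothetical theme file: themes/brokered-only/login/login.ftl
     Added example, not from the original thread or the Keycloak project.
     Overrides the base theme's login.ftl so the page shows only the realm's
     enabled brokered IdPs; the username/password form is not rendered at all.
     Assumption: the variables below are the ones the base "keycloak" login
     theme provides (realm, social, url, msg, properties). -->
<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=false; section>
    <#if section = "title">
        ${msg("loginTitle",(realm.displayName!''))}
    <#elseif section = "header">
        ${msg("loginTitleHtml",(realm.displayNameHtml!''))?no_esc}
    <#elseif section = "form">
        <#-- social.providers is only set when the realm has at least one
             enabled identity provider. -->
        <#if social.providers??>
            <div id="kc-social-providers" class="${properties.kcFormSocialAccountContentClass!}">
                <p>Choose your institute to log in:</p>
                <ul class="${properties.kcFormSocialAccountListClass!}">
                    <#list social.providers as p>
                        <#-- p.loginUrl is the broker endpoint for this alias and
                             already carries the current session code, so the
                             user's click does the job kc_idp_hint would do. -->
                        <li class="${properties.kcFormSocialAccountListLinkClass!}">
                            <a href="${p.loginUrl}" id="zocial-${p.alias}" class="zocial ${p.providerId}">
                                <span>${p.displayName}</span>
                            </a>
                        </li>
                    </#list>
                </ul>
            </div>
        <#else>
            <#-- Fail closed: with no brokered IdP configured there is nothing
                 to offer, and we deliberately do not fall back to a local form. -->
            <p>No identity provider is configured for this realm.</p>
        </#if>
    </#if>
</@layout.registrationLayout>
```

To activate it, the theme directory also needs a login/theme.properties containing `parent=keycloak`, and the realm's Login Theme must be set to the new theme. Note that this only changes what the browser is shown: the Username Password Form authenticator in the browser flow still accepts a POST to the login action URL, and any client with Direct Access Grants enabled still accepts a password over the token endpoint. So the template change should be paired with a server-side measure along the lines Chris suggests (a user storage provider that does not support the password credential type) and with Direct Access Grants disabled on the clients.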
________________________________
From: mj <lists(a)merit.unu.edu>
Sent: Wednesday, June 27, 2018 12:51:43 AM
To: Chris S. Dollar; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Brokered logins only?
Hi Chris,
Thanks for the suggestions. I guess those apply perfectly when using
only *one* brokered IdP.
What we're after: Creating a web SSO solution for a global institute,
which is composed of 3 (4, 5 in the future) independent
sub-institutes. Each has their own IdP (SAML2 or OIDC) setup.
We would like to allow these sub-institutes access to certain websites,
like a global common intranet, some financial system, etc.
We hope that keycloak could help us achieve that, as an identity broker
with all 3-5 sub-institutes added as brokered IdPs.
We would then configure that global intranet to authenticate to the
brokered keycloak realm, and voila: all sub-institutes can log on with
their own credentials.
At least, that's what we hope it could do for us.
But the point is: we cannot configure kc_idp_hint, because we require
our users to choose their own sub-institute upon login.
So, we need the keycloak login form, with multiple brokered IdPs, and
we don't think we would *ever* need a username/password field on the
login form.
Is our use case an unusual one? It seems so illogical to us to
present a username/password box by default for a brokered realm
configuration.
MJ
On 06/26/2018 11:19 PM, Chris S. Dollar wrote:
I'm doing some experimenting with using keycloak with an external IdP,
and get results similar to yours:
- with the external IdP configured, by default the user is presented
with the normal KC login form, and to the right of that is a link that
can be clicked to be taken to the IdP's login form.
- if you add the 'kc_idp_hint' with the correct alias of your IdP then
you can bypass the page with the KC login form and IdP link, and instead
go straight to the IdP's form.
But there's one more thing you can do. Go to the Authentication settings
area for your realm, and choose the "Browser" flow. Under that you'll
see the entry for "Identity Provider Redirector", and it will have an
"Actions" menu with a "Config" option. Choose that, and set the default
IdP value there to the alias you used when you defined the IdP, same as
you use when setting the kc_idp_hint.
After making that change I no longer see the KC login form, even without
setting kc_idp_hint. I'm always redirected to the IdP login page, which
sounds like the behavior you're after.
Hope this helps!
Chris