[keycloak-dev] Support for disabling account management for brokered identities

Marek Posolda mposolda at redhat.com
Tue Sep 25 02:49:44 EDT 2018


+1

IMO this switch could be added to the "CreateUserIfUnique" authenticator 
used for the FirstBroker flow. That's the one which is responsible for 
creating new users.

Marek

On 24/09/18 20:30, Stian Thorgersen wrote:
> A switch to include default roles that is enabled by default would be
> better. That way you can choose to add all default roles or to not add them
> and manage roles in the IdP mappers instead.
>
> On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello Keycloak Developers,
>>
>> users that are created via Identity Brokering seem to have the
>> account:manage-account role by default, due to the configured
>> default roles.
>>
>> Since those accounts are usually managed by the external IdP it could
>> make sense to disable access to the account app for those users.
>>
>> A simple way to do this is to remove the manage-account role for the
>> account app from those users. It would be great if the IdP configuration
>> would support toggling account management access (on, off).
>>
>> A more generic way to do this would be to have support
>> for disabling the usage of default roles for users created by the IdP
>> whilst allowing explicit role configuration.
>>
>> Do you see any problems with this?
>>
>> Cheers,
>> Thomas
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

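A sketch of Marek's suggestion, as an added example that is not code from the Keycloak project or from anyone in this thread: a custom authenticator that extends the stock IdpCreateUserIfUniqueAuthenticator (the "CreateUserIfUnique" step of the first broker login flow) and, when a new config switch is turned off, removes the account client's manage-account role from the user it has just created. The class and package names, the provider id and the config key are assumptions; the overridden method signature and the model calls are those of the Keycloak 4.x authenticator SPI, which the example assumes.

```java
package example.keycloak.broker; // hypothetical package, not part of Keycloak

import java.util.ArrayList;
import java.util.List;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * "Create User If Unique" with an extra switch: when the switch is off, the
 * brokered user that this step creates loses the account/manage-account role
 * that the realm's default roles handed out, so the account app is closed to
 * accounts that the external IdP manages. The switch name is an assumption.
 */
public class NoAccountMgmtCreateUserAuthenticator extends IdpCreateUserIfUniqueAuthenticator {

    // Hypothetical config key; "true" keeps the stock behaviour.
    public static final String ALLOW_ACCOUNT_MANAGEMENT = "allow.account.management";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        // The stock authenticator does the duplicate check and creates the user.
        // On the duplicate path it does not set a user, so getUser() stays null.
        super.authenticateImpl(context, serializedCtx, brokerContext);

        UserModel user = context.getUser();
        if (user == null || allowAccountManagement(context.getAuthenticatorConfig())) {
            return;
        }

        RealmModel realm = context.getRealm();
        ClientModel accountClient = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (accountClient == null) {
            return; // realm has no account client, nothing to strip
        }
        RoleModel manageAccount = accountClient.getRole(AccountRoles.MANAGE_ACCOUNT);
        if (manageAccount != null) {
            // Only the direct mapping granted as a default role is removed;
            // a role reached through a group or composite is left alone.
            user.deleteRoleMapping(manageAccount);
        }
    }

    /** Switch is on unless the execution config explicitly sets it to "false". */
    static boolean allowAccountManagement(AuthenticatorConfigModel config) {
        if (config == null || config.getConfig() == null) {
            return true;
        }
        return Boolean.parseBoolean(config.getConfig().getOrDefault(ALLOW_ACCOUNT_MANAGEMENT, "true"));
    }

    /** Factory that adds the switch to the stock execution's config form. */
    public static class Factory extends IdpCreateUserIfUniqueAuthenticatorFactory {

        public static final String PROVIDER_ID = "idp-create-user-if-unique-account-switch"; // hypothetical

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public String getDisplayType() {
            return "Create User If Unique (account management switch)";
        }

        @Override
        public Authenticator create(KeycloakSession session) {
            return new NoAccountMgmtCreateUserAuthenticator();
        }

        @Override
        public List<ProviderConfigProperty> getConfigProperties() {
            List<ProviderConfigProperty> props = new ArrayList<>(super.getConfigProperties());
            ProviderConfigProperty allow = new ProviderConfigProperty();
            allow.setName(ALLOW_ACCOUNT_MANAGEMENT);
            allow.setLabel("Allow account management");
            allow.setType(ProviderConfigProperty.BOOLEAN_TYPE);
            allow.setDefaultValue("true");
            allow.setHelpText("If off, users created by this step lose the account/manage-account role.");
            props.add(allow);
            return props;
        }
    }
}
```

To use it, the factory class name goes into META-INF/services/org.keycloak.authentication.AuthenticatorFactory in the deployed provider jar, and in the first broker login flow the stock "Create User If Unique" execution is replaced by this one with the switch unchecked. It only touches users at creation time, so brokered users that already exist keep their role, and a user can still reach the account app through a group or composite that carries manage-account; the check after deployment is to log in through the IdP as a fresh user and confirm the account console answers with a forbidden page.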