[keycloak-dev] Support for disabling account management for brokered identities

Stian Thorgersen sthorger at redhat.com
Tue Sep 25 02:52:30 EDT 2018


I think it should rather be an option on the IdP itself as you may want to
have different settings for different IdPs. Adding it to the first broker
flow would be for all or nothing.

On Tue, 25 Sep 2018 at 08:49, Marek Posolda <mposolda at redhat.com> wrote:

> +1
>
> IMO this switch could be added to "CreateUserIfUnique" authenticator
> used for the FirstBroker flow. That's the one, which is responsible for
> creating new users.
>
> Marek
>
> On 24/09/18 20:30, Stian Thorgersen wrote:
> > A switch to include default roles that is enabled by default would be
> > better. That way you can choose to add all default roles or to not add
> > them and manage roles in the IdP mappers instead.
> >
> > On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <
> > thomas.darimont at googlemail.com> wrote:
> >
> >> Hello Keycloak Developers,
> >>
> >> users that are created via Identity Brokering seem to have the
> >> account:manage-account role by default, due to the configured
> >> default roles.
> >>
> >> Since those accounts are usually managed by the external IdP it could
> >> make sense to disable access to the account app for those users.
> >>
> >> A simple way to do this is to remove the manage-account role for the
> >> account app from those users. It would be great if the IdP configuration
> >> would support toggling account management access (on, off).
> >>
> >> A more generic way to do this would be to have support
> >> for disabling the usage of default roles for users created by the IdP
> >> whilst allowing explicit role configuration.
> >>
> >> Do you see any problems with this?
> >>
> >> Cheers,
> >> Thomas
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>


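The "simple way" Thomas describes, removing the account client's manage-account role from users that the first broker login flow creates, can be done without waiting for an IdP-level switch by adding a custom authenticator to that flow. The following is an added example written for this thread, not Keycloak's own code: it implements the Authenticator and AuthenticatorFactory SPIs and, when placed after "Create User If Unique" in the First Broker Login flow, strips the direct manage-account role mapping from the freshly created user. The package, class name and provider id are assumptions; the Constants.ACCOUNT_MANAGEMENT_CLIENT_ID ("account") and AccountRoles.MANAGE_ACCOUNT ("manage-account") constants and the SPI method names are Keycloak's.

```java
package org.example.keycloak; // hypothetical package

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

import java.util.Collections;
import java.util.List;

/**
 * Added example (not part of Keycloak): an authenticator for the First Broker Login flow
 * that revokes the account console's manage-account role from brokered users, so that
 * accounts managed by an external IdP cannot edit themselves through the account app.
 */
public class RevokeAccountManagementAuthenticator implements Authenticator, AuthenticatorFactory {

    public static final String PROVIDER_ID = "revoke-account-management"; // assumed id

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Runs before "Create User If Unique"? Then there is no user yet; do nothing.
            context.attempted();
            return;
        }
        RealmModel realm = context.getRealm();
        ClientModel account = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (account != null) {
            RoleModel manageAccount = account.getRole(AccountRoles.MANAGE_ACCOUNT);
            // The realm's default roles are granted as direct mappings on user creation,
            // which is exactly what deleteRoleMapping removes. A grant inherited through a
            // group or composite role would survive this and must be handled there instead.
            if (manageAccount != null && user.hasRole(manageAccount)) {
                user.deleteRoleMapping(manageAccount);
            }
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form interaction: everything happens in authenticate().
        context.success();
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }

    // --- AuthenticatorFactory: how the admin console discovers and lists the execution ---
    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Revoke Account Management (brokered users)"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Removes the account client's manage-account role from the user, "
             + "intended for the First Broker Login flow after Create User If Unique.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED
        };
    }
}
```

To deploy it, register the factory's fully qualified class name in META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the provider JAR, then in the admin console add the execution to a copy of the First Broker Login flow, positioned after "Create User If Unique", and bind that copy to the identity provider(s) whose users should lose account-console access. Because the execution is per flow, and flows are bound per IdP, this gives the per-IdP granularity Stian asks for without a global switch; users who already existed before the execution was added keep their role until it is removed by other means.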