[keycloak-dev] Support for disabling account management for brokered identities

Marek Posolda mposolda at redhat.com
Tue Sep 25 03:01:28 EDT 2018 

I don't have very strong preference, feel free to add to Idp if you 
thing it's better. But I am slightly more keen to have it rather on the 
authenticator. Logically it belongs here IMO as that makes sure to 
create new users.

If you really want to have different settings for different IdPs, you 
can create different "First Broker Login" flows for different brokers 
and configure them different way. Similarly like you can do today if you 
want "Facebook" users to immediately update their password after they're 
created, but "Other IDP" users to not require update password (As the 
switch for "Update Password After Import" is also defined on the 
Authenticator).

Marek

On 25/09/18 08:52, Stian Thorgersen wrote:
> I think it should rather be an option on the IdP itself as you may 
> want to have different settings for different IdPs. Adding it to the 
> first broker flow would be for all or nothing.
>
> On Tue, 25 Sep 2018 at 08:49, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     +1
>
>     IMO this switch could be added to "CreateUserIfUnique" authenticator
>     used for the FirstBroker flow. That's the one, which is
>     responsible for
>     creating new users.
>
>     Marek
>
>     On 24/09/18 20:30, Stian Thorgersen wrote:
>     > A switch to include default roles that is enabled by default
>     would be
>     > better. That way you can choose to add all default roles or to
>     not add them
>     > and manage roles in the IdP mappers instead.
>     >
>     > On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <
>     > thomas.darimont at googlemail.com
>     <mailto:thomas.darimont at googlemail.com>> wrote:
>     >
>     >> Hello Keycloak Develops,
>     >>
>     >> users that are created via Identity Brokering seem to have the
>     >> account:manage-account role by default, due to the configured
>     >> default roles.
>     >>
>     >> Since those accounts are usually managed by the external IdP it
>     could
>     >> make sense to disable access to the account app for those users.
>     >>
>     >> A simple way to do this is to remove the manage-account role
>     for the
>     >> account
>     >> app from those users. It would be great if the IdP
>     configuration would
>     >> support toggling account management access (on, off).
>     >>
>     >> A more generic way to do this would be to have support
>     >> for disabling the usage of default roles for user created by
>     the IdP
>     >> whilst allowing explicit role configuration.
>     >>
>     >> Do you see any problems with this?
>     >>
>     >> Cheers,
>     >> Thomas
>     >> _______________________________________________
>     >> keycloak-dev mailing list
>     >> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     >>
>     > _______________________________________________
>     > keycloak-dev mailing list
>     > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

More information about the keycloak-dev mailing list