[keycloak-dev] Support for disabling account management for brokered identities

Stian Thorgersen sthorger at redhat.com
Wed Sep 26 05:17:24 EDT 2018


Didn't think about having different flows for different IdPs. That's a
better option, so +1 to making it an option in the flow rather than IdPs
directly.

On Tue, 25 Sep 2018 at 09:01, Marek Posolda <mposolda at redhat.com> wrote:

> I don't have very strong preference, feel free to add to Idp if you think
> it's better. But I am slightly more keen to have it rather on the
> authenticator. Logically it belongs here IMO as that makes sure to create
> new users.
>
> If you really want to have different settings for different IdPs, you can
> create different "First Broker Login" flows for different brokers and
> configure them in a different way. Similarly to what you can do today if you want
> "Facebook" users to immediately update their password after they're
> created, but "Other IDP" users to not require update password (as the
> switch for "Update Password After Import" is also defined on the
> Authenticator).
>
> Marek
>
> On 25/09/18 08:52, Stian Thorgersen wrote:
>
> I think it should rather be an option on the IdP itself as you may want to
> have different settings for different IdPs. Adding it to the first broker
> flow would be for all or nothing.
>
> On Tue, 25 Sep 2018 at 08:49, Marek Posolda <mposolda at redhat.com> wrote:
>
>> +1
>>
>> IMO this switch could be added to "CreateUserIfUnique" authenticator
>> used for the FirstBroker flow. That's the one which is responsible for
>> creating new users.
>>
>> Marek
>>
>> On 24/09/18 20:30, Stian Thorgersen wrote:
>> > A switch to include default roles that is enabled by default would be
>> > better. That way you can choose to add all default roles or to not add
>> > them and manage roles in the IdP mappers instead.
>> >
>> > On Mon, 24 Sep 2018 at 11:31, Thomas Darimont <
>> > thomas.darimont at googlemail.com> wrote:
>> >
>> >> Hello Keycloak Developers,
>> >>
>> >> users that are created via Identity Brokering seem to have the
>> >> account:manage-account role by default, due to the configured
>> >> default roles.
>> >>
>> >> Since those accounts are usually managed by the external IdP it could
>> >> make sense to disable access to the account app for those users.
>> >>
>> >> A simple way to do this is to remove the manage-account role for the
>> >> account app from those users. It would be great if the IdP configuration
>> >> would support toggling account management access (on, off).
>> >>
>> >> A more generic way to do this would be to have support
>> >> for disabling the usage of default roles for users created by the IdP
>> >> whilst allowing explicit role configuration.
>> >>
>> >> Do you see any problems with this?
>> >>
>> >> Cheers,
>> >> Thomas
>> >> _______________________________________________
>> >> keycloak-dev mailing list
>> >> keycloak-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>
