[keycloak-user] Skip Broker First-Time Flow?
Peter K. Boucher
pkboucher801 at gmail.com
Fri Aug 25 09:08:43 EDT 2017
Not asking you to review/endorse this code, but does the approach seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, August 24, 2017 5:30 AM
To: Phillip Fleischer <pcfleischer at outlook.com>; Peter K. Boucher <pkboucher801 at gmail.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
+1 to what Phillip mentioned.
We were thinking for adding the authenticator OOTB, which will link
accounts automatically. But didn't added in the end because of security.
However you're not the first asking for it, so maybe it makes sense - as
long as this authenticator won't be in the flow by default and admin
would need to edit the first-broker-login flow on his own risk. Feel
free to create JIRA (maybe it already exists, so you can add comment
like "I want it too" and add vote :) )
Marek
On 24/08/17 10:38, Phillip Fleischer wrote:
> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want.
>
> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own.
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Peter K. Boucher <pkboucher801 at gmail.com>
> Sent: Wednesday, August 23, 2017 2:51:48 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Skip Broker First-Time Flow?
>
> We have a need to pre-provision user accounts that are to be accessed with
> SAML from an outside IdP. These accounts are only ever to be used via SAML
> from this external IdP (i.e., we never want them to have to use a password
> to verify anything to Keycloak.
>
>
>
> Is there any way for the account-linking the first time the user comes in
> with SAML to happen automatically and silently?
>
>
>
> We understand that in some circumstances it would be a security hole to
> allow someone to connect via a brokered IdP to an existing account that has
> already been used, but these accounts are being created specifically to be
> accessed by this particular broker.
>
>
>
> Any help?
>
>
>
> Thanks!
>
>
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list