[keycloak-user] Skip Broker First-Time Flow?

Marek Posolda mposolda at redhat.com
Fri Aug 25 09:29:29 EDT 2017


Yes.

Marek

On 25/08/17 15:08, Peter K. Boucher wrote:
> Not asking you to review/endorse this code, but does the approach seem reasonable?  https://github.com/ohioit/keycloak-link-idp-with-user
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, August 24, 2017 5:30 AM
> To: Phillip Fleischer <pcfleischer at outlook.com>; Peter K. Boucher <pkboucher801 at gmail.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
>
> +1 to what Phillip mentioned.
>
> We were thinking of adding the authenticator OOTB, which will link
> accounts automatically. But we didn't add it in the end because of security.
> However, you're not the first asking for it, so maybe it makes sense - as
> long as this authenticator won't be in the flow by default and the admin
> would need to edit the first-broker-login flow at his own risk. Feel
> free to create a JIRA (maybe it already exists, so you can add a comment
> like "I want it too" and add a vote :) )
>
> Marek
>
> On 24/08/17 10:38, Phillip Fleischer wrote:
>> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want.
>>
>> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own.
>>
>> ________________________________
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Peter K. Boucher <pkboucher801 at gmail.com>
>> Sent: Wednesday, August 23, 2017 2:51:48 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Skip Broker First-Time Flow?
>>
>> We have a need to pre-provision user accounts that are to be accessed with
>> SAML from an outside IdP. These accounts are only ever to be used via SAML
>> from this external IdP (i.e., we never want them to have to use a password
>> to verify anything to Keycloak).
>>
>> Is there any way for the account-linking the first time the user comes in
>> with SAML to happen automatically and silently?
>>
>> We understand that in some circumstances it would be a security hole to
>> allow someone to connect via a brokered IdP to an existing account that has
>> already been used, but these accounts are being created specifically to be
>> accessed by this particular broker.
>>
>> Any help?
>>
>> Thanks!
>>
>> Regards,
>>
>> Peter K. Boucher
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
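The thread describes replacing an execution in a copy of the first-broker-login flow with a custom authenticator that links the brokered login to a pre-provisioned account without showing the review/verify screens, and Marek's caveat that such a step is unsafe unless the admin opts in deliberately. The following is an added illustration of that idea, not code from the thread, from the linked GitHub project, or from Keycloak itself. It uses the `AbstractIdpAuthenticator` SPI as it existed in Keycloak 3.x when this thread was written (for example `UserProvider.getUserByUsername(String, RealmModel)`; later releases reorder some of these signatures). The package name, the provider id `idp-preprovisioned-auto-link`, and the marker attribute `brokerOnlyIdp` are assumptions made for this example. The guard it adds is what the original poster's own reasoning implies: silent linking is only permitted for an account the admin explicitly reserved for this IdP alias and that has not been linked to any identity provider yet; anything else is left to the following executions or rejected.

```java
// Hypothetical example, not Keycloak's own code: a first-broker-login
// authenticator that silently links a brokered SAML login to a local user the
// admin pre-provisioned for exactly this IdP, and attempts nothing otherwise.
// API names follow the Keycloak 3.x SPI (e.g. getUserByUsername(String, RealmModel)).
package org.example.keycloak.broker; // assumed package

import java.util.Collections;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class PreProvisionedAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    private static final Logger LOG = Logger.getLogger(PreProvisionedAutoLinkAuthenticator.class);

    // Assumed marker attribute the admin sets when pre-provisioning the account;
    // its value names the only IdP alias allowed to claim the account silently.
    static final String BROKER_ONLY_ATTR = "brokerOnlyIdp";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        String idpAlias = brokerContext.getIdpConfig().getAlias();
        // Username as established by the IdP's username mapper for this login.
        String username = brokerContext.getModelUsername();

        UserModel user = (username == null) ? null : session.users().getUserByUsername(username, realm);
        if (user == null) {
            // No matching local account: leave the decision to later executions
            // in the flow (e.g. "Create User If Unique") instead of failing here.
            context.attempted();
            return;
        }

        // Only accounts explicitly reserved for this IdP may be linked without review.
        String reservedFor = user.getFirstAttribute(BROKER_ONLY_ATTR);
        if (reservedFor == null || !reservedFor.equals(idpAlias)) {
            LOG.warnf("Refusing silent link of '%s' to IdP '%s': account not reserved for it", username, idpAlias);
            context.failure(AuthenticationFlowError.USER_CONFLICT);
            return;
        }
        // An account already linked to some IdP is not a fresh pre-provisioned one.
        if (!session.users().getFederatedIdentities(user, realm).isEmpty()) {
            LOG.warnf("Refusing silent link of '%s': account already has a federated identity", username);
            context.failure(AuthenticationFlowError.USER_CONFLICT);
            return;
        }
        if (!user.isEnabled()) {
            context.failure(AuthenticationFlowError.USER_DISABLED);
            return;
        }

        // Setting the user and succeeding is enough: the broker endpoint stores
        // the federated-identity link once the first-broker-login flow completes.
        context.setUser(user);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // No form is shown, so there is no user action to process; re-run the check.
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    // Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
    public static class Factory implements AuthenticatorFactory {
        static final String ID = "idp-preprovisioned-auto-link"; // assumed provider id

        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Link Pre-Provisioned Broker Account"; }
        @Override public String getReferenceCategory() { return "autoLink"; }
        @Override public String getHelpText() { return "Silently links the brokered user to a local account reserved for this IdP."; }
        @Override public boolean isConfigurable() { return false; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public Authenticator create(KeycloakSession session) { return new PreProvisionedAutoLinkAuthenticator(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To use it the way Phillip describes, copy the built-in first-broker-login flow, add this execution as REQUIRED ahead of "Create User If Unique", bind the copy to the SAML identity provider only, and set the `brokerOnlyIdp` attribute to that provider's alias on each pre-provisioned account. Accounts without the attribute still go through the normal review and verification steps, which keeps Marek's concern about linking arbitrary existing accounts contained to the users the admin chose.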
