[keycloak-user] Skip Broker First-Time Flow?

Peter K. Boucher pkboucher801 at gmail.com
Wed Aug 30 09:43:23 EDT 2017


I also voted for https://issues.jboss.org/browse/KEYCLOAK-4240?_sscc=t 

-----Original Message-----
From: Adam Keily [mailto:adam.keily at adelaide.edu.au] 
Sent: Wednesday, August 30, 2017 12:27 AM
To: Marek Posolda <mposolda at redhat.com>; Peter K. Boucher
<pkboucher801 at gmail.com>; 'Phillip Fleischer' <pcfleischer at outlook.com>;
keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Skip Broker First-Time Flow?

Check out https://github.com/ohioit/keycloak-link-idp-with-user

We use it to silently link users coming from another corporate IDP with our
federated LDAP accounts.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org
[mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Friday, 25 August 2017 10:59 PM
To: Peter K. Boucher <pkboucher801 at gmail.com>; 'Phillip Fleischer'
<pcfleischer at outlook.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?

Yes.

Marek

On 25/08/17 15:08, Peter K. Boucher wrote:
> Not asking you to review/endorse this code, but does the approach seem
> reasonable?  https://github.com/ohioit/keycloak-link-idp-with-user
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, August 24, 2017 5:30 AM
> To: Phillip Fleischer <pcfleischer at outlook.com>; Peter K. Boucher
> <pkboucher801 at gmail.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
>
> +1 to what Phillip mentioned.
>
> We were thinking of adding the authenticator OOTB, which will link
> accounts automatically. But we didn't add it in the end because of security.
> However you're not the first asking for it, so maybe it makes sense -
> as long as this authenticator won't be in the flow by default and
> admin would need to edit the first-broker-login flow at his own risk.
> Feel free to create a JIRA (maybe it already exists, so you can add
> a comment like "I want it too" and add a vote :) )
>
> Marek
>
> On 24/08/17 10:38, Phillip Fleischer wrote:
>> Not sure of your appetite for customization but you can create a copy of
>> the first login flow and remove or replace the execution steps you don't
>> want.
>>
>> As far as how you'll create or link the account if none of the existing
>> executions work, worst case you'd have to write your own.
>>
>> ________________________________
>> From: keycloak-user-bounces at lists.jboss.org
>> <keycloak-user-bounces at lists.jboss.org> on behalf of Peter K. Boucher
>> <pkboucher801 at gmail.com>
>> Sent: Wednesday, August 23, 2017 2:51:48 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Skip Broker First-Time Flow?
>>
>> We have a need to pre-provision user accounts that are to be accessed
>> with SAML from an outside IdP.  These accounts are only ever to be
>> used via SAML from this external IdP (i.e., we never want them to
>> have to use a password to verify anything to Keycloak).
>>
>> Is there any way for the account-linking the first time the user
>> comes in with SAML to happen automatically and silently?
>>
>> We understand that in some circumstances it would be a security hole
>> to allow someone to connect via a brokered IdP to an existing account
>> that has already been used, but these accounts are being created
>> specifically to be accessed by this particular broker.
>>
>> Any help?
>>
>> Thanks!
>>
>> Regards,
>>
>> Peter K. Boucher
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
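
The precondition stated in the original question (accounts created only for this broker and never used) can be made an explicit check before any silent link. The following is an added example, not code from this thread or from the linked ohioit project; it models only the decision, and the `LocalAccount` fields, the function names and the `corp-saml` / `other-idp` aliases are hypothetical, not Keycloak APIs.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class LocalAccount:  # hypothetical model of a local user record, not a Keycloak class
    username: str
    provisioned_for_idp: Optional[str] = None  # IdP alias recorded at provisioning time
    has_password: bool = False
    last_login: Optional[str] = None           # None means the account was never used
    linked_idps: Set[str] = field(default_factory=set)

def auto_link_decision(account: Optional[LocalAccount], idp_alias: str,
                       asserted_username: str) -> Tuple[bool, str]:
    """Decide whether a brokered identity may be linked without user interaction."""
    if account is None or account.username != asserted_username:
        return False, "no matching pre-provisioned account"
    if account.provisioned_for_idp != idp_alias:
        return False, "account was not provisioned for this IdP"
    if account.has_password:
        return False, "account has a local password"
    if account.last_login is not None:
        return False, "account has already been used"
    if account.linked_idps - {idp_alias}:
        return False, "account is already linked to another IdP"
    return True, "silent link allowed"

# Constructed sample data; "corp-saml" and "other-idp" are made-up aliases.
ACCOUNTS = {
    "alice": LocalAccount("alice", provisioned_for_idp="corp-saml"),
    "bob": LocalAccount("bob", has_password=True, last_login="2017-08-01"),
    "carol": LocalAccount("carol", provisioned_for_idp="corp-saml",
                          last_login="2017-08-20"),
    "dave": LocalAccount("dave", provisioned_for_idp="corp-saml",
                         linked_idps={"other-idp"}),
}

def evaluate(idp_alias: str, asserted_username: str) -> Tuple[bool, str]:
    # A denial is meant to hand the login to the interactive steps of the flow.
    return auto_link_decision(ACCOUNTS.get(asserted_username), idp_alias,
                              asserted_username)

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave", "mallory"):
        print(name, evaluate("corp-saml", name))
```

Only the account that was provisioned for the asserting IdP, has no password, no login history and no other link is accepted; every other case is refused with a reason that can be logged.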
