[keycloak-user] Enforce Idp login instead of local account for Idp linked accounts?

Byte Flinger byteflinger at gmail.com
Wed Dec 6 06:03:22 EST 2017


I would like to set up Keycloak with integration towards a SAML IdP, but I
have run into a few things I am uncertain how to solve. One thing to keep a
note of is that I would like to have the option of using local accounts for
certain users, so when I mention the details below I mean only the users
who have linked their account through the IdP.

1. Is there any way to only have "Verify existing account by
Re-authentication" without "Create User If Unique" in my flow? I want only
users with an existing account to be able to link and log in through the IdP,
but I do not want a new local account to be created if the IdP user does
not have one already. When I remove "Create User If Unique" the flow
does not work and I immediately get a "username/password incorrect" error
when I try to log in through the IdP.

2. Once a user has logged in through the IdP and linked his account, is
there any way to completely disable the local account so the user has to
log in through the IdP account (so that removal of users on the IdP side, for
example, can be enforced)? If not, maybe there is some way to achieve the behaviour
by expiring the password for that specific user or something of the sort.

3. The idea here is to try to take advantage of the IdP user account so
that if a user has been removed on the IdP side, he is no longer able to
log in to Keycloak with his local account. Any comments on how to best
achieve this (or best practices) would be welcome.
