[keycloak-user] Prevent federated users from setting a password

Rens Verhage Rens.Verhage at topicus.nl
Mon Dec 18 06:19:35 EST 2017


Hi all,

We’re implementing Keycloak in an existing multi-tenant application and have to make a choice: 1 realm for all our tenants or each tenant its own realm?

From an administrator’s point of view, one single realm for all user accounts seems a good choice. However, there is one important requirement that until now, we haven’t been able to fulfil this way:

A tenant might choose to let their users log in through an external identity provider, ADFS will be fairly common. Users that will log in this way will be required to always do so and therefore are not allowed to set a password in Keycloak. Deleting a user will be as easy as removing the user from the Active Directory.

However, not all tenants will have their own identity provider. For these tenants, users must be able to log in with a username and password. They also get a forgot password link, so they can reset their password once forgotten. Now that raises a problem. Users that log in through their identity provider can use this link to set a password and thus bypass their identity provider. Should such a user be removed from the AD, he or she can still log in using this password.

Can we somehow prevent federated identities from ever setting a password? Or is this not possible and are we forced to set up multiple realms?



Rens
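One way to at least detect the situation described in this post (a user who authenticates through an external identity provider but has also acquired a local password, and could therefore keep logging in after being removed from the AD) is to audit a realm export for users that carry both a federated identity and a password credential. The script below is an added illustration, not part of the original message and not Keycloak's own tooling; it assumes the realm export JSON lists each user with `federatedIdentities` and `credentials` arrays, and the sample export embedded in it is constructed for the example.

```python
import json

# Constructed sample in the shape of a Keycloak realm export (assumption: each
# entry in "users" carries "federatedIdentities" and "credentials" as shown).
SAMPLE_EXPORT = json.dumps({
    "realm": "tenants",
    "users": [
        {   # Logs in via ADFS only, no local credential: fine.
            "username": "alice",
            "federatedIdentities": [{"identityProvider": "adfs-tenant-a", "userId": "a1"}],
            "credentials": [],
        },
        {   # Federated, but has used "forgot password" to set a local password:
            # this is the bypass the post worries about.
            "username": "bob",
            "federatedIdentities": [{"identityProvider": "adfs-tenant-a", "userId": "b2"}],
            "credentials": [{"type": "password", "hashedSaltedValue": "placeholder"}],
        },
        {   # Tenant without an IdP: a local password is expected here.
            "username": "carol",
            "federatedIdentities": [],
            "credentials": [{"type": "password", "hashedSaltedValue": "placeholder"}],
        },
        {   # Federated with a second factor but no password: fine.
            "username": "dave",
            "federatedIdentities": [{"identityProvider": "adfs-tenant-b", "userId": "d4"}],
            "credentials": [{"type": "otp"}],
        },
    ],
})


def has_password(user: dict) -> bool:
    """True if any credential on the user is a password credential."""
    return any(c.get("type") == "password" for c in user.get("credentials", []))


def federated_providers(user: dict) -> list:
    """Names of the identity providers this user is linked to (may be empty)."""
    return [f.get("identityProvider") for f in user.get("federatedIdentities", [])]


def audit_federated_passwords(export_json: str) -> list:
    """Return (username, providers) for every user that is linked to an
    external identity provider AND also holds a local password credential.
    Such accounts can sign in without the provider, so they should be
    reviewed and the local password removed."""
    realm = json.loads(export_json)
    flagged = []
    for user in realm.get("users", []):
        providers = federated_providers(user)
        if providers and has_password(user):
            flagged.append((user["username"], providers))
    return sorted(flagged)


if __name__ == "__main__":
    for username, providers in audit_federated_passwords(SAMPLE_EXPORT):
        print(f"{username}: federated via {', '.join(providers)} but has a local password")
```

Run periodically against a fresh export (or adapt `audit_federated_passwords` to the admin API's user and credential listings) and treat any hit as a break of the "IdP users never get a password" requirement; removing the offending password credential restores the intended state.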



