[keycloak-user] Verify email unwanted when users authenticate via Kerberos

Ruch Grégory gregory.ruch at elca.ch
Wed Feb 28 16:44:04 EST 2018


Thank you for your answers!

I used your second idea. It works fine.

Greg

On 28.02.18, 21:11, "Marek Posolda" <mposolda at redhat.com> wrote:

    It's not available OOTB.
    
    There are a few extension points, which you can use to achieve that. For 
    example:
    - Create requiredAction (maybe subclass of existing VerifyEmail 
    requiredAction), which will automatically "Approve" in case that user 
    was imported from LDAP (or Kerberos) provider
    - Create registration form action, which will add the requiredAction to 
    the user in case they were registered through the registration form. 
    This assumes that "Verify Email" option on realm level is off
    - Create LDAP mapper, which will automatically set emailVerified to 
    users imported from LDAP (assuming that you use LDAP provider with 
    Kerberos support. Not plain Kerberos provider)
    
    Marek
    
    On 27/02/18 21:55, Ruch Grégory wrote:
    > Hi all,
    >
    > I have configured a realm in which I have allowed user registration and Kerberos authentication. For user registration I have activated email address verification. Now my issue is that when I do the first login through Kerberos I also need to validate the email address.
    >
    > I configured it in the same realm because I configured a SAML client application which both self-registered and Kerberos authenticated users need to access.
    >
    > What I want is having self-registered users validating their email address and authenticating themselves with username/password and accessing all trusted applications with SSO. I want to have “corporate” users authenticate with Kerberos and access all trusted applications (same applications as self-registered users).
    >
    > Is there another/a right way to configure Keycloak to do what I would like to do? Or should it be implemented as an option in LDAP/Kerberos User federation provider such as “Trust email address” which will bypass the required action “verify email”?
    >
    > Thank you in advance for your help,
    > Regards,
    > Greg
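
A sketch of the second option from Marek's list (a registration form action that adds the Verify Email required action), added here as an illustration; it is not code from this thread or from the Keycloak project. The package, class name, provider id and display strings are assumptions. With the realm-level "Verify Email" switch off, only users created through the registration form get the action, so the e-mail address of Kerberos/LDAP users is trusted as delivered by the directory.

```java
package example.keycloak; // hypothetical package name

import java.util.Collections;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormActionFactory;
import org.keycloak.authentication.FormContext;
import org.keycloak.authentication.ValidationContext;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class RequireVerifyEmailOnRegistration implements FormAction, FormActionFactory {
    public static final String PROVIDER_ID = "registration-require-verify-email"; // hypothetical id

    // Called once every action in the registration form has validated.
    // The user already exists at this point if this execution is ordered
    // after the built-in user creation step.
    @Override public void success(FormContext context) {
        UserModel user = context.getUser();
        user.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
    }
    // Nothing to validate or render; report success so success() is reached.
    @Override public void validate(ValidationContext context) { context.success(); }
    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    // Factory side: stateless, so one instance serves as provider and factory.
    @Override public FormAction create(KeycloakSession session) { return this; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Require Verify Email"; }
    @Override public String getHelpText() { return "Adds VERIFY_EMAIL to self-registered users."; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public Requirement[] getRequirementChoices() {
        return new Requirement[] { Requirement.REQUIRED, Requirement.DISABLED };
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

The class has to be listed in `META-INF/services/org.keycloak.authentication.FormActionFactory` and added as a REQUIRED execution in a copy of the registration flow, after the user creation step.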
    
    
    



