[keycloak-user] IdP selection based on email address

Yann Jouanin Yann.Jouanin at witbe.net
Thu Jul 26 05:12:05 EDT 2018


Hello,

Thanks for your reply.
Indeed I managed to write the function attached in javascript and I was able to redirect to an IdP for specific domains.

I have an additional question: is there a way to continue the flow (in my case I would like to optionally prompt for OTP)?
My current flow is:

"cookies" (alternative)
"Choose User" (required)
Script (select idp) (required) (the script redirects to the IdP for some domains, otherwise triggers context.success())
Subflow forms (optional):
 - Username Password Form (required)
OTP Form (optional).

Did I misunderstand the flow usage? Now when a user is authenticated using my IdP but has an OTP, the OTP is not prompted.

Best regards,

Yann
 
-------- FUNCTIONS ---------


Authenticate function:
function authenticate(context) {
    // "user" is the script binding for the user identified by the preceding
    // "Choose User" step (null when no user has been set yet).
    var username = user ? user.username : "anonymous";
    // Anchor the match on "@" so that only this exact domain is routed to the
    // IdP; a bare "mydomain.com" suffix would also accept "notmydomain.com".
    if (username.endsWith("@mydomain.com")) {
        redirect_to_idp(context, "idpformydomain");
        return;
    }
    // Any other user continues with the rest of the flow (local forms).
    context.success();
}


Function:


AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
Urls = Java.type("org.keycloak.services.Urls");
OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
Response = Java.type("javax.ws.rs.core.Response");
UriBuilder = Java.type("javax.ws.rs.core.UriBuilder"); // used below for the "display" parameter

/**
 * Redirect to an identity provider.
 *
 * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
 * @param providerId the alias of the provider to use
 */
function redirect_to_idp(context, providerId) {
    var identityProviders = context.getRealm().getIdentityProviders();
    var identityProvidersLen = identityProviders.length;
    for (var i = 0; i < identityProvidersLen; i++) {
        var identityProvider = identityProviders[i];
        // Only redirect to a provider that is configured in the realm and enabled.
        if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
            // Code that lets the broker endpoint find this authentication session when the IdP calls back.
            var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
            var clientId = context.getAuthenticationSession().getClient().getClientId();
            var tabId = context.getAuthenticationSession().getTabId();
            var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
            // Propagate the OIDC "display" hint if the client sent one.
            if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
                location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
            }
            var response = Response.seeOther(location).build();
            LOG.info("Redirecting to " + providerId); // plain concatenation: "%s" is not expanded here
            // Hand the redirect to the browser without marking this step as succeeded.
            context.forceChallenge(response);
            return;
        }
    }
    // No enabled provider with that alias: fail the step explicitly instead of
    // returning without calling success() or failure(), which leaves the flow hanging.
    LOG.warn("Identity provider " + providerId + " not found or disabled");
    context.failure(AuthenticationFlowError.IDENTITY_PROVIDER_NOT_FOUND);
}
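The domain test is the security-relevant part of this routing: whoever controls a domain that the check accepts decides which IdP authenticates the user, so the match has to be on the exact e-mail domain, not on a string suffix (a bare `endsWith("mydomain.com")` also accepts `alice@notmydomain.com`). The following is an added example, not code from the post above and not Keycloak's own API: it is plain JavaScript with no Keycloak dependency, so the same logic can be unit-tested outside the server before being pasted into a script authenticator. The routing table `DOMAIN_TO_IDP`, the IdP aliases in it and the function names are constructed for this example; only `idpformydomain` comes from the post.

```javascript
// Added example (not from the original post): map a login identifier to a
// Keycloak IdP alias by its e-mail domain, with an exact domain match rather
// than a bare suffix check. Everything here is constructed for illustration.

// Constructed routing table: lower-case e-mail domain -> IdP alias.
const DOMAIN_TO_IDP = {
  "mydomain.com": "idpformydomain",   // alias from the post
  "partner.example": "idpforpartner", // constructed second entry
};

// Hostname shape: labels of [a-z0-9-] separated by dots, at least one dot,
// no leading/trailing hyphen in a label.
const DOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/;

// Extract the domain of an "local@domain" identifier, lower-cased, or null
// when the input is not e-mail-shaped (no "@", empty parts, several "@",
// or a domain that is not a plain hostname). Domains are case-insensitive,
// so "Alice@MyDomain.COM" must route the same way as "alice@mydomain.com".
function emailDomain(identifier) {
  if (typeof identifier !== "string") return null;
  const parts = identifier.trim().split("@");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") return null;
  const domain = parts[1].toLowerCase();
  return DOMAIN_RE.test(domain) ? domain : null;
}

// Return the IdP alias for an identifier, or null to fall through to the
// local login forms. The domain is matched exactly against the table; with
// allowSubdomains, a registered parent domain also matches (so
// "alice@hr.mydomain.com" routes to the mydomain.com IdP), but a lookalike
// such as "alice@notmydomain.com" never does because it is a different label.
function selectIdpForEmail(identifier, table = DOMAIN_TO_IDP, allowSubdomains = false) {
  const domain = emailDomain(identifier);
  if (domain === null) return null;
  const has = (d) => Object.prototype.hasOwnProperty.call(table, d);
  if (has(domain)) return table[domain];
  if (allowSubdomains) {
    const labels = domain.split(".");
    // Try "mydomain.com" for "hr.mydomain.com"; never the bare TLD ("com").
    for (let i = 1; i < labels.length - 1; i++) {
      const parent = labels.slice(i).join(".");
      if (has(parent)) return table[parent];
    }
  }
  return null;
}

// Bare suffix check, kept only to show what it accepts in comparison.
function suffixMatch(identifier, suffix = "mydomain.com") {
  return typeof identifier === "string" && identifier.endsWith(suffix);
}

// Stand-alone demonstration of the difference between the two checks.
function demo() {
  return ["alice@mydomain.com", "alice@notmydomain.com", "alice@hr.mydomain.com", "anonymous"].map(
    (id) => ({ id, suffix: suffixMatch(id), exact: selectIdpForEmail(id) })
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Inside a script authenticator the result of `selectIdpForEmail` would replace the literal suffix test: a non-null alias goes to `redirect_to_idp`, null falls through to `context.success()`. The identifier should be the attribute the realm actually verifies (the e-mail, if e-mail verification is on), since an unverified username that merely looks like an address is attacker-chosen input.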
