[keycloak-user] IdP selection based on email address

Dmitry Telegin dt at acutus.pro
Mon Jul 30 23:32:27 EDT 2018


Hi Yann,

Is the OTP Form execution inside the subflow? Could you please attach a screenshot of the overall flow?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-26 at 09:12 +0000, Yann Jouanin wrote:
> Hello,
> 
> Thanks for your reply.
> Indeed I managed to write the function attached in javascript and I was able to redirect to an IdP for specific domains.
> 
> I have an additional question: is there a way to continue the flow? (In my case I would like to optionally prompt for OTP.)
> My current flow is:
> 
> "Cookies" (alternative)
> "Choose User" (required)
> Script (select idp) (required) (the script redirects to the IdP for some domains, otherwise triggers context.success)
> Subflow forms (optional):
>  - Username Password Form (required)
> OTP Form (optional).
> 
> Did I misunderstand the flow usage? Now when a user is authenticated using my IdP but has an OTP, the OTP is not prompted.
> 
> Best regards,
> 
> Yann
>  
> -------- FUNCTIONS ---------
> 
> 
> Authenticate function:
> 
> // Bindings provided by the Keycloak script authenticator: user, LOG (and the
> // Java.type imports declared in the helper below).
> function authenticate(context) {
>     var username = user ? user.username : "anonymous";
>     // Anchor the match on "@" so that e.g. "bob@evilmydomain.com" is not
>     // matched by a bare endsWith("mydomain.com") check.
>     if (username.toLowerCase().endsWith("@mydomain.com")) {
>         if (!redirect_to_idp(context, "idpformydomain")) {
>             // No enabled IdP with that alias: fail explicitly instead of leaving
>             // the execution without a success / challenge / failure outcome.
>             context.failure(AuthenticationFlowError.IDENTITY_PROVIDER_NOT_FOUND);
>         }
>         return;
>     }
>     context.success();
> }
> 
> 
> Function:
> 
> 
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
> Urls = Java.type("org.keycloak.services.Urls");
> OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
> Response = Java.type("javax.ws.rs.core.Response");
> UriBuilder = Java.type("javax.ws.rs.core.UriBuilder"); // was missing, used below
> 
> /**
>  * Redirect to an identity provider.
>  *
>  * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
>  * @param providerId the alias of the provider to use
>  * @return true if a redirect challenge was issued, false if the realm has no
>  *         enabled identity provider with that alias
>  */
> function redirect_to_idp(context, providerId) {
>     var identityProviders = context.getRealm().getIdentityProviders(); // java.util.List
>     for (var i = 0; i < identityProviders.size(); i++) {
>         var identityProvider = identityProviders.get(i);
>         if (!identityProvider.isEnabled() || !providerId.equals(identityProvider.getAlias())) {
>             continue;
>         }
>         var authSession = context.getAuthenticationSession();
>         // Code that lets the broker endpoint find this authentication session again.
>         var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), authSession).getOrGenerateCode();
>         var clientId = authSession.getClient().getClientId();
>         var tabId = authSession.getTabId();
>         var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
>         // Propagate the OIDC "display" hint if the client sent one.
>         var display = authSession.getClientNote(OAuth2Constants.DISPLAY);
>         if (display != null) {
>             location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, display).build();
>         }
>         LOG.info("Redirecting to identity provider " + providerId);
>         context.forceChallenge(Response.seeOther(location).build());
>         return true;
>     }
>     LOG.warn("No enabled identity provider with alias " + providerId);
>     return false;
> }
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
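The domain-to-IdP decision from the script above, pulled out as a pure function so it can be unit-tested under Node before it goes into a script authenticator. This is an added example, not code from the thread or from Keycloak; `emailDomain`, `idpAliasFor`, `decideAuthenticator`, `IDP_BY_DOMAIN` and the sample domains and aliases are assumptions. The function only returns the decision; the Keycloak-specific part (Java.type imports, ClientSessionCode, forceChallenge) stays in the Nashorn script as posted. It also shows why the match must be anchored on the "@" and on a label boundary: a plain endsWith("mydomain.com") accepts "evilmydomain.com".

```javascript
'use strict';

// Constructed mapping (assumption): email domain -> IdP alias in the realm.
// Keys are lower-case, exact domains.
const IDP_BY_DOMAIN = {
  'mydomain.com': 'idpformydomain',
  'partner.example': 'idp-partner',
};

// Domain part of an email address, lower-cased. Returns null when the value
// is not a string, has no '@', or has an empty local part or domain.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// IdP alias for an email: exact domain first, then (if allowSubdomains) each
// parent domain, so "hr.mydomain.com" resolves to the "mydomain.com" entry.
// "evilmydomain.com" never matches because comparison is on whole labels,
// not on a string suffix.
function idpAliasFor(email, mapping, allowSubdomains) {
  const domain = emailDomain(email);
  if (domain === null) return null;
  const has = (d) => Object.prototype.hasOwnProperty.call(mapping, d);
  if (has(domain)) return mapping[domain];
  if (!allowSubdomains) return null;
  const labels = domain.split('.');
  // Stop before the bare TLD: never route everything under "com" to one IdP.
  for (let i = 1; i < labels.length - 1; i++) {
    const parent = labels.slice(i).join('.');
    if (has(parent)) return mapping[parent];
  }
  return null;
}

// What the authenticator should do for this user. `user` mirrors the shape of
// the Keycloak script binding (username, email); `enabledIdpAliases` is the
// set of aliases that are configured AND enabled in the realm. The result is
// what the Nashorn script turns into context.forceChallenge(redirect),
// context.success() or context.failure(...).
function decideAuthenticator(user, mapping, enabledIdpAliases, opts) {
  const o = opts || {};
  if (!user) return { action: 'success' };                // nothing to route on
  const alias = idpAliasFor(user.email, mapping, !!o.allowSubdomains);
  if (alias === null) return { action: 'success' };       // local login path
  if (!enabledIdpAliases.has(alias)) {
    // A mapped but missing/disabled IdP must not silently fall through to a
    // local password form for a domain that is supposed to be federated.
    return { action: 'failure', reason: 'IDENTITY_PROVIDER_NOT_FOUND', alias };
  }
  return { action: 'redirect', alias };
}

// Usage with a constructed user record and the realm's enabled aliases.
const ENABLED = new Set(['idpformydomain']);
console.log(JSON.stringify(
  decideAuthenticator({ username: 'alice', email: 'alice@MyDomain.COM' }, IDP_BY_DOMAIN, ENABLED, {})
));
```

When dropping this into the realm script, read the address from `user.email` (or `user.username` if usernames are email addresses, as in the posted script) and feed `enabledIdpAliases` from `realm.getIdentityProviders()` filtered on `isEnabled()`.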

