[keycloak-user] Brokered logins only?

pkboucher801 at gmail.com pkboucher801 at gmail.com
Mon Jun 18 08:01:22 EDT 2018


Any way (other than a custom theme that enforces it in the UI) to allow only
brokered logins to a realm?

For reasons beyond my control, the user's password is the same in the IDP as
it is in KC (they point at the same OU in LDAP), but the IDP has been
configured with a particular 2FA method that is not supported by KC. So the
problem is that if the users log in with username/password submission on the
KC login page, they can bypass the IDP's 2FA.

We can set the IDP as the default, but kc_idp_hint as a blank value will
bring up the KC login page.

Maybe there's a way to adjust the flows so that brokered login works, but
username/password submission on the KC login page fails (or is not even
offered)?

Maybe set up pre-configured OTPs on the accounts, so that the users can't get
past there? (this would be a bad, confusing UX)

Any other ideas?

Regards,
Peter K. Boucher
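Added example (not part of the post above, and not Keycloak's own code): a small Python script that covers the two defensive sides of this question. First, it inspects a realm export to list every active password-form execution reachable from the browser flow and the direct-grant flow, which is the configuration a realm must not contain if only brokered logins should work. Second, it scans login events for LOGIN entries that did not pass through the expected broker, which is how you would notice that someone bypassed the IDP's 2FA by using the KC login page. The sample event lines and the realm-export fragment are constructed approximations; the event field names (type, identity_provider, username) and the authenticator ids (identity-provider-redirector, auth-username-password-form, direct-grant-validate-password) are assumptions about Keycloak's conventions that should be checked against your own server's output.

```python
import copy
import re

# Constructed sample lines in the shape of Keycloak's jboss-logging event
# listener output (an approximation, not captured from a real server).
SAMPLE_EVENTS = [
    "type=LOGIN, realmId=corp, clientId=portal, userId=1a2b, ipAddress=10.0.0.5, "
    "auth_method=openid-connect, identity_provider=corp-idp, identity_provider_identity=alice, username=alice",
    "type=LOGIN, realmId=corp, clientId=portal, userId=3c4d, ipAddress=10.0.0.9, "
    "auth_method=openid-connect, auth_type=code, username=bob",
    "type=LOGIN_ERROR, realmId=corp, clientId=portal, ipAddress=10.0.0.9, "
    "error=invalid_user_credentials, auth_method=openid-connect, username=carol",
    "type=CODE_TO_TOKEN, realmId=corp, clientId=portal, userId=1a2b, ipAddress=10.0.0.5",
    "type=LOGIN, realmId=corp, clientId=portal, userId=5e6f, ipAddress=10.0.0.12, "
    "auth_method=openid-connect, identity_provider=github, identity_provider_identity=dave, username=dave",
]

KV_RE = re.compile(r"(\w+)=([^,]*)")


def parse_event(line):
    """Split a 'k=v, k=v, ...' event line into a dict (values run up to the next comma)."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def find_direct_logins(lines, allowed_idps):
    """Return LOGIN events that did not go through one of the allowed brokers.

    A LOGIN event with no identity_provider detail means the realm's own
    credential check was used, i.e. the broker's 2FA never ran.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "LOGIN":
            continue
        idp = ev.get("identity_provider")
        if idp in allowed_idps:
            continue
        hits.append({
            "username": ev.get("username", "?"),
            "ipAddress": ev.get("ipAddress", "?"),
            "clientId": ev.get("clientId", "?"),
            "reason": "no identity_provider" if idp is None else "unexpected idp " + idp,
        })
    return hits


# Constructed sample: the flow-related part of a realm export, trimmed to the
# fields the check needs (shape approximated, not a real export).
SAMPLE_REALM = {
    "browserFlow": "browser",
    "directGrantFlow": "direct grant",
    "authenticationFlows": [
        {"alias": "browser", "authenticationExecutions": [
            {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "authenticatorFlow": False},
            {"authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE", "authenticatorFlow": False},
            {"flowAlias": "forms", "requirement": "ALTERNATIVE", "authenticatorFlow": True},
        ]},
        {"alias": "forms", "authenticationExecutions": [
            {"authenticator": "auth-username-password-form", "requirement": "REQUIRED", "authenticatorFlow": False},
        ]},
        {"alias": "direct grant", "authenticationExecutions": [
            {"authenticator": "direct-grant-validate-username", "requirement": "REQUIRED", "authenticatorFlow": False},
            {"authenticator": "direct-grant-validate-password", "requirement": "REQUIRED", "authenticatorFlow": False},
        ]},
    ],
}

# Authenticators that validate a realm-local password (assumed ids).
PASSWORD_AUTHENTICATORS = {"auth-username-password-form", "direct-grant-validate-password"}


def password_executions(realm, flow_alias):
    """List non-DISABLED password executions reachable from flow_alias, following subflows."""
    flows = {f["alias"]: f for f in realm["authenticationFlows"]}
    found = []
    for ex in flows[flow_alias]["authenticationExecutions"]:
        if ex.get("requirement") == "DISABLED":
            continue
        if ex.get("authenticatorFlow"):
            found.extend(password_executions(realm, ex["flowAlias"]))
        elif ex.get("authenticator") in PASSWORD_AUTHENTICATORS:
            found.append(flow_alias + "/" + ex["authenticator"])
    return found


def check_realm(realm):
    """Map each entry flow (browser, direct grant) to the password executions it still exposes."""
    return {
        realm["browserFlow"]: password_executions(realm, realm["browserFlow"]),
        realm["directGrantFlow"]: password_executions(realm, realm["directGrantFlow"]),
    }


def disable_password_paths(realm):
    """Return a copy of the export with every password execution set to DISABLED
    (the same change one would make by hand in the admin console's flow editor)."""
    hardened = copy.deepcopy(realm)
    for flow in hardened["authenticationFlows"]:
        for ex in flow["authenticationExecutions"]:
            if ex.get("authenticator") in PASSWORD_AUTHENTICATORS:
                ex["requirement"] = "DISABLED"
    return hardened


if __name__ == "__main__":
    print("password paths in export:", check_realm(SAMPLE_REALM))
    print("after hardening:", check_realm(disable_password_paths(SAMPLE_REALM)))
    for hit in find_direct_logins(SAMPLE_EVENTS, {"corp-idp"}):
        print("direct login:", hit)
```

The config check is the part that answers the "adjust the flows" idea: once the only non-disabled executions in the browser flow are the cookie and the Identity Provider Redirector, a blank kc_idp_hint has no password form to fall through to, and the direct-grant flow has to be closed separately or clients can still post a password to the token endpoint. The event scan is the safety net for the time before that change lands (or for a realm someone reconfigures later), and it also flags logins through a broker other than the one carrying the 2FA.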
