[keycloak-user] Brokered logins only?

mj lists at merit.unu.edu
Sun Jun 24 13:17:38 EDT 2018


Wow, I just noticed your question, after I posted *exactly* the same 
question.

I guess that means that I should also not expect a reply... :-)

MJ

On 06/23/2018 08:09 PM, pkboucher801 at gmail.com wrote:
> Am I asking on the wrong list?
> 
> Is this question uninteresting?  Too easy?  Too hard?
> 
> -----Original Message-----
> From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com]
> Sent: Monday, June 18, 2018 8:01 AM
> To: keycloak-user at lists.jboss.org
> Subject: Brokered logins only?
> 
> Any way (other than a custom theme that enforces it in the UI) to allow only
> brokered logins to a realm?
> 
> For reasons beyond my control, the user's password is the same in the IDP as
> it is in KC (they point at the same OU in LDAP), but the IDP has been
> configured with a particular 2FA method that is not supported by KC. So the
> problem is that if the users log in with username/password submission on the
> KC login page, they can bypass the IDP's 2FA.
> 
> We can set the IDP as the default, but kc_idp_hint as a blank value will
> bring up the KC login page.
> 
> Maybe there's a way to adjust the flows so that brokered login works, but
> username/password submission on the KC login page fails (or is not even
> offered)?
> 
> Maybe set up pre-configured OTPs on the accounts, so that the users can't get
> past there? (this would be a bad, confusing UX)
> 
> Any other ideas?
> 
> Regards,
> Peter K. Boucher
> 
> 